Total
1567 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-25235 | 1 Smartwares | 1 Home Easy | 2026-04-15 | 9.8 Critical |
| Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system information. | ||||
| CVE-2025-6942 | 1 Delinea | 1 Secret Server | 2026-04-15 | 3.8 Low |
| The distributed engine versions 8.4.39.0 and earlier of Secret Server versions 11.7.49 and earlier can be exploited during an initial authorization event that would allow an attacker to impersonate another distributed engine. | ||||
| CVE-2025-40676 | 1 Bbmri-eric | 1 Negotiator | 2026-04-15 | N/A |
| Insecure Direct Object Reference (IDOR) in Negotiator v3.15.2 from Biobanking and Biomolecular Resources - European Research Infrastructure (BBMRI-ERIC). This vulnerability allows an attacker to access or modify unauthorised resources by manipulating requests that use the 'userID' parameter in '/api/v3/users/<userID>', which may result in the exposure or alteration of sensitive data | ||||
| CVE-2025-51628 | 2026-04-15 | 7.5 High | ||
| Insecure Direct Object Reference (IDOR) vulnerability in PdfHandler component in Agenzia Impresa Eccobook v2.81.1 and below allows unauthenticated attackers to read confidential documents via the DocumentoId parameter. | ||||
| CVE-2026-24634 | 2 Rustaurius, Wordpress | 2 Ultimate Reviews, Wordpress | 2026-04-15 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Reviews: from n/a through <= 3.2.16. | ||||
| CVE-2025-40805 | 1 Siemens | 24 Industrial Edge Cloud Device (iecd), Industrial Edge Device Kit, Industrial Edge Own Device (ieod) and 21 more | 2026-04-15 | 10 Critical |
| Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has learned the identity of a legitimate user. | ||||
| CVE-2025-11517 | 2 Theeventscalendar, Wordpress | 2 Event Tickets, Wordpress | 2026-04-15 | 7.5 High |
| The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target. | ||||
| CVE-2024-12046 | 2026-04-15 | 4.3 Medium | ||
| The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the 'namedical_elementor_template' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of draft, pending, and private posts. | ||||
| CVE-2024-9617 | 1 Danswer-ai | 1 Danswer | 2026-04-15 | N/A |
| An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file. | ||||
| CVE-2025-8057 | 1 Patika Global Technologies | 1 Humansuite | 2026-04-15 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key, Externally Controlled Reference to a Resource in Another Sphere, Improper Authorization vulnerability in Patika Global Technologies HumanSuite allows Exploiting Trust in Client.This issue affects HumanSuite: before 53.21.0. | ||||
| CVE-2025-12071 | 2 Absikandar, Wordpress | 2 Frontend User Notes, Wordpress | 2026-04-15 | 4.3 Medium |
| The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary notes that do not belong to them. | ||||
| CVE-2025-12623 | 1 Fushengqian | 1 Fuint | 2026-04-15 | 3.1 Low |
| A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Affected by this issue is some unknown functionality of the file fuint-application/src/main/java/com/fuint/module/clientApi/controller/ClientSignController.java of the component Authentication Token Handler. Such manipulation leads to authorization bypass. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitation is known to be difficult. The exploit is publicly available and might be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | ||||
| CVE-2024-2261 | 2026-04-15 | 4.3 Medium | ||
| The Event Tickets and Registration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.8.2 via the RSVP functionality. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including emails and street addresses. | ||||
| CVE-2021-27700 | 2026-04-15 | 7.6 High | ||
| SOCIFI Socifi Guest wifi as SAAS wifi portal is affected by Insecure Permissions. Any authorized customer with partner mode can switch to another customer dashboard and perform actions like modify user, delete user, etc. | ||||
| CVE-2025-9062 | 1 Mecode Informatics And Engineering Services | 1 Envanty | 2026-04-15 | 7.3 High |
| Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and Engineering Services Ltd. Envanty allows Parameter Injection.This issue affects Envanty: before 1.0.6. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. The vulnerability was learned to be remediated through reporter information and testing. | ||||
| CVE-2025-40650 | 2026-04-15 | N/A | ||
| Insecure Direct Object Reference (IDOR) vulnerability in Clickedu. This vulnerability could allow an attacker to retrieve information about student report cards. | ||||
| CVE-2024-43315 | 1 Checkoutplugins | 1 Stripe Payments For Woocommerce | 2026-04-15 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Checkout Plugins Stripe Payments For WooCommerce by Checkout.This issue affects Stripe Payments For WooCommerce by Checkout: from n/a through 1.9.1. | ||||
| CVE-2025-0606 | 1 Logo Software | 1 Logo Cloud | 2026-04-15 | 6 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Logo Software Inc. Logo Cloud allows Forceful Browsing, Resource Leak Exposure.This issue affects Logo Cloud: before 0.67. | ||||
| CVE-2025-4129 | 2026-04-15 | 7.5 High | ||
| Authorization Bypass Through User-Controlled Key vulnerability in PAVO Inc. PAVO Pay allows Exploitation of Trusted Identifiers.This issue affects PAVO Pay: before 13.05.2025. | ||||
| CVE-2024-34383 | 2026-04-15 | 5.3 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in The SEO Guys at SEOPress SEOPress.This issue affects SEOPress: from n/a through 7.7.1. | ||||