Total: 8262 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-40726 | | | 2026-06-17 | 8.2 High | Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.14 versions. |
| CVE-2024-31435 | | | 2026-06-17 | 4.3 Medium | Missing Authorization vulnerability in Inisev Social Media & Share Icons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Social Media & Share Icons: from n/a through 2.8.6. |
| CVE-2025-69137 | | | 2026-06-17 | 6.5 Medium | Subscriber Broken Access Control in Genemy <= 1.6.6 versions. |
| CVE-2026-8383 | | | 2026-06-17 | 5.3 Medium | The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoints behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request. |
| CVE-2026-39433 | | | 2026-06-17 | 6.5 Medium | Subscriber Arbitrary Content Deletion in WPAMS < 49.5.3 versions. |
| CVE-2026-28587 | 1 Google | 1 Android | 2026-06-17 | N/A | In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2026-49057 | | | 2026-06-17 | 7.5 High | Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions. |
| CVE-2026-40722 | | | 2026-06-17 | 5.5 Medium | Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yoast SEO Premium: from n/a through 26.6. |
| CVE-2026-54802 | | | 2026-06-17 | 7.5 High | Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions. |
| CVE-2026-49081 | | | 2026-06-17 | 8.2 High | Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions. |
| CVE-2026-45436 | | | 2026-06-17 | 6.5 Medium | Subscriber Broken Access Control in WPBakery Page Builder <= 8.7.2 versions. |
| CVE-2026-24610 | | | 2026-06-17 | 4.3 Medium | Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions. |
| CVE-2026-0628 | 1 Google | 1 Chrome | 2026-06-17 | 8.8 High | Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High) |
| CVE-2026-48969 | | | 2026-06-17 | 6.5 Medium | Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions. |
| CVE-2026-48783 | 1 Gitroomhq | 1 Postiz-app | 2026-06-17 | 4.8 Medium | Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8. |
| CVE-2026-38329 | | | 2026-06-17 | 9.8 Critical | Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server. |
| CVE-2026-48797 | | | 2026-06-16 | N/A | Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing flags intended as security controls: --auth user:pass — documented as "require HTTP Basic authentication on every request to the UI." and --share — documented as "expose the UI on a public address; requires --auth." When --auth user:pass is passed, the CLI prints Auth: enabled (user: <username>) to confirm to the operator that authentication is active, then exports BACKPROPAGATE_UI_AUTH=user:pass to the subprocess that launches the Reflex backend. The Reflex backend (backpropagate/ui_app/**) never reads BACKPROPAGATE_UI_AUTH. No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port — local or remote, depending on whether --share is used — has full UI access. An inline comment at backpropagate/cli.py:1217-1218 in the v1.1.0 source documents the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet." This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced. An attacker who reaches the bound port can read uploaded datasets, trigger arbitrary training runs against any local base models as well as read their paths, trigger HuggingFace Hub pushes, and cause disk-fill DoS. This issue has been fixed in version 1.2.0. If developers cannot immediately upgrade to 1.2.0, run backprop ui with no flags so it binds to localhost, use SSH port-forwarding (ssh -L 7860:localhost:7860 <training-host>) instead of --share for remote access, and audit any host previously launched with --share, re-issuing any HF tokens used during those sessions. |
| CVE-2026-53851 | 1 Openclaw | 1 Openclaw | 2026-06-16 | 5.3 Medium | OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input. |
| CVE-2026-53844 | 1 Openclaw | 1 Openclaw | 2026-06-16 | 6.5 Medium | OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session. |
| CVE-2026-53850 | 1 Openclaw | 1 Openclaw | 2026-06-16 | 5.5 Medium | OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels. |