ReportizFlow
Filtered by vendor
Subscriptions
Total
1328 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-7092 | 1 Code-projects | 1 Invoice System In Laravel | 2026-04-29 | 6.3 Medium |
| A vulnerability has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /profile/ of the component Profile Handler. Such manipulation of the argument ID leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-7292 | 1 O2oa | 1 O2oa | 2026-04-29 | 5.6 Medium |
| A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-21023 | 1 Samsung | 1 Mobile Devices | 2026-04-29 | N/A |
| Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local attackers to modify the installation restriction of specific application. | ||||
| CVE-2026-34315 | 1 Oracle | 1 Weblogic Server | 2026-04-28 | 6.5 Medium |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N). | ||||
| CVE-2025-6027 | 2 Acewebx, Wordpress | 2 Ace User Management, Wordpress | 2026-04-28 | 6.3 Medium |
| The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated users, such as subscriber to reset the password of arbitrary accounts, including administrators. | ||||
| CVE-2026-7142 | 1 Wooey | 1 Wooey | 2026-04-28 | 6.3 Medium |
| A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.13.3rc1 and 0.14.0 is sufficient to resolve this issue. This patch is called f7846fc0c323da8325422cab32623491757f1b88. The affected component should be upgraded. | ||||
| CVE-2025-67259 | 1 Classroomio | 1 Classroomio | 2026-04-28 | 6.5 Medium |
| A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST endpoint results in disclosure of sensitive information including other students details, tutor/admin profiles, and internal course metadata. | ||||
| CVE-2025-24178 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2026-04-28 | 9.8 Critical |
| This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, watchOS 11.4. An app may be able to break out of its sandbox. | ||||
| CVE-2026-7144 | 1 1000projects | 1 Portfolio Management System Mca | 2026-04-28 | 4.3 Medium |
| A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2025-31249 | 1 Apple | 1 Macos | 2026-04-28 | 7.1 High |
| A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.5. An app may be able to access sensitive user data. | ||||
| CVE-2026-7109 | 1 Code-projects | 1 Invoice System In Laravel | 2026-04-28 | 5.3 Medium |
| A vulnerability was detected in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /item of the component API Endpoint. Performing a manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. | ||||
| CVE-2025-31255 | 1 Apple | 9 Ios, Ipados, Iphone Os and 6 more | 2026-04-28 | 9.8 Critical |
| An authorization issue was addressed with improved state management. This issue is fixed in iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, tvOS 26, watchOS 26. An app may be able to access sensitive user data. | ||||
| CVE-2025-43231 | 1 Apple | 2 Macos, Macos Sonoma | 2026-04-28 | 5.5 Medium |
| A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8. An app may be able to access user-sensitive data. | ||||
| CVE-2025-11855 | 1 Wordpress | 1 Wordpress | 2026-04-28 | 7.5 High |
| The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated users, such as subscriber to create an admin user with a hardcoded username and arbitrary password. | ||||
| CVE-2025-46289 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2026-04-28 | 5.5 Medium |
| A logic issue was addressed with improved file handling. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. An app may be able to access protected user data. | ||||
| CVE-2025-12573 | 1 Wordpress | 1 Wordpress | 2026-04-28 | 6.5 Medium |
| The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data. | ||||
| CVE-2026-6977 | 1 Vanna-ai | 1 Vanna | 2026-04-27 | 7.3 High |
| A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-7091 | 1 Code-projects | 1 Invoice System In Laravel | 2026-04-27 | 6.3 Medium |
| A flaw has been found in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /user of the component User Management Handler. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used. | ||||
| CVE-2026-7093 | 1 Code-projects | 1 Invoice System In Laravel | 2026-04-27 | 6.3 Medium |
| A vulnerability was found in code-projects Invoice System in Laravel 1.0. Affected by this vulnerability is an unknown functionality of the file /invoice/ of the component Invoice Endpoint. Performing a manipulation of the argument ID results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | ||||
| CVE-2026-5529 | 1 Dromara | 1 Lamp-cloud | 2026-04-24 | 4.3 Medium |
| A vulnerability was detected in Dromara lamp-cloud up to 5.8.1. This vulnerability affects the function pageUser of the file /defUser/pageUser of the component DefUserController. Performing a manipulation results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||