Total
2639 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12925 | 1 Rymcu | 1 Forest | 2026-02-24 | 7.3 High |
| A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Impacted is the function getAll/addDic/getAllDic/deleteDic of the file src/main/java/com/rymcu/forest/lucene/api/UserDicController.java. The manipulation results in missing authorization. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | ||||
| CVE-2025-12924 | 1 Rymcu | 1 Forest | 2026-02-24 | 4.3 Medium |
| A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. This issue affects the function GlobalResult of the file src/main/java/com/rymcu/forest/web/api/bank/BankController.java. The manipulation leads to missing authorization. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | ||||
| CVE-2025-13806 | 1 Nutzam | 1 Nutzboot | 2026-02-24 | 7.3 High |
| A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Transaction API. The manipulation of the argument from/to/wei leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-4960 | 1 Epson | 1 Epson Printer Controller Installer | 2026-02-24 | 7.8 High |
| The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege escalation vulnerability due to multiple flaws in its implementation. It fails to properly authenticate clients over the XPC protocol and does not correctly enforce macOS’s authorization model, exposing privileged functionality to untrusted users. Although it invokes the AuthorizationCopyRights API, it does so using overly permissive custom rights that it registers in the system’s authorization database (/var/db/auth.db). These rights can be requested and granted by the authorization daemon to any local user, regardless of privilege level. As a result, an attacker can exploit the vulnerable service to perform privileged operations such as executing arbitrary commands or installing system components without requiring administrative credentials. | ||||
| CVE-2020-7921 | 1 Mongodb | 1 Mongodb | 2026-02-23 | 4.6 Medium |
| Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18. | ||||
| CVE-2026-2819 | 1 Dromara | 1 Ruoyi-vue-plus | 2026-02-23 | 6.3 Medium |
| A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2020-16904 | 1 Microsoft | 1 Azure Functions | 2026-02-23 | 5.3 Medium |
| <p>An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.</p> <p>An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.</p> <p>This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions.</p> | ||||
| CVE-2025-14318 | 1 M-files | 2 M-files Server, Server | 2026-02-23 | 4.3 Medium |
| Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled. | ||||
| CVE-2024-11176 | 2026-02-23 | N/A | ||
| Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect evaluation of effective permissions. | ||||
| CVE-2026-2208 | 1 Wekan Project | 1 Wekan | 2026-02-23 | 4.3 Medium |
| A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded. | ||||
| CVE-2026-1897 | 1 Wekan Project | 1 Wekan | 2026-02-23 | 4.3 Medium |
| A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component. | ||||
| CVE-2026-1734 | 2 Crmeb, Zhongbangkeji | 2 Crmeb, Crmeb | 2026-02-23 | 5.3 Medium |
| A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endpoint. The manipulation results in missing authorization. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15406 | 1 Phpgurukul | 1 Online Course Registration | 2026-02-23 | 6.3 Medium |
| A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. This manipulation causes missing authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used. | ||||
| CVE-2026-20960 | 1 Microsoft | 2 Power Apps, Power Apps Desktop Client | 2026-02-22 | 8 High |
| Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network. | ||||
| CVE-2026-25890 | 1 Filebrowser | 1 Filebrowser | 2026-02-20 | 8.1 High |
| File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1. | ||||
| CVE-2026-26963 | 1 Cilium | 1 Cilium | 2026-02-20 | 6.1 Medium |
| Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.18.0 through 1.18.5 will incorrectly permit traffic from Pods on other nodes when Native Routing, WireGuard and Node Encryption are enabled. This issue has been fixed in version 1.18.6. | ||||
| CVE-2026-25767 | 2 84codes, Cloudamqp | 2 Lavinmq, Lavinmq | 2026-02-20 | 8.1 High |
| LavinMQ is a high-performance message queue & streaming server. Before 2.6.8, an authenticated user, with the “Policymaker” tag, could create shovels bypassing access controls. an authenticated user with the "Policymaker" management tag could exploit it to read messages from vhosts they are not authorized to access or publish messages to vhosts they are not authorized to access. This vulnerability is fixed in 2.6.8. | ||||
| CVE-2026-26205 | 1 Open-policy-agent | 1 Opa-envoy-plugin | 2026-02-20 | N/A |
| opa-envoy-plugun is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (`//`) as authority components, and therefore dropping them from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served. Version 1.13.2-envoy-2 fixes the issue. | ||||
| CVE-2025-48042 | 1 Ash-project | 1 Ash | 2026-02-20 | N/A |
| Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routines 'Elixir.Ash.Actions.Create.Bulk':run/5, 'Elixir.Ash.Actions.Destroy.Bulk':run/6, 'Elixir.Ash.Actions.Update.Bulk:run'/6. This issue affects ash: from pkg:hex/ash before pkg:hex/ash@3.5.39, before 3.5.39, before 5d1b6a5d00771fd468a509778637527b5218be9a. | ||||
| CVE-2025-48043 | 1 Ash-project | 1 Ash | 2026-02-20 | N/A |
| Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from pkg:hex/ash@0 before pkg:hex/ash@3.6.2, before 3.6.2, before 66d81300065b970da0d2f4528354835d2418c7ae. | ||||