High
CVSS: 8.8
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. This makes it…
Critical
CVSS: 9.4
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.48, an authenticated user could achieve Remote Code Execution (RCE) on the backend…
Medium
CVSS: 5.5
An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. An app may be able to access sensitive user data.
High
CVSS: 7.5
Vulnerabilities in the File Download and Get File handler components in CIPPlanner CIPAce before 9.17 allow attackers to download unauthorized files. An authenticated user can easily change the file id parameter or pass the physical file pa…
High
CVSS: 7.1
Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or deletion of metadata for any tenant. By sen…
Medium
CVSS: 6.8
Improper authorization in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack…
Critical
CVSS: 10.0
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API…
Critical
CVSS: 10.0
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by pr…
Medium
CVSS: 5.3
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the code evaluation endpoint does not validate the assessment lifecycle state before allowing execution. There is no check to ensure that the…
Medium
CVSS: 5.3
Collabora Online is a collaborative online office suite based on LibreOffice technology. Prior to Collabora Online Development Edition version 25.04.08.2 and prior to Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5, a user w…
High
CVSS: 8.8
Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gai…
Medium
CVSS: 5.9
The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be a…
Critical
CVSS: 9.3
Azure Entra ID Elevation of Privilege Vulnerability
High
CVSS: 8.2
Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. O…
Medium
CVSS: 6.5
HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete.php` script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers o…
Medium
CVSS: 5.3
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's R…
High
CVSS: 8.0
Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.
Critical
CVSS: 9.1
LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the containe…
Medium
CVSS: 5.7
RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM per…
Medium
CVSS: 5.1
A Improper Authorization vulnerability in Foomuuri llows arbitrary users to influence the firewall configuration.This issue affects Foomuuri: from ? before 0.31.