Browse and filter security vulnerabilities across ecosystems
WeKan < 8.35 Missing Authorization via Integration REST API
RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks
Emailchef <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion
CalJ <= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via 'save-obtained-key' Action
Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php
Sendmachine for WordPress <= 1.0.20 - Unauthenticated SMTP Hijack to Privilege Escalation via manage_admin_requests
TP Restore Categories And Taxonomies <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via 'tpmcattt_delete_term' A...
aEnrich|a+HRD - Missing Authorization
Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
Decidim's comments API allows access to all commentable resources
FreeScout's client-controlled attachment IDs allow deletion of existing conversation attachments
FreeScout's cross-user undo reply allows mailbox peers to recall another agent's outbound reply
FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII
Responsive Blocks <= 2.2.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via AJAX Actions
Neko has Self-service Privilege Escalation for Authenticated Users
OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint
OpenMage LTS imports cross-user wishlist item via shared wishlist code, leading to private option disclosure and file-disclosure variant
Vexa's unauthenticated internal transcript endpoint exposed by default
ComfyUI server.py create_origin_only_middleware cross-site request forgery
Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true