Total: 1425 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-28225 | 1 Manyfold | 1 Manyfold | 2026-02-27 | N/A | 5.3 MEDIUM |
| Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesController` (line 158-160) loads models using `Model.find_param(params[:model_id])` without `policy_scope()`, bypassing Pundit authorization. All other controllers correctly use `policy_scope(Model).find_param()` (e.g., `ModelsController` line 263). Version 0.133.1 fixes the issue. | |||||
| CVE-2026-28216 | 1 Hoppscotch | 1 Hoppscotch | 2026-02-27 | N/A | 8.3 HIGH |
| hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. In `user-environments.resolver.ts:82-109`, the `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user, but the service only uses the UID to check whether the target is a global environment; the actual delete query uses `WHERE { id }` without `AND userUid`. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation, but insider-threat and combined information-leak scenarios are realistic. Version 2026.2.0 fixes the issue. | |||||
| CVE-2026-28217 | 1 Hoppscotch | 1 Hoppscotch | 2026-02-27 | N/A | 6.5 MEDIUM |
| hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue. | |||||
| CVE-2026-27943 | 1 Open-emr | 1 Openemr | 2026-02-27 | N/A | 6.5 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or equivalent) without verifying that the form belongs to the current user’s patient/encounter context. An authenticated user can access or edit any patient’s eye exam by supplying another form ID; in some flows the session’s active patient may also be switched. A fix is available on the `main` branch of the OpenEMR GitHub repository. | |||||
| CVE-2026-25220 | 1 Open-emr | 1 Openemr | 2026-02-27 | N/A | 6.5 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter `show_all=yes` and passes it to `getPnotesByUser()`, which returns all internal messages (all users’ notes). The backend does not verify that the requesting user is an administrator before honoring `show_all=yes`. The "Show All" link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting `messages.php?show_all=yes`. Version 8.0.0 patches the issue. | |||||
| CVE-2026-25927 | 1 Open-emr | 1 Openemr | 2026-02-27 | N/A | 7.1 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a document ID (`doc_id`) without verifying that the document belongs to the current user’s authorized patient or encounter. An authenticated user can read or modify DICOM viewer state (e.g. annotations, view settings) for any document by enumerating document IDs. Version 8.0.0 fixes the issue. | |||||
| CVE-2026-25929 | 1 Open-emr | 1 Openemr | 2026-02-27 | N/A | 6.5 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the document controller’s `patient_picture` context serves the patient’s photo by document ID or patient ID without verifying that the current user is authorized to access that patient. An authenticated user with document ACL can supply another patient’s ID and retrieve their photo. Version 8.0.0 fixes the issue. | |||||
| CVE-2026-25930 | 1 Open-emr | 1 Openemr | 2026-02-27 | N/A | 6.5 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Layout-Based Form (LBF) printable view accepts `formid` and `visitid` (or `patientid`) from the request and does not verify that the form belongs to the current user’s authorized patient/encounter. An authenticated user with LBF access can enumerate form IDs and view or print any patient’s encounter forms. Version 8.0.0 fixes the issue. | |||||
| CVE-2026-1558 | | | 2026-02-27 | N/A | 5.3 MEDIUM |
| The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter. | |||||
| CVE-2026-27449 | | | 2026-02-27 | N/A | 7.5 HIGH |
| Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying a user-controlled identifier parameter (e.g., ?id=), an attacker can retrieve sensitive data associated with arbitrary records. Because no access control validation is performed, the endpoints are vulnerable to enumeration attacks, allowing attackers to iterate over identifiers and extract data at scale. An unauthenticated attacker can retrieve sensitive Engage-related data by directly querying the affected API endpoints. The vulnerability allows arbitrary record access through predictable or enumerable identifiers. The confidentiality impact is considered high. No direct integrity or availability impact has been identified. The scope of exposed data depends on the deployment but may include analytics data, tracking data, customer-related information, or other Engage-managed content. The vulnerability affects both v16 and v17. Patches have already been released. Users are advised to update to 16.2.1 or 17.1.1. No known workarounds are available. | |||||
| CVE-2025-70063 | 1 Phpgurukul | 1 Hospital Management System | 2026-02-26 | N/A | 6.5 MEDIUM |
| The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference (IDOR) vulnerability. The application fails to verify that the requested 'viewid' parameter belongs to the currently authenticated patient. This allows a user to access the confidential medical records of other patients by iterating the 'viewid' integer. | |||||
| CVE-2025-70833 | 1 Lkw199711 | 1 Smanga | 2026-02-26 | N/A | 9.4 CRITICAL |
| An Authentication Bypass vulnerability in Smanga 3.2.7 allows an unauthenticated attacker to reset the password of any user (including the administrator) and fully takeover the account by manipulating POST parameters. The issue stems from insecure permission validation in check-power.php. | |||||
| CVE-2026-2697 | 1 Tenable | 1 Security Center | 2026-02-26 | N/A | 6.3 MEDIUM |
| An Insecure Direct Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter. | |||||
| CVE-2026-2698 | 1 Tenable | 1 Security Center | 2026-02-26 | N/A | 6.5 MEDIUM |
| An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope. | |||||
| CVE-2026-3185 | 1 Szadmin | 1 Sz-boot-parent | 2026-02-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected is an unknown function of the file /api/admin/sys-message/ of the component API Endpoint. The manipulation of the argument messageId results in authorization bypass. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 1.3.3-beta is able to address this issue. The patch is identified as aefaabfd7527188bfba3c8c9eee17c316d094802. The affected component should be upgraded. The project was informed beforehand and acted very professionally: "We have implemented message ownership verification, so that users can only query messages related to themselves." | |||||
| CVE-2025-15582 | 1 Detronetdip | 1 E-commerce | 2026-02-26 | 5.5 MEDIUM | 5.4 MEDIUM |
| A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the argument ID results in authorization bypass. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2025-68514 | | | 2026-02-25 | N/A | 6.5 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs Paid Member Subscriptions (paid-member-subscriptions) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Member Subscriptions: from n/a through 2.16.8. | |||||
| CVE-2025-68051 | | | 2026-02-25 | N/A | 7.4 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Shiprocket's Shiprocket plugin (shiprocket) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shiprocket: from n/a through 2.0.8. | |||||
| CVE-2023-46446 | 1 Asyncssh Project | 1 Asyncssh | 2026-02-25 | N/A | 6.8 MEDIUM |
| An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack." | |||||
| CVE-2023-36483 | 1 Honeywell | 2 Masmobile Asp.net Services, Masmobile Classic | 2026-02-25 | N/A | 6.5 MEDIUM |
| Authorization bypass can be achieved by session ID prediction in MASmobile Classic Android version 1.16.18 and earlier and MASmobile Classic iOS version 1.7.24 and earlier which allows remote attackers to retrieve sensitive data including customer data, security system status, and event history. | |||||
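Most of the entries above are one defect seen from different code bases: the Manyfold `get_model` lookup without `policy_scope()` (CVE-2026-28225), the Hoppscotch `updateUserEnvironment` / `deleteUserEnvironment` mutations and `userCollection` query (CVE-2026-28216, CVE-2026-28217), and the OpenEMR handlers that load by `form_id`, `doc_id` or `formid` (CVE-2026-27943, CVE-2026-25927, CVE-2026-25930). The caller is authenticated, but the identity never reaches the record lookup. The Python below is an added example, not code from any of those projects: the in-memory `EnvironmentStore`, the `find` / `find_owned` methods, the two users and their records are all constructed for illustration. It shows the unscoped and the ownership-scoped service side by side, including the delete-by-id-only flaw, and a two-identity check of the kind a test suite can run against every per-user endpoint.

```python
"""Unscoped lookup vs ownership-scoped lookup (added example, not project code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional


class NotFound(Exception):
    """Same error for 'absent' and 'not yours': no existence oracle for guessed IDs."""


@dataclass
class Environment:
    id: str
    owner_uid: Optional[str]            # None marks a shared/global environment
    variables: Dict[str, str] = field(default_factory=dict)


class EnvironmentStore:
    """In-memory table standing in for an ORM (Prisma, ActiveRecord, ...)."""

    def __init__(self) -> None:
        self.rows: Dict[str, Environment] = {}

    def insert(self, env: Environment) -> None:
        self.rows[env.id] = env

    def find(self, env_id: str) -> Environment:
        """WHERE id = ?  (no ownership filter)"""
        if env_id not in self.rows:
            raise NotFound(env_id)
        return self.rows[env_id]

    def find_owned(self, env_id: str, uid: str) -> Environment:
        """WHERE id = ? AND owner_uid = ?  (the fix)"""
        env = self.rows.get(env_id)
        if env is None or env.owner_uid != uid:
            raise NotFound(env_id)
        return env


class VulnerableService:
    """The caller is authenticated, but uid never reaches the query."""

    def __init__(self, store: EnvironmentStore) -> None:
        self.store = store

    def read(self, env_id: str, uid: str) -> Dict[str, str]:
        return dict(self.store.find(env_id).variables)

    def update(self, env_id: str, uid: str, variables: Dict[str, str]) -> None:
        self.store.find(env_id).variables = dict(variables)

    def delete(self, env_id: str, uid: str) -> None:
        # uid is only used to refuse global rows; the delete is keyed on id alone
        env = self.store.find(env_id)
        if env.owner_uid is None:
            raise PermissionError("global environments are not user-deletable")
        del self.store.rows[env_id]


class FixedService(VulnerableService):
    """Every per-user lookup carries the caller's uid in the WHERE clause."""

    def read(self, env_id: str, uid: str) -> Dict[str, str]:
        return dict(self.store.find_owned(env_id, uid).variables)

    def update(self, env_id: str, uid: str, variables: Dict[str, str]) -> None:
        self.store.find_owned(env_id, uid).variables = dict(variables)

    def delete(self, env_id: str, uid: str) -> None:
        self.store.find_owned(env_id, uid)   # NotFound for foreign and global rows
        del self.store.rows[env_id]


def build_store() -> EnvironmentStore:
    """Constructed fixture: two users' environments plus one shared one."""
    store = EnvironmentStore()
    store.insert(Environment("env_alice", "alice", {"API_KEY": "alice-secret"}))
    store.insert(Environment("env_bob", "bob", {"API_KEY": "bob-secret"}))
    store.insert(Environment("env_global", None, {"BASE_URL": "https://api.example.test"}))
    return store


def cross_user_check(service_cls) -> Dict[str, bool]:
    """Two-identity IDOR check: may bob read, modify or delete alice's record?

    Fresh store per operation; True means the operation was wrongly allowed.
    """
    results: Dict[str, bool] = {}
    for op in ("read", "update", "delete"):
        svc = service_cls(build_store())
        try:
            if op == "read":
                svc.read("env_alice", "bob")
            elif op == "update":
                svc.update("env_alice", "bob", {"API_KEY": "attacker-controlled"})
            else:
                svc.delete("env_alice", "bob")
            results[op] = True
        except (NotFound, PermissionError):
            results[op] = False
    return results


if __name__ == "__main__":
    print("vulnerable:", cross_user_check(VulnerableService))
    print("fixed:     ", cross_user_check(FixedService))
```

The point of `find_owned` is that the ownership predicate lives in the query itself rather than in a check layered on top of an unscoped `find`, so a handler that forgets the check has nothing unscoped to call. `cross_user_check` is the shape of test to run per endpoint in CI: create as one identity, exercise every verb as another, and treat anything other than not-found as a failure.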
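CVE-2026-27449 (Umbraco Engage), CVE-2025-70063 (PHPGurukul, iterating `viewid`) and the OpenEMR document and form entries all describe enumeration over small integer identifiers, which leaves a distinctive trace in access logs even when the application itself logs nothing. The following is an added example, not detection content from any vendor above: it runs a sliding-window enumeration check over combined-format access log lines. The eight log lines in `SAMPLE_LOG` are constructed; the parameter names in `ID_PARAM_RE`, the 60-second window and the five-ID threshold are assumptions to tune per deployment.

```python
"""Spotting identifier enumeration in access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Query parameters that carry object identifiers (assumed list; extend per application)
ID_PARAM_RE = re.compile(
    r'(?:^|[?&])(?:id|viewid|doc_id|formid|recipeId|messageId)=(\d+)', re.IGNORECASE
)

# Constructed sample: one user walking viewid=101..106 in four seconds, one normal user
SAMPLE_LOG = """\
10.0.0.5 - bob [27/Feb/2026:10:00:01 +0000] "GET /hms/view-medical-history.php?viewid=101 HTTP/1.1" 200 812
10.0.0.5 - bob [27/Feb/2026:10:00:02 +0000] "GET /hms/view-medical-history.php?viewid=102 HTTP/1.1" 200 790
10.0.0.5 - bob [27/Feb/2026:10:00:02 +0000] "GET /hms/view-medical-history.php?viewid=103 HTTP/1.1" 200 803
10.0.0.5 - bob [27/Feb/2026:10:00:03 +0000] "GET /hms/view-medical-history.php?viewid=104 HTTP/1.1" 200 811
10.0.0.5 - bob [27/Feb/2026:10:00:04 +0000] "GET /hms/view-medical-history.php?viewid=105 HTTP/1.1" 200 799
10.0.0.5 - bob [27/Feb/2026:10:00:05 +0000] "GET /hms/view-medical-history.php?viewid=106 HTTP/1.1" 200 805
10.0.0.9 - alice [27/Feb/2026:10:00:07 +0000] "GET /hms/view-medical-history.php?viewid=42 HTTP/1.1" 200 780
10.0.0.9 - alice [27/Feb/2026:10:15:30 +0000] "GET /hms/view-medical-history.php?viewid=42 HTTP/1.1" 200 780
"""

Key = Tuple[str, str, str]          # (ip, user, endpoint without query string)
Event = Tuple[datetime, int, int]   # (timestamp, object id, status)


def parse(line: str) -> Optional[Tuple[Key, Event]]:
    """Return the grouping key and event for a line with an ID parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_PARAM_RE.search(m["path"])
    if not idm:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    endpoint = m["path"].split("?", 1)[0]
    return (m["ip"], m["user"], endpoint), (ts, int(idm.group(1)), int(m["status"]))


def detect_enumeration(log_text: str, window: timedelta = timedelta(seconds=60),
                       min_ids: int = 5) -> List[Dict[str, object]]:
    """Flag (ip, user, endpoint) groups touching >= min_ids distinct IDs inside `window`."""
    groups: Dict[Key, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed:
            key, ev = parsed
            groups[key].append(ev)

    findings: List[Dict[str, object]] = []
    for (ip, user, endpoint), events in groups.items():
        events.sort()
        best: List[Event] = []
        start = 0
        for end in range(len(events)):          # sliding time window, keep the busiest one
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len({e[1] for e in span}) > len({e[1] for e in best}):
                best = span
        ids = sorted({e[1] for e in best})
        if len(ids) < min_ids:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        findings.append({
            "ip": ip, "user": user, "endpoint": endpoint,
            "distinct_ids": len(ids),
            # share of consecutive IDs differing by exactly one: 1.0 is a linear walk
            "sequential_ratio": round(sum(1 for s in steps if s == 1) / len(steps), 2) if steps else 0.0,
            # 2xx responses mean the server actually handed the records over
            "successes": sum(1 for e in best if 200 <= e[2] < 300),
            "first_seen": best[0][0].isoformat(),
            "last_seen": best[-1][0].isoformat(),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_LOG):
        print(finding)
```

Only numeric identifiers are parsed. CUID-keyed resources such as the Hoppscotch environments in CVE-2026-28216 would need the distinct-ID count without the sequential ratio, and the parameter list has to be extended to the application's own names; the `successes` count is what separates a successful IDOR from a scan that was correctly refused with 403 or 404.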
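CVE-2023-36483 is an authorization bypass by session ID prediction rather than a missing ownership check: the identifier that stands in for the user is itself guessable. The code below is an added example, not Honeywell's or anyone else's code from this list: a quick predictability assessment of a captured sample of session identifiers, of the kind run during a pentest before reaching for a sequencer tool. `COUNTER_IDS` and `RANDOM_IDS` are constructed, the 64-bit floor follows the OWASP Session Management Cheat Sheet guidance on session ID entropy, and the 2^16 "near-sequential" delta bound is an assumption.

```python
"""Predictability assessment of a sample of session identifiers (added example)."""
import math
import secrets
from typing import Dict, List

# Constructed samples. COUNTER_IDS imitates an incrementing issuance scheme;
# RANDOM_IDS is what a CSPRNG-backed session store hands out (128 bits each).
COUNTER_IDS = [f"{1000 + i:08x}" for i in range(20)]
RANDOM_IDS = [secrets.token_hex(16) for _ in range(20)]


def assess_session_ids(ids: List[str], min_bits: int = 64) -> Dict[str, object]:
    """Heuristic check: is this sample of IDs (in issuance order) guessable?

    min_bits=64 follows the OWASP Session Management Cheat Sheet floor for
    session ID entropy; the 2**16 'near-sequential' bound is an assumption.
    """
    if len(ids) < 2:
        raise ValueError("need at least two identifiers in issuance order")

    # Optimistic entropy bound: every position uniform over the observed alphabet.
    # A real token can only have less, so failing this bound is conclusive.
    alphabet = set("".join(ids))
    shortest = min(len(i) for i in ids)
    nominal_bits = shortest * math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0

    # Sequential check: if the IDs parse as decimal or hex integers, look at how
    # often consecutive issuances differ by a small positive amount.
    sequential_ratio = 0.0
    for base in (10, 16):
        try:
            values = [int(i, base) for i in ids]
        except ValueError:
            continue
        deltas = [b - a for a, b in zip(values, values[1:])]
        near = sum(1 for d in deltas if 0 < d < 1 << 16)
        sequential_ratio = max(sequential_ratio, near / len(deltas))

    return {
        "nominal_bits": round(nominal_bits, 1),
        "sequential_ratio": round(sequential_ratio, 2),
        "predictable": nominal_bits < min_bits or sequential_ratio >= 0.5,
    }


if __name__ == "__main__":
    print("counter:", assess_session_ids(COUNTER_IDS))
    print("random: ", assess_session_ids(RANDOM_IDS))
```

Both signals are one-sided: passing the nominal-bits bound proves nothing (a deterministic hash of a counter has a full alphabet and still enumerates), while failing it or showing a high sequential ratio is enough to report predictable session IDs and the data exposure that follows from them.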
