Common Weakness Enumeration

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2026-48592 (GCVE-0-2026-48592)

Vulnerability from cvelistv5 – Published: 2026-05-26 19:46 – Updated: 2026-05-27 15:41
Title
Missing authorization check on save-job event handler in oban_web
Summary
Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one. This issue affects oban_web: from 2.12.0 before 2.12.5.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
EEF
Impacted products
Vendor   Product   Version
oban-bg  oban_web  Affected: 2.12.0, < 2.12.5 (semver)
                   cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*
oban-bg  oban_web  Affected: a17bc8c31286c9d516e2892cf5483d1c95e65d6c, < ab3c5d1d3eba06c62045f16f2cd7781c7752e248 (git)
                   cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Parker Selbert Jonatan Männchen / EEF

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48592",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T20:46:44.585227Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T20:46:50.037Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027"
          ],
          "packageName": "oban_web",
          "packageURL": "pkg:hex/oban_web",
          "product": "oban_web",
          "programFiles": [
            "lib/oban/web/live/jobs/detail_component.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027:handle_event/3"
            }
          ],
          "vendor": "oban-bg",
          "versions": [
            {
              "lessThan": "2.12.5",
              "status": "affected",
              "version": "2.12.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027"
          ],
          "packageName": "oban-bg/oban_web",
          "packageURL": "pkg:github/oban-bg/oban_web",
          "product": "oban_web",
          "programFiles": [
            "lib/oban/web/live/jobs/detail_component.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027:handle_event/3"
            }
          ],
          "repo": "https://github.com/oban-bg/oban_web.git",
          "vendor": "oban-bg",
          "versions": [
            {
              "lessThan": "ab3c5d1d3eba06c62045f16f2cd7781c7752e248",
              "status": "affected",
              "version": "a17bc8c31286c9d516e2892cf5483d1c95e65d6c",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Oban.Web dashboard must be deployed and accessible to users with less than full job-management privileges (e.g. \u003ctt\u003e:read_only\u003c/tt\u003e).\u003c/p\u003e"
            }
          ],
          "value": "The Oban.Web dashboard must be deployed and accessible to users with less than full job-management privileges (e.g. :read_only)."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.12.5",
                  "versionStartIncluding": "2.12.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Parker Selbert"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Authorization vulnerability in oban-bg oban_web (\u003ctt\u003e\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027\u003c/tt\u003e modules) allows unauthorized job worker substitution.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003ehandle_event(\"save-job\", ...)\u003c/tt\u003e handler in \u003ctt\u003e\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027\u003c/tt\u003e does not perform an authorization check, unlike the sibling \u003ctt\u003ecancel\u003c/tt\u003e, \u003ctt\u003edelete\u003c/tt\u003e, and \u003ctt\u003eretry\u003c/tt\u003e handlers which all verify the caller\u0027s privileges via \u003ctt\u003ecan?/2\u003c/tt\u003e. An authenticated user with \u003ctt\u003e:read_only\u003c/tt\u003e access can push a forged \u003ctt\u003esave-job\u003c/tt\u003e LiveView WebSocket event to overwrite a job\u0027s \u003ctt\u003eworker\u003c/tt\u003e field with any other existing \u003ctt\u003eOban.Worker\u003c/tt\u003e module in the application. On the job\u0027s next execution attempt, Oban will invoke \u003ctt\u003eperform/1\u003c/tt\u003e on the attacker-chosen module instead of the intended one.\u003c/p\u003e\u003cp\u003eThis issue affects oban_web: from 2.12.0 before 2.12.5.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in oban-bg oban_web (\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027 modules) allows unauthorized job worker substitution.\n\nThe handle_event(\"save-job\", ...) handler in \u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027 does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller\u0027s privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job\u0027s worker field with any other existing Oban.Worker module in the application. On the job\u0027s next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one.\n\nThis issue affects oban_web: from 2.12.0 before 2.12.5."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:41:23.434Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/oban-bg/oban_web/security/advisories/GHSA-389x-rgxr-8m33"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48592.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48592"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/oban-bg/oban_web/commit/ab3c5d1d3eba06c62045f16f2cd7781c7752e248"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Missing authorization check on save-job event handler in oban_web",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48592",
    "datePublished": "2026-05-26T19:46:48.611Z",
    "dateReserved": "2026-05-22T09:36:56.834Z",
    "dateUpdated": "2026-05-27T15:41:23.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48709 (GCVE-0-2026-48709)

Vulnerability from cvelistv5 – Published: 2026-06-15 20:13 – Updated: 2026-06-16 17:12
Title
OliveTin: ValidateArgumentType API Endpoint Missing Authentication Allows Action and Argument Enumeration
Summary
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor    Product   Version
OliveTin  OliveTin  Affected: < 3000.13.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48709",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T15:45:30.099199Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T17:12:34.314Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OliveTin",
          "vendor": "OliveTin",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3000.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T20:13:18.956Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-f637-w7p2-m7fx"
        },
        {
          "name": "https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.13.0"
        }
      ],
      "source": {
        "advisory": "GHSA-f637-w7p2-m7fx",
        "discovery": "UNKNOWN"
      },
      "title": "OliveTin: ValidateArgumentType API Endpoint Missing Authentication Allows Action and Argument Enumeration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48709",
    "datePublished": "2026-06-15T20:13:18.956Z",
    "dateReserved": "2026-05-22T18:47:27.755Z",
    "dateUpdated": "2026-06-16T17:12:34.314Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48783 (GCVE-0-2026-48783)

Vulnerability from cvelistv5 – Published: 2026-06-16 21:38 – Updated: 2026-06-17 12:43
Title
Postiz has an unauthenticated billing-enforcement bypass via /public/modify-subscription
Summary
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-345 - Insufficient Verification of Data Authenticity
  • CWE-639 - Authorization Bypass Through User-Controlled Key
  • CWE-749 - Exposed Dangerous Method or Function
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor     Product     Version
gitroomhq  postiz-app  Affected: < 2.21.8

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48783",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T12:43:27.137971Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T12:43:39.751Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "postiz-app",
          "vendor": "gitroomhq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.21.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token\u0027s claims, without verifying the token\u0027s intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller\u0027s own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan\u0027s limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker\u0027s own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "CWE-749: Exposed Dangerous Method or Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T21:38:00.674Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-v4wr-4j8g-4hfj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-v4wr-4j8g-4hfj"
        },
        {
          "name": "https://github.com/gitroomhq/postiz-app/commit/23696d2973510ae1f3f48bfa41a6bfbbf9827b05",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gitroomhq/postiz-app/commit/23696d2973510ae1f3f48bfa41a6bfbbf9827b05"
        },
        {
          "name": "https://gadvisory.org/advisories/PSA-2026-WWFR8X",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gadvisory.org/advisories/PSA-2026-WWFR8X"
        },
        {
          "name": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.8"
        }
      ],
      "source": {
        "advisory": "GHSA-v4wr-4j8g-4hfj",
        "discovery": "UNKNOWN"
      },
      "title": "Postiz has an unauthenticated billing-enforcement bypass via /public/modify-subscription"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48783",
    "datePublished": "2026-06-16T21:38:00.674Z",
    "dateReserved": "2026-05-22T20:18:20.365Z",
    "dateUpdated": "2026-06-17T12:43:39.751Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48797 (GCVE-0-2026-48797)

Vulnerability from cvelistv5 – Published: 2026-06-16 23:35 – Updated: 2026-06-18 14:28
Title
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Summary
Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing flags intended as security controls: --auth user:pass — documented as "require HTTP Basic authentication on every request to the UI." and --share — documented as "expose the UI on a public address; requires --auth." When --auth user:pass is passed, the CLI prints Auth: enabled (user: <username>) to confirm to the operator that authentication is active, then exports BACKPROPAGATE_UI_AUTH=user:pass to the subprocess that launches the Reflex backend. The Reflex backend (backpropagate/ui_app/**) never reads BACKPROPAGATE_UI_AUTH. No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port — local or remote, depending on whether --share is used — has full UI access. An inline comment at backpropagate/cli.py:1217-1218 in the v1.1.0 source documents the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet." This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced. An attacker who reaches the bound port can read uploaded datasets, trigger arbitrary training runs against any local base models as well as read their paths, trigger HuggingFace Hub pushes and cause disk-fill DoS. This issue has been fixed in version 1.2.0. If developers cannot immediately upgrade to 1.2.0, run backprop ui with no flags so it binds to localhost, use SSH port-forwarding (ssh -L 7860:localhost:7860 <training-host>) instead of --share for remote access, and audit any host previously launched with --share, re-issuing any HF tokens used during those sessions.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-358 - Improperly Implemented Security Check for Standard
  • CWE-862 - Missing Authorization
  • CWE-1295 - Debug Messages Revealing Unnecessary Information
Assigner
References
Impacted products
Vendor             Product                     Version
mcp-tool-shop-org  backpropagate               Affected: >= 1.1.0, < 1.2.0
mcp-tool-shop-org  @mcptoolshop/backpropagate  Affected: >= 1.1.0, < 1.2.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48797",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T14:28:28.094901Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T14:28:42.997Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "backpropagate",
          "vendor": "mcp-tool-shop-org",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.1.0, \u003c 1.2.0"
            }
          ]
        },
        {
          "product": "@mcptoolshop/backpropagate",
          "vendor": "mcp-tool-shop-org",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.1.0, \u003c 1.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing flags intended as security controls: --auth user:pass \u2014 documented as \"require HTTP Basic authentication on every request to the UI.\" and --share \u2014 documented as \"expose the UI on a public address; requires --auth.\" When --auth user:pass is passed, the CLI prints Auth: enabled (user: \u003cusername\u003e) to confirm to the operator that authentication is active, then exports BACKPROPAGATE_UI_AUTH=user:pass to the subprocess that launches the Reflex backend. The Reflex backend (backpropagate/ui_app/**) never reads BACKPROPAGATE_UI_AUTH. No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port \u2014 local or remote, depending on whether --share is used \u2014 has full UI access. An inline comment at backpropagate/cli.py:1217-1218 in the v1.1.0 source documents the gap: \"For Phase 1 the variable is exported but Reflex doesn\u0027t read it yet.\" This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced. An attacker who reaches the bound port can read uploaded datasets, trigger arbitrary training runs against any local base models as well as read their paths, trigger HuggingFace Hub pushes and cause disk-fill DoS. This issue has been fixed in version 1.2.0.\nIf developers cannot immediately upgrade to 1.2.0, run backprop ui with no flags so it binds to localhost, use SSH port-forwarding (ssh -L 7860:localhost:7860 \u003ctraining-host\u003e) instead of --share for remote access, and audit any host previously launched with --share, re-issuing any HF tokens used during those sessions."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-358",
              "description": "CWE-358: Improperly Implemented Security Check for Standard",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1295",
              "description": "CWE-1295: Debug Messages Revealing Unnecessary Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T23:43:44.836Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mcp-tool-shop-org/backpropagate/security/advisories/GHSA-f65r-h4g3-3h9h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mcp-tool-shop-org/backpropagate/security/advisories/GHSA-f65r-h4g3-3h9h"
        },
        {
          "name": "https://github.com/mcp-tool-shop-org/backpropagate/releases/tag/v1.2.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mcp-tool-shop-org/backpropagate/releases/tag/v1.2.0"
        }
      ],
      "source": {
        "advisory": "GHSA-f65r-h4g3-3h9h",
        "discovery": "UNKNOWN"
      },
      "title": "Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48797",
    "datePublished": "2026-06-16T23:35:22.373Z",
    "dateReserved": "2026-05-22T20:18:20.366Z",
    "dateUpdated": "2026-06-18T14:28:42.997Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48811 (GCVE-0-2026-48811)

Vulnerability from cvelistv5 – Published: 2026-05-29 19:47 – Updated: 2026-06-01 15:15
VLAI
Title
FreeScout: Thread Deletion Bypasses Mailbox Access Revocation
Summary
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48811",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-01T15:15:00.790272Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-01T15:15:07.882Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vx8-gx3p-9mh6"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "freescout",
          "vendor": "freescout-help-desk",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.221"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FreeScout is a free help desk and shared inbox built with PHP\u0027s Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user\u0027s access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-29T19:47:46.184Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vx8-gx3p-9mh6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9vx8-gx3p-9mh6"
        }
      ],
      "source": {
        "advisory": "GHSA-9vx8-gx3p-9mh6",
        "discovery": "UNKNOWN"
      },
      "title": "FreeScout: Thread Deletion Bypasses Mailbox Access Revocation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48811",
    "datePublished": "2026-05-29T19:47:46.184Z",
    "dateReserved": "2026-05-22T20:57:10.976Z",
    "dateUpdated": "2026-06-01T15:15:07.882Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48835 (GCVE-0-2026-48835)

Vulnerability from cvelistv5 – Published: 2026-06-15 20:18 – Updated: 2026-06-16 14:59
VLAI
Title
WordPress Contact Form by WPForms plugin <= 1.10.0.4 - Broken Access Control vulnerability
Summary
Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Awesomemotive Contact Form by WPForms Affected: n/a , ≤ 1.10.0.4 (custom)
Credits
Cyrille COQUARD | Patchstack Bug Bounty Program

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48835",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T14:59:38.528182Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T14:59:51.463Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "wpforms-lite",
          "product": "Contact Form by WPForms",
          "vendor": "Awesomemotive",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.10.0.5",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.10.0.4",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Cyrille COQUARD | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unauthenticated Broken Access Control in Contact Form by WPForms \u003c= 1.10.0.4 versions."
            }
          ],
          "value": "Unauthenticated Broken Access Control in Contact Form by WPForms \u003c= 1.10.0.4 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T20:18:53.544Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/wpforms-lite/vulnerability/wordpress-contact-form-by-wpforms-plugin-1-10-0-4-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Contact Form by WPForms Plugin to the latest available version (at least 1.10.0.5)."
            }
          ],
          "value": "Update the WordPress Contact Form by WPForms Plugin to the latest available version (at least 1.10.0.5)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Contact Form by WPForms plugin \u003c= 1.10.0.4 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-48835",
    "datePublished": "2026-06-15T20:18:53.544Z",
    "dateReserved": "2026-05-25T14:28:27.466Z",
    "dateUpdated": "2026-06-16T14:59:51.463Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48873 (GCVE-0-2026-48873)

Vulnerability from cvelistv5 – Published: 2026-06-15 20:18 – Updated: 2026-06-16 13:48
VLAI
Title
WordPress Montonio for WooCommerce plugin <= 10.1.2 - Broken Access Control vulnerability
Summary
Unauthenticated Broken Access Control in Montonio for WooCommerce <= 10.1.2 versions.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Montonio Montonio for WooCommerce Affected: n/a , ≤ 10.1.2 (custom)
Credits
Niv Kochan | Patchstack Bug Bounty Program

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48873",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T13:47:49.619406Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T13:48:33.529Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "montonio-for-woocommerce",
          "product": "Montonio for WooCommerce",
          "vendor": "Montonio",
          "versions": [
            {
              "changes": [
                {
                  "at": "10.1.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "10.1.2",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Niv Kochan | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unauthenticated Broken Access Control in Montonio for WooCommerce \u003c= 10.1.2 versions."
            }
          ],
          "value": "Unauthenticated Broken Access Control in Montonio for WooCommerce \u003c= 10.1.2 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T20:18:58.759Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/montonio-for-woocommerce/vulnerability/wordpress-montonio-for-woocommerce-plugin-10-1-2-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Montonio for WooCommerce Plugin to the latest available version (at least 10.1.3)."
            }
          ],
          "value": "Update the WordPress Montonio for WooCommerce Plugin to the latest available version (at least 10.1.3)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Montonio for WooCommerce plugin \u003c= 10.1.2 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-48873",
    "datePublished": "2026-06-15T20:18:58.759Z",
    "dateReserved": "2026-05-25T22:10:00.865Z",
    "dateUpdated": "2026-06-16T13:48:33.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4888 (GCVE-0-2026-4888)

Vulnerability from cvelistv5 – Published: 2026-05-27 23:26 – Updated: 2026-05-28 00:29
VLAI
Title
Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder <= 3.4.7 - Missing Authorization to Authenticated (Subscriber+) Email Sending
Summary
The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Credits
Quốc Huy

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4888",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T00:29:30.930252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T00:29:40.632Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Everest Forms \u2013 Contact Form, Payment Form, Quiz, Survey \u0026 Custom Form Builder",
          "vendor": "wpeverest",
          "versions": [
            {
              "lessThanOrEqual": "3.4.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Qu\u1ed1c Huy"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Everest Forms \u2013 Contact Form, Payment Form, Quiz, Survey \u0026 Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T23:26:34.619Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8bced7df-3e1a-4d7b-9ad0-64be5e18900f?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/class-evf-ajax.php#L1174"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-24T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2026-03-26T12:04:55.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-27T10:58:29.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Everest Forms \u2013 Contact Form, Payment Form, Quiz, Survey \u0026 Custom Form Builder \u003c= 3.4.7 - Missing Authorization to Authenticated (Subscriber+) Email Sending"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4888",
    "datePublished": "2026-05-27T23:26:34.619Z",
    "dateReserved": "2026-03-26T11:48:23.396Z",
    "dateUpdated": "2026-05-28T00:29:40.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48881 (GCVE-0-2026-48881)

Vulnerability from cvelistv5 – Published: 2026-06-15 20:19 – Updated: 2026-06-16 15:35
VLAI
Title
WordPress TrueBooker plugin <= 1.1.9 - Broken Access Control vulnerability
Summary
Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
themetechmount TrueBooker Affected: n/a , ≤ 1.1.9 (custom)
Credits
Vincent Sevkli | Patchstack Bug Bounty Program

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48881",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T15:34:49.677357Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T15:35:19.965Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "truebooker-appointment-booking",
          "product": "TrueBooker",
          "vendor": "themetechmount",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.1.9",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Vincent Sevkli | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unauthenticated Broken Access Control in TrueBooker \u003c= 1.1.9 versions."
            }
          ],
          "value": "Unauthenticated Broken Access Control in TrueBooker \u003c= 1.1.9 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T20:19:02.008Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/truebooker-appointment-booking/vulnerability/wordpress-truebooker-plugin-1-1-9-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress TrueBooker Plugin to the latest available version (at least 1.2.0)."
            }
          ],
          "value": "Update the WordPress TrueBooker Plugin to the latest available version (at least 1.2.0)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress TrueBooker plugin \u003c= 1.1.9 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-48881",
    "datePublished": "2026-06-15T20:19:02.008Z",
    "dateReserved": "2026-05-25T22:37:16.412Z",
    "dateUpdated": "2026-06-16T15:35:19.965Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48883 (GCVE-0-2026-48883)

Vulnerability from cvelistv5 – Published: 2026-06-15 20:19 – Updated: 2026-06-15 22:27
VLAI
Title
WordPress WPC Product Bundles for WooCommerce plugin <= 8.5.3 - Broken Access Control vulnerability
Summary
Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
WPClever WPC Product Bundles for WooCommerce Affected: n/a , ≤ 8.5.3 (custom)
Credits
Jakub Herman | Patchstack Bug Bounty Program

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48883",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T22:27:06.637565Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T22:27:14.642Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "woo-product-bundle",
          "product": "WPC Product Bundles for WooCommerce",
          "vendor": "WPClever",
          "versions": [
            {
              "changes": [
                {
                  "at": "8.5.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "8.5.3",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Jakub Herman | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce \u003c= 8.5.3 versions."
            }
          ],
          "value": "Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce \u003c= 8.5.3 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T20:19:03.290Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/woo-product-bundle/vulnerability/wordpress-wpc-product-bundles-for-woocommerce-plugin-8-5-3-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress WPC Product Bundles for WooCommerce Plugin to the latest available version (at least 8.5.4)."
            }
          ],
          "value": "Update the WordPress WPC Product Bundles for WooCommerce Plugin to the latest available version (at least 8.5.4)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress WPC Product Bundles for WooCommerce plugin \u003c= 8.5.3 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-48883",
    "datePublished": "2026-06-15T20:19:03.290Z",
    "dateReserved": "2026-05-25T22:37:16.413Z",
    "dateUpdated": "2026-06-15T22:27:14.642Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phase: Architecture and Design

Description:

  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach does not by itself protect against horizontal authorization failures, i.e., it will not stop a user from attacking other users who hold the same role; that requires an additional per-object (ownership) check.
Mitigation

Phase: Architecture and Design

Description:

  • Ensure that access control checks are performed in relation to the business logic. These checks may differ from the access control checks applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
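The two mitigations above fit together: RBAC answers "may this role do this kind of thing" (vertical), and the business-logic rule answers "may this caller touch this particular record" (horizontal). The following Python is an added example, not code from CWE, the referenced documents, or any project on this page; it uses the medical-records scenario from the mitigation text, and the roles, permission names, users and records are all constructed for illustration. The weak and hardened reader functions sit side by side so the horizontal gap is visible.

```python
"""Added example, not code from CWE or any project on this page: a role-based
(vertical) check combined with a per-record, business-logic (horizontal) check.
Roles, permission names, users and records are constructed for illustration."""
from dataclasses import dataclass

# Vertical authorization: what each role may do. Roles or permissions
# not listed here are denied (default deny).
ROLE_PERMISSIONS = {
    "anonymous": frozenset(),
    "patient": frozenset({"record:read"}),
    "doctor": frozenset({"record:read", "record:write"}),
    "admin": frozenset({"record:read", "record:write", "user:manage"}),
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class MedicalRecord:
    record_id: str
    patient_id: str
    doctor_id: str
    body: str


class AuthorizationError(PermissionError):
    pass


def has_permission(user: User, permission: str) -> bool:
    """RBAC only: does the caller's role grant this permission?"""
    return permission in ROLE_PERMISSIONS.get(user.role, frozenset())


def may_access_record(user: User, record: MedicalRecord) -> bool:
    """Business-logic rule: a record is visible to its patient, the treating
    doctor, and administrators; nobody else, regardless of role."""
    if user.role == "admin":
        return True
    return user.user_id in (record.patient_id, record.doctor_id)


def read_record_rbac_only(user: User, record: MedicalRecord) -> str:
    """Weak: role check only. Any patient can read any other patient's record,
    which is the horizontal gap the mitigation text warns about."""
    if not has_permission(user, "record:read"):
        raise AuthorizationError(f"{user.user_id} lacks record:read")
    return record.body


def read_record(user: User, record: MedicalRecord) -> str:
    """Hardened: vertical check first, then the per-record check."""
    if not has_permission(user, "record:read"):
        raise AuthorizationError(f"{user.user_id} lacks record:read")
    if not may_access_record(user, record):
        raise AuthorizationError(f"{user.user_id} may not access {record.record_id}")
    return record.body


def update_record(user: User, record: MedicalRecord, new_body: str) -> MedicalRecord:
    """Writes need both the stronger permission and the record-level rule."""
    if not has_permission(user, "record:write"):
        raise AuthorizationError(f"{user.user_id} lacks record:write")
    if not may_access_record(user, record):
        raise AuthorizationError(f"{user.user_id} may not access {record.record_id}")
    return MedicalRecord(record.record_id, record.patient_id, record.doctor_id, new_body)


def denied(fn, *args) -> bool:
    """True if the call is refused by an authorization check."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


# Constructed sample data.
RECORD = MedicalRecord("rec-1", patient_id="alice", doctor_id="dr-bob", body="bp 120/80")
ALICE = User("alice", "patient")    # the record's patient
CAROL = User("carol", "patient")    # another patient, same role as Alice
DR_BOB = User("dr-bob", "doctor")   # treating doctor
DR_DAN = User("dr-dan", "doctor")   # unrelated doctor
ANON = User("anon", "anonymous")
ADMIN = User("root", "admin")

if __name__ == "__main__":
    print("rbac only, carol reads alice's record:", read_record_rbac_only(CAROL, RECORD))
    print("hardened, carol denied:", denied(read_record, CAROL, RECORD))
    print("hardened, dr-bob reads:", read_record(DR_BOB, RECORD))
```

Note that `read_record_rbac_only` passes every RBAC test and is still wrong: Carol holds the same role as Alice, so the role check cannot distinguish them. Only the ownership rule in `may_access_record` does.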
Mitigation ID: MIT-4.4

Phase: Architecture and Design

Strategy: Libraries or Frameworks

Description:

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation

Phase: Architecture and Design

Description:

  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
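The practical way to guarantee "every page" is to put the session and permission check in one dispatcher that every request passes through, rather than in each handler, so a handler that forgets its check is denied instead of exposed. The following Python is an added example, not code from CWE or from any plugin or project on this page; the routes, the `X-Session-Token` header, the token store and the permission names are constructed for illustration.

```python
"""Added example, not code from CWE or any project on this page: a minimal
server-side dispatcher that authenticates the session and checks the route's
declared permission before any handler runs, so a page cannot be reached by
requesting its URL directly. Routes, tokens, permission names and the
X-Session-Token header are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Session:
    user_id: str
    permissions: frozenset


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


# Constructed session store (token -> session); a real app keeps this server-side.
SESSIONS = {
    "tok-reader": Session("reader", frozenset({"report:read"})),
    "tok-editor": Session("editor", frozenset({"report:read", "report:edit"})),
}


@dataclass(frozen=True)
class Route:
    handler: Callable[[Optional[Session]], str]
    requires: Optional[str]   # permission name; None means "nothing declared"
    public: bool              # True only for pages that need no session at all


ROUTES: dict = {}


def route(path: str, requires: Optional[str] = None, public: bool = False):
    """Register a handler with the permission it needs."""
    def register(fn):
        ROUTES[path] = Route(fn, requires, public)
        return fn
    return register


def dispatch(path: str, headers: dict) -> Response:
    """Single enforcement point: every request passes through here."""
    rt = ROUTES.get(path)
    if rt is None:
        return Response(404, "not found")
    if rt.public:
        return Response(200, rt.handler(None))
    session = SESSIONS.get(headers.get("X-Session-Token", ""))
    if session is None:
        return Response(401, "authentication required")
    # Default deny: a route that never declared a permission is unreachable,
    # instead of silently open to every logged-in user.
    if rt.requires is None or rt.requires not in session.permissions:
        return Response(403, "forbidden")
    # Sensitive pages must not be served from caches.
    return Response(200, rt.handler(session), {"Cache-Control": "no-store"})


@route("/login", public=True)
def login_page(_session):
    return "login form"


@route("/reports/1", requires="report:read")
def view_report(session):
    return f"report 1 for {session.user_id}"


@route("/reports/1/edit", requires="report:edit")
def edit_report(session):
    return f"report 1 saved by {session.user_id}"


@route("/admin/settings")   # permission never declared -> denied by default
def admin_settings(session):
    return "settings"


if __name__ == "__main__":
    for path, hdrs in [("/reports/1", {}),
                       ("/reports/1/edit", {"X-Session-Token": "tok-reader"}),
                       ("/admin/settings", {"X-Session-Token": "tok-editor"})]:
        r = dispatch(path, hdrs)
        print(path, r.status, r.body)
```

The `/admin/settings` route is the interesting case: its author forgot to say who may use it, and the dispatcher answers 403 for everyone rather than 200 for anyone with a session. That is the behaviour a default-deny gate buys you over per-handler checks.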
Mitigation

Phases: System Configuration, Installation

Description:

  • Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness in the Thunderbolt protocol on a computing device to manipulate Thunderbolt controller firmware, in order to exploit vulnerabilities in the implementation of the authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller's SPI (Serial Peripheral Interface) flash, through the use of an SPI programming device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within the Thunderbolt protocol with 9 attack vectors, as noted in the Execution Flow.
