Total
6608 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-25538 | 1 Devtron | 1 Devtron | 2026-02-11 | N/A | 8.8 HIGH |
| Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26. | |||||
| CVE-2026-2208 | 1 Wekan Project | 1 Wekan | 2026-02-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded. | |||||
| CVE-2026-24777 | 1 Openproject | 1 Openproject | 2026-02-11 | N/A | 6.7 MEDIUM |
| OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2. | |||||
| CVE-2025-13391 | 2026-02-11 | N/A | 5.8 MEDIUM | ||
| The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60. | |||||
| CVE-2025-15400 | 2026-02-11 | N/A | 6.5 MEDIUM | ||
| The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated users, such as subscribers to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality. | |||||
| CVE-2025-15524 | 2026-02-11 | N/A | 4.3 MEDIUM | ||
| The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve metadata (name, image count, thumbnail URL) of private, draft, and password-protected galleries by enumerating gallery IDs. | |||||
| CVE-2026-1786 | 2026-02-11 | N/A | 6.5 MEDIUM | ||
| The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dg_tw_options' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings including Twitter API credentials, post author, post status, and the capability required to access the plugin's admin menu. | |||||
| CVE-2026-1833 | 2026-02-11 | N/A | 5.3 MEDIUM | ||
| The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to block and unblock phone numbers, which should be restricted to administrators. | |||||
| CVE-2026-1748 | 2026-02-11 | N/A | 4.3 MEDIUM | ||
| The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve invoice clients, invoice items, and list of WordPress users along with their emails. | |||||
| CVE-2026-25609 | 2026-02-10 | N/A | 5.4 MEDIUM | ||
| Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only. | |||||
| CVE-2026-0817 | 1 Wikimedia | 1 Campaignevents | 2026-02-10 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse.This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39. | |||||
| CVE-2026-1897 | 1 Wekan Project | 1 Wekan | 2026-02-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component. | |||||
| CVE-2025-15289 | 1 Tanium | 1 Interact | 2026-02-10 | N/A | 3.1 LOW |
| Tanium addressed an improper access controls vulnerability in Interact. | |||||
| CVE-2025-15330 | 1 Tanium | 1 Deploy | 2026-02-10 | N/A | 8.8 HIGH |
| Tanium addressed an improper input validation vulnerability in Deploy. | |||||
| CVE-2025-15327 | 1 Tanium | 1 Deploy | 2026-02-10 | N/A | 4.3 MEDIUM |
| Tanium addressed an improper access controls vulnerability in Deploy. | |||||
| CVE-2025-15326 | 1 Tanium | 1 Patch | 2026-02-10 | N/A | 4.3 MEDIUM |
| Tanium addressed an improper access controls vulnerability in Patch. | |||||
| CVE-2026-1722 | 2026-02-10 | N/A | 5.3 MEDIUM | ||
| The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings. | |||||
| CVE-2026-25808 | 2026-02-10 | N/A | 7.5 HIGH | ||
| Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2. | |||||
| CVE-2026-0845 | 2026-02-10 | N/A | 7.2 HIGH | ||
| The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2025-14895 | 2026-02-10 | N/A | 5.4 MEDIUM | ||
| The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics. | |||||