Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14539 vulnerabilities reference this CWE, most recent first.

CVE-2026-11858 (GCVE-0-2026-11858)

Vulnerability from cvelistv5 – Published: 2026-06-17 11:50 – Updated: 2026-06-17 14:56
VLAI
Title
Missing authorization in Quanos SCHEMA ST4 Client Update Service allows arbitrary file overwrite as SYSTEM
Summary
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://r.sec-consult.com/quanos third-party-advisory
Impacted products
Vendor Product Version
Quanos Solutions GmbH SCHEMA ST4 Affected: SCHEMA ST4 on-premises, all versions
Create a notification for this product.
Credits
Johannes Kruchem, SEC Consult Vulnerability Lab
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11858",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T14:56:14.233126Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-17T14:56:22.560Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "SCHEMA ST4",
          "vendor": "Quanos Solutions GmbH",
          "versions": [
            {
              "status": "affected",
              "version": "SCHEMA ST4 on-premises, all versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Johannes Kruchem, SEC Consult Vulnerability Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation."
            }
          ],
          "value": "Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-17T11:50:47.666Z",
        "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "shortName": "SEC-VLab"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://r.sec-consult.com/quanos"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vendor does not provide a patch. The vendor recommends disabling the affected Client Update Service. Updating the client is then only possible manually with a privileged user account.\u003cdiv\u003e\u003cbr\u003e\u003cdiv\u003e\u003cp\u003eQuanos confirms that exploitation requires local host access with an authenticated user session. In properly managed environments following the Least Privilege principle, the attack surface is significantly reduced. Quanos Cloud/SaaS deployments are not affected. Quanos considers the migration to the Cloud/SaaS architecture the strategic long-term solution.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e"
            }
          ],
          "value": "The vendor does not provide a patch. The vendor recommends disabling the affected Client Update Service. Updating the client is then only possible manually with a privileged user account.\n\n\nQuanos confirms that exploitation requires local host access with an authenticated user session. In properly managed environments following the Least Privilege principle, the attack surface is significantly reduced. Quanos Cloud/SaaS deployments are not affected. Quanos considers the migration to the Cloud/SaaS architecture the strategic long-term solution."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Missing authorization in Quanos SCHEMA ST4 Client Update Service allows arbitrary file overwrite as SYSTEM",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Disable the Client Update Service until a fix is provided. Restrict local interactive access to systems running SCHEMA ST4 on-premises. Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts. Ensure that only trusted administrators can perform client updates manually."
            }
          ],
          "value": "Disable the Client Update Service until a fix is provided. Restrict local interactive access to systems running SCHEMA ST4 on-premises. Apply the principle of least privilege to local user accounts and prevent untrusted users from obtaining local sessions on affected hosts. Ensure that only trusted administrators can perform client updates manually."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
    "assignerShortName": "SEC-VLab",
    "cveId": "CVE-2026-11858",
    "datePublished": "2026-06-17T11:50:47.666Z",
    "dateReserved": "2026-06-10T09:08:26.174Z",
    "dateUpdated": "2026-06-17T14:56:22.560Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11818 (GCVE-0-2026-11818)

Vulnerability from cvelistv5 – Published: 2026-07-10 03:31 – Updated: 2026-07-10 14:25
VLAI
Title
WPCafe <= 3.0.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via REST API
Summary
The WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to list, create, update, delete, clone, and bulk-delete notification flow workflows that are intended to be managed only by administrators. The only protection on these endpoints is a wp_rest nonce check, which is obtainable by any logged-in user from the frontend page source.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
Sushi Com Abacate
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11818",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T14:24:51.466836Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T14:25:01.305Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WPCafe \u2013 Restaurant Menu, Online Food Ordering \u0026 Table Booking System",
          "vendor": "arraytics",
          "versions": [
            {
              "lessThanOrEqual": "3.0.14",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sushi Com Abacate"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WPCafe \u2013 Restaurant Menu, Online Food Ordering \u0026 Table Booking System plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to list, create, update, delete, clone, and bulk-delete notification flow workflows that are intended to be managed only by administrators. The only protection on these endpoints is a wp_rest nonce check, which is obtainable by any logged-in user from the frontend page source."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T03:31:13.896Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9cf2d3bd-359c-4334-ad28-b6b9722edd1c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-cafe/tags/3.0.13/vendor/themewinter/email-notification-sdk/src/Flow/FlowAPI.php#L66"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-cafe/tags/3.0.13/vendor/themewinter/email-notification-sdk/src/Flow/FlowAPI.php#L82"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-cafe/tags/3.0.13/vendor/themewinter/email-notification-sdk/src/Flow/FlowAPI.php#L110"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-cafe/tags/3.0.13/vendor/themewinter/email-notification-sdk/src/Flow/FlowAPI.php#L102"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-cafe/tags/3.0.13/vendor/themewinter/email-notification-sdk/src/Flow/FlowAPI.php#L74"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-cafe/tags/3.0.13/vendor/themewinter/email-notification-sdk/src/Flow/FlowAPI.php#L121"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-cafe/tags/3.0.15/core/email-automation/Service/email-notification.php#L78"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-cafe/tags/3.0.15/core/email-automation/Service/email-notification.php#L88"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-cafe/tags/3.0.15/core/email-automation/Service/email-notification.php#L119"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-09T17:27:56.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-09T14:47:22.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WPCafe \u003c= 3.0.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via REST API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-11818",
    "datePublished": "2026-07-10T03:31:13.896Z",
    "dateReserved": "2026-06-09T17:11:02.337Z",
    "dateUpdated": "2026-07-10T14:25:01.305Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11807 (GCVE-0-2026-11807)

Vulnerability from cvelistv5 – Published: 2026-06-23 19:40 – Updated: 2026-07-15 02:45
VLAI
Title
Eda-server: websocket missing authorization allows credential theft via activation_id spoofing
Summary
A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 8 Unaffected: 0:1.1.19-1.el8ap , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.5::el8
    cpe:/a:redhat:ansible_automation_platform:2.5::el9
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 9 Unaffected: 0:1.1.19-1.el9ap , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.5::el8
    cpe:/a:redhat:ansible_automation_platform:2.5::el9
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2.6 for RHEL 9 Unaffected: 0:1.2.9-2.el9ap , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.6::el9
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2.5 Unaffected: 1781741251 , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.5::el8
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2.6 Unaffected: 1781732675 , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.6::el9
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 8 Unaffected: 0:1.1.19-1.el8ap , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.5::el8
Create a notification for this product.
Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 9 Unaffected: 0:1.1.19-1.el9ap , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.5::el9
Create a notification for this product.
Date Public
2026-06-23 14:27
Credits
This issue was discovered by Chris Meyers (Red Hat, Inc.).
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11807",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T18:22:21.415124Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T18:22:39.535Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.5::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "automation-eda-controller",
            "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:1.1.19-1.el8ap",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.5::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "automation-eda-controller",
            "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:1.1.19-1.el9ap",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "automation-eda-controller",
            "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:1.2.9-2.el9ap",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.5::el8"
            ],
            "defaultStatus": "affected",
            "packageName": "ansible-automation-platform-25/eda-controller-rhel8",
            "product": "Red Hat Ansible Automation Platform 2.5",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1781741251",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "ansible-automation-platform-26/eda-controller-rhel9",
            "product": "Red Hat Ansible Automation Platform 2.6",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1781732675",
                "versionType": "rpm"
              }
            ]
          }
        ],
        "datePublic": "2026-06-23T14:27:28.309Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Critical"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.6,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-862",
                "description": "Missing Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T02:45:43.466Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-11807"
          },
          {
            "name": "RHBZ#2487036",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487036"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11807.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28376"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28377"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28497"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:28492"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:28376: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28377: Red Hat Ansible Automation Platform 2.6 for RHEL 9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28497: Red Hat Ansible Automation Platform 2.5"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:28492: Red Hat Ansible Automation Platform 2.6"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-09T15:42:49.367Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-23T14:27:28.309Z",
            "value": "Made public."
          }
        ],
        "title": "eda-server: websocket missing authorization allows credential theft via activation_id spoofing",
        "workarounds": [
          {
            "lang": "en",
            "value": "The following practices would help for reducing or avoiding the exposure to this flaw:\n\n1) Restrict network access to the EDA websocket endpoint.\n2) Review and limit user accounts with any level of Ansible Automation Platform authentication until the fix is applied."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
            "cpe:/a:redhat:ansible_automation_platform:2.5::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "automation-eda-controller",
          "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.1.19-1.el8ap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
            "cpe:/a:redhat:ansible_automation_platform:2.5::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "automation-eda-controller",
          "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.1.19-1.el9ap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "automation-eda-controller",
          "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.2.9-2.el9ap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2.5::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "ansible-automation-platform-25/eda-controller-rhel8",
          "product": "Red Hat Ansible Automation Platform 2.5",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781741251",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "ansible-automation-platform-26/eda-controller-rhel9",
          "product": "Red Hat Ansible Automation Platform 2.6",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1781732675",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by Chris Meyers (Red Hat, Inc.)."
        }
      ],
      "datePublic": "2026-06-23T14:27:28.309Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Critical"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T01:39:13.071Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:28376",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:28376"
        },
        {
          "name": "RHSA-2026:28377",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:28377"
        },
        {
          "name": "RHSA-2026:28492",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:28492"
        },
        {
          "name": "RHSA-2026:28497",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:28497"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-11807"
        },
        {
          "name": "RHBZ#2487036",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487036"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-09T15:42:49.367Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-06-23T14:27:28.309Z",
          "value": "Made public."
        }
      ],
      "title": "Eda-server: websocket missing authorization allows credential theft via activation_id spoofing",
      "workarounds": [
        {
          "lang": "en",
          "value": "The following practices would help for reducing or avoiding the exposure to this flaw:\n\n1) Restrict network access to the EDA websocket endpoint.\n2) Review and limit user accounts with any level of Ansible Automation Platform authentication until the fix is applied."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-862: Missing Authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-11807",
    "datePublished": "2026-06-23T19:40:33.182Z",
    "dateReserved": "2026-06-09T15:41:49.114Z",
    "dateUpdated": "2026-07-15T02:45:43.466Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11802 (GCVE-0-2026-11802)

Vulnerability from cvelistv5 – Published: 2026-07-14 01:30 – Updated: 2026-07-15 13:39
VLAI
Title
FoodBook Lite <= 1.5.6 - Missing Authorization to Unauthenticated User Registration via 'registration_action' AJAX Action
Summary
The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration() function, accessible via the wp_ajax_nopriv_registration_action AJAX action, lacks any nonce verification or capability check, and does not check the WordPress users_can_register option before calling wp_insert_user(). This makes it possible for unauthenticated attackers to create new user accounts with the 'customer' role and receive authentication cookies, even when the site administrator has explicitly disabled user registration.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
Eason
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11802",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-15T13:39:46.232625Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T13:39:53.630Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "FoodBook Lite \u2013 Online Food Ordering System",
          "vendor": "themelooks",
          "versions": [
            {
              "lessThanOrEqual": "1.5.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Eason"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration() function, accessible via the wp_ajax_nopriv_registration_action AJAX action, lacks any nonce verification or capability check, and does not check the WordPress users_can_register option before calling wp_insert_user(). This makes it possible for unauthenticated attackers to create new user accounts with the \u0027customer\u0027 role and receive authentication cookies, even when the site administrator has explicitly disabled user registration."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T01:30:00.701Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b67557c-785f-433b-8e5b-fcc0bda14892?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.6/inc/class-components-ajax.php#L86"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.6/inc/class-components-ajax.php#L68"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.6/inc/class-components-ajax.php#L21"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.6/inc/class-components-ajax.php#L18"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.7/inc/class-components-ajax.php#L67-L73"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.7/inc/class-components-ajax.php#L39"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/foodbook-light-online-food-ordering-system/tags/1.5.7/inc/helper-functions.php#L724-L725"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-13T13:10:51.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "FoodBook Lite \u003c= 1.5.6 - Missing Authorization to Unauthenticated User Registration via \u0027registration_action\u0027 AJAX Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-11802",
    "datePublished": "2026-07-14T01:30:00.701Z",
    "dateReserved": "2026-06-09T14:53:04.712Z",
    "dateUpdated": "2026-07-15T13:39:53.630Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11773 (GCVE-0-2026-11773)

Vulnerability from cvelistv5 – Published: 2026-06-27 06:50 – Updated: 2026-06-29 12:20
VLAI
Title
Masteriyo LMS <= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Course Announcement Modification
Summary
The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
ilinor
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11773",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T12:19:37.940286Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T12:20:04.970Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Masteriyo LMS \u2013 LMS Course Builder, Quizzes \u0026 Certificates",
          "vendor": "masteriyo",
          "versions": [
            {
              "lessThanOrEqual": "2.2.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "ilinor"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Masteriyo LMS \u2013 LMS Course Builder, Quizzes \u0026 Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T06:50:57.531Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5780d762-2313-4c81-be02-99543359d824?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.2.1/addons/course-announcement/Controllers/CourseAnnouncementController.php#L782"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.2.1/addons/course-announcement/Controllers/CourseAnnouncementController.php#L619"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.8/addons/course-announcement/Controllers/CourseAnnouncementController.php#L782"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.8/addons/course-announcement/Controllers/CourseAnnouncementController.php#L619"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3583519%40learning-management-system\u0026new=3583519%40learning-management-system\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-09T12:11:09.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-26T17:55:05.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Masteriyo LMS \u003c= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Course Announcement Modification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-11773",
    "datePublished": "2026-06-27T06:50:57.531Z",
    "dateReserved": "2026-06-09T11:55:57.904Z",
    "dateUpdated": "2026-06-29T12:20:04.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11719 (GCVE-0-2026-11719)

Vulnerability from cvelistv5 – Published: 2026-06-18 11:55 – Updated: 2026-06-18 13:53
VLAI
Summary
An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler).
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
HE WEI(ギカク)(https://www.linkedin.com/in/gikaku/)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11719",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T12:55:43.505312Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T13:53:08.793Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MCP Toolbox for Databases (googleapis/mcp-toolbox)",
          "vendor": "Google",
          "versions": [
            {
              "status": "affected",
              "version": "1.3.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "HE WEI\uff08\u30ae\u30ab\u30af\uff09(https://www.linkedin.com/in/gikaku/)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers.\n\nWhile the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler)."
            }
          ],
          "value": "An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers.\n\nWhile the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler)."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115: Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T11:55:03.666Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://github.com/googleapis/mcp-toolbox/pull/3335"
        },
        {
          "url": "https://github.com/googleapis/mcp-toolbox/pull/3049"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2026-11719",
    "datePublished": "2026-06-18T11:55:03.666Z",
    "dateReserved": "2026-06-09T00:53:57.846Z",
    "dateUpdated": "2026-06-18T13:53:08.793Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11607 (GCVE-0-2026-11607)

Vulnerability from cvelistv5 – Published: 2026-06-09 10:48 – Updated: 2026-07-15 12:46
VLAI
Title
TYPO3 CMS - Broken Access Control in Form Framework
Summary
Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
TYPO3 TYPO3 CMS Affected: 0 , < 10.4.57 (semver)
Affected: 11.0.0 , < 11.5.51 (semver)
Affected: 12.0.0 , < 12.4.46 (semver)
Affected: 13.0.0 , < 13.4.31 (semver)
Affected: 14.0.0 , < 14.3.3 (semver)
Create a notification for this product.
Credits
Ethan Oliver Hader
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11607",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T12:53:44.766969Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T12:53:55.463Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://packagist.org",
          "defaultStatus": "unaffected",
          "modules": [
            "Form"
          ],
          "packageName": "typo3/cms-form",
          "product": "TYPO3 CMS",
          "repo": "https://github.com/TYPO3/typo3",
          "vendor": "TYPO3",
          "versions": [
            {
              "lessThan": "10.4.57",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.5.51",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.4.46",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.4.31",
              "status": "affected",
              "version": "13.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.3.3",
              "status": "affected",
              "version": "14.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.4.57",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "11.5.51",
                  "versionStartIncluding": "11.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "12.4.46",
                  "versionStartIncluding": "12.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "13.4.31",
                  "versionStartIncluding": "13.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "14.3.3",
                  "versionStartIncluding": "14.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Ethan"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Oliver Hader"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Backend users with access to the Form Framework were able to use files not ending in \u003ccode\u003e.form.yaml\u003c/code\u003e as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2."
            }
          ],
          "value": "Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-15T12:46:13.287Z",
        "orgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
        "shortName": "TYPO3"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-019"
        },
        {
          "name": "Git commit of main branch",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/TYPO3/typo3/commit/50974c658f647f1aece347b5d6d5acc3c87f2dca"
        },
        {
          "name": "Git commit of 13.4 branch",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/TYPO3/typo3/commit/040d50d082a01f9e8bd113effd91290a9bb3b69e"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "TYPO3 CMS - Broken Access Control in Form Framework",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f4fb688c-4412-4426-b4b8-421ecf27b14a",
    "assignerShortName": "TYPO3",
    "cveId": "CVE-2026-11607",
    "datePublished": "2026-06-09T10:48:42.477Z",
    "dateReserved": "2026-06-08T15:41:55.470Z",
    "dateUpdated": "2026-07-15T12:46:13.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11600 (GCVE-0-2026-11600)

Vulnerability from cvelistv5 – Published: 2026-07-02 05:35 – Updated: 2026-07-02 15:54
VLAI
Title
Envo's Templates & Widgets for Elementor and WooCommerce <= 1.4.26 - Missing Authorization to Authenticated (Author+) Private Content Disclosure via Envo Tabs Widget 'templates' Setting
Summary
The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs (and Off Canvas) widget's template rendering in versions up to, and including, 1.4.26. The render() method of the Tabs widget passes a user-controlled template/post ID directly to Elementor's get_builder_content_for_display() without verifying the referenced post's status (published/private/draft) or the visitor's authorization to view it. This makes it possible for authenticated attackers, with Author-level access and above, to disclose the contents of private Elementor-driven pages and templates to anonymous visitors by configuring an Envo Tabs widget on a public post to reference the private content's ID (which can be supplied by editing the underlying Elementor widget JSON via the Elementor editor REST API).
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
Alessandro Greco (Aleff) Giovanbattista Ianni
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11600",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T14:01:03.986923Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T15:54:20.863Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Envo\u0027s Templates \u0026 Widgets for Elementor and WooCommerce",
          "vendor": "envothemes",
          "versions": [
            {
              "lessThanOrEqual": "1.4.26",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alessandro Greco (Aleff)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Giovanbattista Ianni"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Envo\u0027s Templates \u0026 Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs (and Off Canvas) widget\u0027s template rendering in versions up to, and including, 1.4.26. The render() method of the Tabs widget passes a user-controlled template/post ID directly to Elementor\u0027s get_builder_content_for_display() without verifying the referenced post\u0027s status (published/private/draft) or the visitor\u0027s authorization to view it. This makes it possible for authenticated attackers, with Author-level access and above, to disclose the contents of private Elementor-driven pages and templates to anonymous visitors by configuring an Envo Tabs widget on a public post to reference the private content\u0027s ID (which can be supplied by editing the underlying Elementor widget JSON via the Elementor editor REST API)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-02T05:35:01.383Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26100f1f-3224-486c-b4f9-7086d405a883?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/tabs/widgets/tabs.php#L1268"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/tabs/widgets/tabs.php#L103"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/off-canvas/widgets/off-canvas.php#L631"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/tabs/widgets/tabs.php#L1268"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/tabs/widgets/tabs.php#L103"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/off-canvas/widgets/off-canvas.php#L631"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3578489%40envo-elementor-for-woocommerce\u0026new=3578489%40envo-elementor-for-woocommerce\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-01T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Envo\u0027s Templates \u0026 Widgets for Elementor and WooCommerce \u003c= 1.4.26 - Missing Authorization to Authenticated (Author+) Private Content Disclosure via Envo Tabs Widget \u0027templates\u0027 Setting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-11600",
    "datePublished": "2026-07-02T05:35:01.383Z",
    "dateReserved": "2026-06-08T14:54:04.597Z",
    "dateUpdated": "2026-07-02T15:54:20.863Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11592 (GCVE-0-2026-11592)

Vulnerability from cvelistv5 – Published: 2026-07-02 05:35 – Updated: 2026-07-02 12:37
VLAI
Title
Email Subscribers & Newsletters <= 5.9.27 - Missing Authorization to Authenticated (Contributor+) Settings Modification via ig_es_handle_request AJAX Action
Summary
The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to overwrite plugin mail settings (from name and from email address), create audience lists, insert arbitrary contacts into those lists, create and overwrite newsletter broadcasts and post notifications, add workflows, and queue and dispatch mass email to arbitrary recipients.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Credits
Dmitrii Ignatyev
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11592",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T12:37:19.605541Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T12:37:28.997Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
          "vendor": "icegram",
          "versions": [
            {
              "lessThanOrEqual": "5.9.27",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dmitrii Ignatyev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to overwrite plugin mail settings (from name and from email address), create audience lists, insert arbitrary contacts into those lists, create and overwrite newsletter broadcasts and post notifications, add workflows, and queue and dispatch mass email to arbitrary recipients."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-02T05:35:13.163Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e70691-4de9-4b12-babf-bebe267a780b?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/admin/class-ig-es-onboarding.php#L171"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/admin/class-email-subscribers-admin.php#L216"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/includes/classes/class-es-newsletters.php#L717"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/includes/workflows/admin/class-es-workflow-admin-edit.php#L74"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/includes/class-email-subscribers-activator.php#L66"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/admin/class-ig-es-onboarding.php#L171"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/admin/class-email-subscribers-admin.php#L216"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/includes/classes/class-es-newsletters.php#L717"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/includes/workflows/admin/class-es-workflow-admin-edit.php#L74"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/includes/class-email-subscribers-activator.php#L66"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3584584%40email-subscribers\u0026new=3584584%40email-subscribers\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-08T14:08:40.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-01T17:17:38.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Email Subscribers \u0026 Newsletters \u003c= 5.9.27 - Missing Authorization to Authenticated (Contributor+) Settings Modification via ig_es_handle_request AJAX Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-11592",
    "datePublished": "2026-07-02T05:35:13.163Z",
    "dateReserved": "2026-06-08T13:53:29.969Z",
    "dateUpdated": "2026-07-02T12:37:28.997Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11398 (GCVE-0-2026-11398)

Vulnerability from cvelistv5 – Published: 2026-07-03 07:53 – Updated: 2026-07-06 12:35
VLAI
Title
LatePoint <= 5.6.1 - Missing Authorization to Unauthenticated Arbitrary Customer Data Modification via process_step_customer() Booking Form Customer Step
Summary
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the personally identifiable information (first name, last name, phone number, and notes) of any existing customer record, including those linked to administrator accounts, by submitting the booking form with a known customer's email address. Exploitation requires the plugin to be configured with guest bookings enabled (is_customer_auth_disabled() returning true), which is necessary for the vulnerable unauthenticated code path in process_step_customer() to be reached.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
hhhai
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11398",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-06T12:35:34.020052Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-06T12:35:45.413Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
          "vendor": "latepoint",
          "versions": [
            {
              "lessThanOrEqual": "5.6.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "hhhai"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the personally identifiable information (first name, last name, phone number, and notes) of any existing customer record, including those linked to administrator accounts, by submitting the booking form with a known customer\u0027s email address. Exploitation requires the plugin to be configured with guest bookings enabled (is_customer_auth_disabled() returning true), which is necessary for the vulnerable unauthenticated code path in process_step_customer() to be reached."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T07:53:10.377Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4dcedcc-2878-47b2-99f0-ecba2cc33b69?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.1/lib/helpers/steps_helper.php#L1980"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.1/lib/helpers/steps_helper.php#L1953"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.1/lib/helpers/steps_helper.php#L1892"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.1/lib/controllers/steps_controller.php#L22"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1980"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1953"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1892"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L22"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3572632%40latepoint\u0026new=3572632%40latepoint\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-05T16:45:30.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-02T19:22:32.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "LatePoint \u003c= 5.6.1 - Missing Authorization to Unauthenticated Arbitrary Customer Data Modification via process_step_customer() Booking Form Customer Step"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-11398",
    "datePublished": "2026-07-03T07:53:10.377Z",
    "dateReserved": "2026-06-05T16:30:18.829Z",
    "dateUpdated": "2026-07-06T12:35:45.413Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.