Total
7679 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0509 | 2 Sap, Sap Se | 4 Netweaver As Abap Kernel, Netweaver As Abap Krnl64nuc, Netweaver As Abap Krnl64uc and 1 more | 2026-02-17 | 9.6 Critical |
| SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application. | ||||
| CVE-2026-23681 | 2 Sap, Sap Se | 2 Solution Tools Plug-in, Sap Support Tools Plug-in | 2026-02-17 | 4.3 Medium |
| Due to missing authorization check in a function module in SAP Support Tools Plug-In, an authenticated attacker could invoke specific function modules to retrieve information about the system and its configuration. This disclosure of the system information could assist the attacker to plan subsequent attacks. This vulnerability has a low impact on the confidentiality of the application, with no effect on its integrity or availability. | ||||
| CVE-2026-23688 | 2 Sap, Sap Se | 2 S4core, Sap Fiori App (manage Service Entry Sheets - Lean Services) | 2026-02-17 | 4.3 Medium |
| SAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on integrity, confidentiality and availability are not impacted. | ||||
| CVE-2026-24312 | 1 Sap | 2 Business Workflow, Sap Basis | 2026-02-17 | 5.2 Medium |
| An erroneous authorization check in SAP Business Workflow leads to privilege escalation. An authenticated administrative user can bypass role restrictions by leveraging permissions from a less sensitive function to execute unauthorized, high-privilege actions. This has a high impact on data integrity, with low impact on confidentiality and no impact on availability of the application. | ||||
| CVE-2026-24322 | 2 Sap, Sap Se | 2 Solution Tools Plug-in, Sap Solution Tools Plug-in (st-pi) | 2026-02-17 | 7.7 High |
| SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability. | ||||
| CVE-2026-24326 | 2 Sap, Sap Se | 2 S\/4hana Defense \& Security, Sap S/4hana Defense & Security (disconnected Operations) | 2026-02-17 | 4.3 Medium |
| Due to a missing authorization check in the Disconnected Operations of the SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to do direct update on standard SAP database table . This results in low impact on integrity, with no impact on confidentiality or availability of the application. | ||||
| CVE-2026-24327 | 2 Sap, Sap Se | 2 Strategic Enterprise Management, Sap Strategic Enterprise Management (balanced Scorecard In Bsp Application) | 2026-02-17 | 4.3 Medium |
| Due to missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This leads to low impact on confidentiality and no effect on integrity or availability. | ||||
| CVE-2025-67737 | 1 Azuracast | 1 Azuracast | 2026-02-17 | 3.1 Low |
| AzuraCast is a self-hosted, all-in-one web radio management suite. Versions 0.23.1 mistakenly include an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station's operations can craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station. In order to carry out an attack, a malicious user would need to know a valid SFTP station username and the coordinating internal filesystem structure. This issue is fixed in version 0.23.2. | ||||
| CVE-2026-25531 | 1 Kanboard | 1 Kanboard | 2026-02-13 | 4.3 Medium |
| Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50. | ||||
| CVE-2025-30398 | 1 Microsoft | 3 Nuance Powerscribe, Nuance Powerscribe 360, Nuance Powerscribe One | 2026-02-13 | 8.1 High |
| Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-25939 | 1 Frangoteam | 1 Fuxa | 2026-02-13 | 9.1 Critical |
| FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11. | ||||
| CVE-2025-49723 | 1 Microsoft | 16 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 13 more | 2026-02-13 | 8.8 High |
| Missing authorization in Windows StateRepository API allows an authorized attacker to perform tampering locally. | ||||
| CVE-2025-50171 | 1 Microsoft | 12 Server, Windows, Windows 10 21h2 and 9 more | 2026-02-13 | 9.1 Critical |
| Missing authorization in Remote Desktop Server allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-14592 | 1 Gitlab | 1 Gitlab | 2026-02-13 | 3.7 Low |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint. | ||||
| CVE-2026-21743 | 1 Fortinet | 1 Fortiauthenticator | 2026-02-12 | 6.8 Medium |
| A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modification to local users via a file upload to an unprotected endpoint. | ||||
| CVE-2026-25806 | 2 Praskla-technology, Prasklatechnology | 2 Assessment-placipy, Placipy | 2026-02-11 | 6.5 Medium |
| PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do not enforce authorization. The application does not verify whether the authenticated user owns the student record being accessed, has an administrative / staff role, or is permitted to modify or delete the target student. | ||||
| CVE-2026-25810 | 2 Praskla-technology, Prasklatechnology | 2 Assessment-placipy, Placipy | 2026-02-11 | 9.1 Critical |
| PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). | ||||
| CVE-2026-25876 | 2 Praskla-technology, Prasklatechnology | 2 Assessment-placipy, Placipy | 2026-02-11 | 9.1 Critical |
| PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). For example, this can be used to return all results for an assessment. | ||||
| CVE-2025-70983 | 2 Bladex, Springblade Project | 2 Springblade, Springblade | 2026-02-11 | 9.9 Critical |
| Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges. | ||||
| CVE-2025-52024 | 1 Aptsys | 2 Gemscms Backend, Pos Platform Web Services | 2026-02-11 | 9.4 Critical |
| A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries. | ||||