Tutor LMS plugin for WordPress up to version 3.9.7 allows authenticated subscribers to enroll in private courses due to missing post_status validation in enrollment functions, exposing private course metadata in user dashboards despite WordPress core preventing actual content access. The vulnerability requires subscriber-level authentication but affects confidentiality and integrity, with confirmed patches available in version 3.9.8.
Critical authorization bypass in goshs (Go-based HTTP server) versions prior to 2.0.0-beta.4 allows unauthenticated attackers to upload, delete, and modify files in directories protected by .goshs ACL configurations. Attackers can execute state-changing operations (PUT uploads, POST /upload, directory creation via ?mkdir, file deletion via ?delete) without credentials, bypassing documented per-folder authentication mechanisms. Deleting the .goshs file itself removes authentication policies, enabling unrestricted access to previously protected content. Affects confidentiality, integrity, and availability of protected resources. No public exploit identified at time of analysis.
Authentication bypass in TREK collaborative travel planner (versions prior to 2.7.2) allows authenticated attackers with low privileges to access and modify trip photos without proper authorization. The missing authorization checks on Immich trip photo management routes enable unauthorized data access (high confidentiality impact) and limited integrity compromise. Exploitation requires authenticated access but no user interaction, and is possible remotely over the network with low attack complexity.
Chamilo LMS REST API endpoint get_user_info_from_username fails to authorize requests, exposing personal information (email, names, user ID, active status) to any authenticated user regardless of role prior to version 1.11.38. An attacker with valid login credentials, including a student account, can enumerate and retrieve sensitive user data for any account in the system.
OpenClaw before version 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing authenticated leaf subagents to bypass access control and message child sessions beyond their authorized scope. An authenticated attacker with subagent privileges can exploit this via the send action to communicate with restricted child sessions without proper validation, resulting in unauthorized inter-session message relay. No public exploit code has been identified, but the vulnerability has a moderate CVSS score of 4.3 reflecting the integrity impact and low attack complexity.
Insufficient access control in OpenClaw Gateway agent allows authenticated attackers with operator.write permission to reset admin sessions without operator.admin authorization. By invoking /reset or /new endpoints with explicit sessionKey parameters, attackers bypass privilege requirements and terminate arbitrary administrative sessions, achieving high-impact session hijacking. Affects OpenClaw versions prior to 2026.3.23. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.24 allows authenticated operator.write-scoped clients to escalate privileges and modify channel authorization policies normally restricted to operator.admin scope through improper scope re-validation in the /allowlist command. Attackers with write-level permissions can exploit the chat.send function to construct an internal command-authorized context and persist unauthorized changes to channel allowFrom and groupAllowFrom policies, effectively bypassing access control mechanisms.
OpenClaw before version 2026.3.24 fails to enforce authorization checks in the /send and /allowlist chat command handlers, allowing authenticated users with operator.write scope to bypass owner-only restrictions and modify session delivery policies and allowlist configurations. Attackers can persistently alter sendPolicy settings and add entries to allowlists without proper admin authorization, resulting in integrity and availability impacts within the affected session.
Vikunja task authorization bypass in CalDAV allows authenticated users to read arbitrary task details from any project by knowing a task UID, bypassing REST API permission checks. The GetResource and GetResourcesByList CalDAV methods query tasks by UID without verifying the authenticated user has project access, enabling information disclosure of task titles, descriptions, due dates, and other metadata across organizational boundaries in multi-tenant deployments. Patch available in v2.3.0.
Missing authorization in Gravity SMTP plugin for WordPress (versions ≤2.1.4) allows authenticated attackers with subscriber-level privileges to uninstall the plugin, deactivate functionality, and delete configuration options. Exploitable via direct API calls or CSRF attack vectors. Affects Gravity SMTP by Rocketgenius. Successful exploitation enables low-privileged users to disable critical SMTP mail delivery functionality and remove plugin settings without proper permission checks. No public exploit identified at time of analysis.