Bogdan Rotariu

1 exploit Active since May 2026
CVE-2026-29204 NOMISEC CRITICAL WRITEUP
WHMCS 7.4.0-18.12.1, 18.13.0-18.13.2, 9.0.0-9.0.3 - Authorization Bypass via clientarea.php addonId
An insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user's `addonId` without any ownership validation, leading to unauthorized access to the victim's account.
CVSS 9.1