The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
8,140 vulnerabilities with CWE-862
CVE-2026-44329
CRITICAL
free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers
CVSS 10.0
CVE-2026-44328
HIGH
free5GC: SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating
CVSS 8.2
CVE-2026-44327
CRITICAL
free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler
CVSS 10.0
CVE-2026-44326
CRITICAL
free5GC: NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions
CVSS 9.4
CVE-2026-44321
HIGH
free5GC: SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf)
CVSS 7.5
CVE-2026-44320
HIGH
free5GC: NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path
CVSS 7.3
CVE-2026-44315
CRITICAL
free5GC: NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions
CVSS 9.4
CVE-2026-42083
HIGH
free5GC: PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI
CVSS 8.2
CVE-2026-49053
MEDIUM
WordPress ElementsKit Elementor addons Lite plugin <= 3.9.6 - Broken Access Control vulnerability
CVSS 5.3
CVE-2026-49052
MEDIUM
WordPress ElementsKit Elementor addons Lite plugin <= 3.9.6 - Broken Access Control vulnerability
CVSS 4.3
CVE-2026-49051
MEDIUM
WordPress WP Meta and Date Remover plugin <= 2.3.6 - Broken Access Control vulnerability
CVSS 4.3
CVE-2026-49047
MEDIUM
WordPress DearFlip plugin <= 2.4.27 - Broken Access Control vulnerability
CVSS 4.3
CVE-2026-49045
MEDIUM
WordPress Adminimize plugin <= 1.11.11 - Broken Access Control vulnerability
CVSS 4.3
CVE-2026-48973
MEDIUM
WordPress SVG Support plugin <= 2.5.14 - Broken Access Control vulnerability
CVSS 4.3
CVE-2026-31266
HIGH
Craft CMS <= 5.9.5 - Missing Authorization in Migrate Endpoint
CVSS 7.3
CVE-2026-48971
MEDIUM
WordPress Product Import Export for WooCommerce plugin <= 2.5.6 - Broken Access Control vulnerability
CVSS 4.3
CVE-2026-42753
HIGH
WordPress WCFM Membership plugin <= 2.11.10 - Broken Access Control vulnerability
CVSS 7.3
CVE-2026-42726
MEDIUM
WordPress AWP Classifieds plugin <= 4.4.5 - Broken Access Control vulnerability
CVSS 6.5
CVE-2026-3897
MEDIUM
Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Missing Authorization
CVSS 6.4
CVE-2026-3896
MEDIUM
Livemesh SiteOrigin Widgets <= 3.9.2 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS 6.4
CVE-2026-3895
MEDIUM
WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS 6.4
CVE-2026-3279
MEDIUM
Enable jQuery Migrate Helper <= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade
CVSS 6.5
CVE-2026-9014
MEDIUM
WP Promoter <= 1.3 - Missing Authorization to Unauthenticated Statistics Reset via wpp-reset_stats AJAX Action
CVSS 5.3
CVE-2026-9603
MEDIUM
SourceCodester eDoc Doctor Appointment System delete-session.php authorization
CVSS 6.5
CVE-2026-9582
MEDIUM
SourceCodester CET Automated Grading System with AI Predictive Analytics cross-site request forgery
CVSS 4.3
Details
Vulnerabilities: 8,140
Exploit Likelihood: High