Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3235 vulnerabilities reference this CWE, most recent first.

CVE-2025-14881 (GCVE-0-2025-14881)

Vulnerability from cvelistv5 – Published: 2025-12-19 12:24 – Updated: 2025-12-19 12:58
VLAI
Title
Insecure direct object reference
Summary
Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
pretix pretix Affected: 1.0.0 , < 2025.8.0 (python)
Affected: 2025.8.0 , < 2025.9.0 (python)
Affected: 2025.9.0 , < 2025.10.0 (python)
Affected: 2025.10.0 , < 2025.11.0 (python)
Create a notification for this product.
Credits
Deniz Parlak (https://github.com/DenizParlak)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14881",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-19T12:58:00.895498Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-19T12:58:15.508Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/",
          "defaultStatus": "unaffected",
          "packageName": "pretix",
          "product": "pretix",
          "repo": "https://github.com/pretix/pretix",
          "vendor": "pretix",
          "versions": [
            {
              "lessThan": "2025.8.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "python"
            },
            {
              "changes": [
                {
                  "at": "2025.8.3",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2025.9.0",
              "status": "affected",
              "version": "2025.8.0",
              "versionType": "python"
            },
            {
              "changes": [
                {
                  "at": "2025.9.3",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2025.10.0",
              "status": "affected",
              "version": "2025.9.0",
              "versionType": "python"
            },
            {
              "changes": [
                {
                  "at": "2025.10.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2025.11.0",
              "status": "affected",
              "version": "2025.10.0",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Deniz Parlak (https://github.com/DenizParlak)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
            }
          ],
          "value": "Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-19T12:24:10.523Z",
        "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "shortName": "rami.io"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://pretix.eu/about/en/blog/20251218-release-2025-10-1/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Insecure direct object reference",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
    "assignerShortName": "rami.io",
    "cveId": "CVE-2025-14881",
    "datePublished": "2025-12-19T12:24:10.523Z",
    "dateReserved": "2025-12-18T11:48:11.819Z",
    "dateUpdated": "2025-12-19T12:58:15.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14844 (GCVE-0-2025-14844)

Vulnerability from cvelistv5 – Published: 2026-01-16 09:23 – Updated: 2026-04-08 16:35
VLAI
Title
Membership Plugin – Restrict Content <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure
Summary
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
stellarwp Membership Plugin – Restrict Content Affected: 0 , ≤ 3.2.16 (semver)
Create a notification for this product.
Credits
andrea bocchetti
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14844",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-16T12:48:39.518455Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-16T12:50:27.771Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Membership Plugin \u2013 Restrict Content",
          "vendor": "stellarwp",
          "versions": [
            {
              "lessThanOrEqual": "3.2.16",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "andrea bocchetti"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Membership Plugin \u2013 Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the \u0027rcp_stripe_create_setup_intent_for_saved_card\u0027 function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:35:02.041Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L848"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L987"
        },
        {
          "url": "https://docs.stripe.com/api/setup_intents/object"
        },
        {
          "url": "https://cwe.mitre.org/data/definitions/639.html"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-17T18:50:59.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-01-15T20:39:14.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Membership Plugin \u2013 Restrict Content \u003c= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14844",
    "datePublished": "2026-01-16T09:23:46.932Z",
    "dateReserved": "2025-12-17T18:34:48.898Z",
    "dateUpdated": "2026-04-08T16:35:02.041Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14802 (GCVE-0-2025-14802)

Vulnerability from cvelistv5 – Published: 2026-01-07 07:17 – Updated: 2026-04-08 17:05
VLAI
Title
LearnPress – WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion
Summary
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Deniz Mert
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14802",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-07T14:50:45.348178Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-07T16:13:20.829Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses",
          "vendor": "thimpress",
          "versions": [
            {
              "lessThanOrEqual": "4.3.2.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Deniz Mert"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The LearnPress \u2013 WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher\u0027s file_id."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:05:15.500Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/884c4508-1ee1-4384-9fc2-29e2c9042426?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L527"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L405"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L77"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.3/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L403"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-16T21:05:46.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-01-06T18:42:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "LearnPress \u2013 WordPress LMS Plugin \u003c= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14802",
    "datePublished": "2026-01-07T07:17:33.170Z",
    "dateReserved": "2025-12-16T20:58:27.037Z",
    "dateUpdated": "2026-04-08T17:05:15.500Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14772 (GCVE-0-2025-14772)

Vulnerability from cvelistv5 – Published: 2026-06-03 09:25 – Updated: 2026-06-03 12:49
VLAI
Title
Broken Access Control in ABB T-MAC Plus web application
Summary
Authorization bypass through User-Controlled key vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
ABB
Impacted products
Vendor Product Version
ABB T-MAC Plus Affected: 4.0-24
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14772",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T12:47:39.611706Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T12:49:14.950Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "T-MAC Plus",
          "vendor": "ABB",
          "versions": [
            {
              "status": "affected",
              "version": "4.0-24"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization bypass through User-Controlled key vulnerability in ABB T-MAC Plus.\u003cp\u003eThis issue affects T-MAC Plus: 4.0-24.\u003c/p\u003e"
            }
          ],
          "value": "Authorization bypass through User-Controlled key vulnerability in ABB T-MAC Plus.\n\nThis issue affects T-MAC Plus: 4.0-24."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-03T09:25:56.511Z",
        "orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
        "shortName": "ABB"
      },
      "references": [
        {
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A7840\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Broken Access Control in ABB T-MAC Plus web application",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
    "assignerShortName": "ABB",
    "cveId": "CVE-2025-14772",
    "datePublished": "2026-06-03T09:25:56.511Z",
    "dateReserved": "2025-12-16T03:47:13.359Z",
    "dateUpdated": "2026-06-03T12:49:14.950Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14742 (GCVE-0-2025-14742)

Vulnerability from cvelistv5 – Published: 2026-02-25 09:26 – Updated: 2026-04-08 16:36
VLAI
Title
WP Recipe Maker <= 10.2.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive recipe information including draft, pending, and private recipes that they shouldn't be able to access.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
brechtvds WP Recipe Maker Affected: 0 , ≤ 10.2.3 (semver)
Create a notification for this product.
Credits
Abhinav Jaswal
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14742",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T16:33:34.211437Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-25T16:33:45.643Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP Recipe Maker",
          "vendor": "brechtvds",
          "versions": [
            {
              "lessThanOrEqual": "10.2.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Abhinav Jaswal"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027ajax_search_recipes\u0027 and \u0027ajax_get_recipe\u0027 functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive recipe information including draft, pending, and private recipes that they shouldn\u0027t be able to access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:36:07.011Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10c17e74-dced-483e-bcaf-00ff5b11059c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-manager.php#L47"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-manager.php#L46"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-manager.php#L161"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-manager.php#L301"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3440361/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-manager.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-15T19:25:38.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-02-24T21:09:18.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Recipe Maker \u003c= 10.2.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14742",
    "datePublished": "2026-02-25T09:26:50.441Z",
    "dateReserved": "2025-12-15T19:09:55.527Z",
    "dateUpdated": "2026-04-08T16:36:07.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14594 (GCVE-0-2025-14594)

Vulnerability from cvelistv5 – Published: 2026-02-11 11:34 – Updated: 2026-02-11 15:17
VLAI
Title
Authorization Bypass Through User-Controlled Key in GitLab
Summary
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to view certain pipeline values by querying the API.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
URL Tags
https://gitlab.com/gitlab-org/gitlab/-/issues/583967 issue-trackingpermissions-required
https://hackerone.com/reports/3457591 technical-descriptionexploitpermissions-required
https://about.gitlab.com/releases/2026/02/10/patc…
Impacted products
Vendor Product Version
GitLab GitLab Affected: 17.11 , < 18.6.6 (semver)
Affected: 18.7 , < 18.7.4 (semver)
Affected: 18.8 , < 18.8.4 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Thanks [sndd](https://hackerone.com/sndd) for reporting this vulnerability through our HackerOne bug bounty program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14594",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T15:17:08.503125Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T15:17:25.802Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "18.6.6",
              "status": "affected",
              "version": "17.11",
              "versionType": "semver"
            },
            {
              "lessThan": "18.7.4",
              "status": "affected",
              "version": "18.7",
              "versionType": "semver"
            },
            {
              "lessThan": "18.8.4",
              "status": "affected",
              "version": "18.8",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [sndd](https://hackerone.com/sndd) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to view certain pipeline values by querying the API."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-11T11:34:06.815Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #583967",
          "tags": [
            "issue-tracking",
            "permissions-required"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/583967"
        },
        {
          "name": "HackerOne Bug Bounty Report #3457591",
          "tags": [
            "technical-description",
            "exploit",
            "permissions-required"
          ],
          "url": "https://hackerone.com/reports/3457591"
        },
        {
          "url": "https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 18.6.6, 18.7.4, 18.8.4 or above."
        }
      ],
      "title": "Authorization Bypass Through User-Controlled Key in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2025-14594",
    "datePublished": "2026-02-11T11:34:06.815Z",
    "dateReserved": "2025-12-12T16:33:35.449Z",
    "dateUpdated": "2026-02-11T15:17:25.802Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14459 (GCVE-0-2025-14459)

Vulnerability from cvelistv5 – Published: 2026-01-26 19:36 – Updated: 2026-07-15 01:27
VLAI
Title
Virt-cdi-controller: unauthorized pvc cloning via dataimportcron
Summary
A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-5 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-4 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-3 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17.rhel9-82 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-7 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-6 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-85 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-9 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-11 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-19 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-88 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-8 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat RHEL-9-CNV-4.19 Unaffected: v4.19.17-12 , < * (rpm)
    cpe:/a:redhat:container_native_virtualization:4.19::el9
Create a notification for this product.
Red Hat Red Hat OpenShift Virtualization 4     cpe:/a:redhat:container_native_virtualization:4
Create a notification for this product.
Date Public
2026-01-08 10:10
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14459",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-26T21:01:20.724005Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-26T21:01:36.393Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/aaq-controller-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/aaq-operator-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/aaq-server-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/bridge-marker-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/cluster-network-addons-operator-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/cnv-containernetworking-plugins-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-4",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/cnv-must-gather-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-3",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/hco-bundle-registry-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17.rhel9-82",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/hostpath-csi-driver-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-4",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/hostpath-provisioner-operator-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-4",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/hostpath-provisioner-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-4",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/hyperconverged-cluster-operator-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-7",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/hyperconverged-cluster-webhook-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-7",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubemacpool-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubesecondarydns-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-api-lifecycle-automation-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-apiserver-proxy-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-6",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-common-instancetypes-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-console-plugin-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-85",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-dpdk-checkup-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-ipam-controller-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-realtime-checkup-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-ssp-operator-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-storage-checkup-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-tekton-tasks-create-datavolume-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-11",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/kubevirt-template-validator-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/libguestfs-tools-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/multus-dynamic-networks-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/ocp-virt-validation-checkup-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-19",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/ovs-cni-plugin-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/passt-network-binding-plugin-cni-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/passt-network-binding-plugin-sidecar-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/pr-helper-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/sidecar-shim-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-88",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-api-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-artifacts-server-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-8",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-cdi-apiserver-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-8",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-cdi-cloner-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-8",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-cdi-controller-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-7",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-cdi-importer-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-7",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-cdi-operator-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-7",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-cdi-uploadproxy-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-8",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-cdi-uploadserver-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-8",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-controller-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-exportproxy-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-exportserver-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-handler-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virtio-win-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-4",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-launcher-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/virt-operator-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-12",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/vm-console-proxy-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/vm-network-latency-checkup-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4.19::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "container-native-virtualization/wasp-agent-rhel9",
            "product": "RHEL-9-CNV-4.19",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "v4.19.17-5",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:container_native_virtualization:4"
            ],
            "defaultStatus": "unaffected",
            "packageName": "container-native-virtualization/virt-cdi-controller",
            "product": "Red Hat OpenShift Virtualization 4",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-01-08T10:10:00.000Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-639",
                "description": "Authorization Bypass Through User-Controlled Key",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T01:27:15.318Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2025-14459"
          },
          {
            "name": "RHBZ#2420938",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2420938"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14459.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:0950"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:0950: CNV 4.19 for RHEL 9"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-12-10T00:00:00.000Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-01-08T10:10:00.000Z",
            "value": "Made public."
          }
        ],
        "title": "virt-cdi-controller: Unauthorized PVC Cloning via DataImportCron",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/aaq-controller-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/aaq-operator-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/aaq-server-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/bridge-marker-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/cluster-network-addons-operator-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/cnv-containernetworking-plugins-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/cnv-must-gather-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/hco-bundle-registry-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17.rhel9-82",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/hostpath-csi-driver-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/hostpath-provisioner-operator-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/hostpath-provisioner-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/hyperconverged-cluster-operator-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/hyperconverged-cluster-webhook-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubemacpool-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubesecondarydns-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-api-lifecycle-automation-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-apiserver-proxy-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-common-instancetypes-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-console-plugin-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-85",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-dpdk-checkup-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-ipam-controller-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-realtime-checkup-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-ssp-operator-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-storage-checkup-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-tekton-tasks-create-datavolume-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-11",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/kubevirt-template-validator-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/libguestfs-tools-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/multus-dynamic-networks-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/ocp-virt-validation-checkup-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-19",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/ovs-cni-plugin-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/passt-network-binding-plugin-cni-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/passt-network-binding-plugin-sidecar-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/pr-helper-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/sidecar-shim-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-88",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-api-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-artifacts-server-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-cdi-apiserver-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-cdi-cloner-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-cdi-controller-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-cdi-importer-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-cdi-operator-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-cdi-uploadproxy-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-cdi-uploadserver-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-controller-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportproxy-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-exportserver-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-handler-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virtio-win-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-launcher-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/virt-operator-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-12",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/vm-console-proxy-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/vm-network-latency-checkup-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4.19::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "container-native-virtualization/wasp-agent-rhel9",
          "product": "RHEL-9-CNV-4.19",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "v4.19.17-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:container_native_virtualization:4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "container-native-virtualization/virt-cdi-controller",
          "product": "Red Hat OpenShift Virtualization 4",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2026-01-08T10:10:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-26T19:36:29.709Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2026:0950",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2026:0950"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-14459"
        },
        {
          "name": "RHBZ#2420938",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2420938"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-10T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-01-08T10:10:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Virt-cdi-controller: unauthorized pvc cloning via dataimportcron",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-14459",
    "datePublished": "2026-01-26T19:36:29.709Z",
    "dateReserved": "2025-12-10T15:18:02.606Z",
    "dateUpdated": "2026-07-15T01:27:15.318Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14356 (GCVE-0-2025-14356)

Vulnerability from cvelistv5 – Published: 2025-12-12 06:32 – Updated: 2026-04-08 16:47
VLAI
Title
Ultra Addons for Contact Form 7 <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF
Summary
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and get form submission PDF, when the "PDF Generator" and the "Database" addons are enabled (disabled by default).
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
themefic Ultra Addons for Contact Form 7 Affected: 0 , ≤ 3.5.33 (semver)
Create a notification for this product.
Credits
Angus Girvan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14356",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-12T20:30:30.463601Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-12T20:30:42.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Ultra Addons for Contact Form 7",
          "vendor": "themefic",
          "versions": [
            {
              "lessThanOrEqual": "3.5.33",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Angus Girvan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027uacf7_get_generated_pdf\u0027 function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and get form submission PDF, when the \"PDF Generator\" and the \"Database\" addons are enabled (disabled by default)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:47:07.182Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3af9ece0-1556-4457-87ee-343daec5e74f?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L316"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L321"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L341"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L53"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3417590/ultimate-addons-for-contact-form-7"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-10T12:25:01.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-12-11T17:40:29.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Ultra Addons for Contact Form 7 \u003c= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14356",
    "datePublished": "2025-12-12T06:32:57.656Z",
    "dateReserved": "2025-12-09T16:40:32.811Z",
    "dateUpdated": "2026-04-08T16:47:07.182Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14101 (GCVE-0-2025-14101)

Vulnerability from cvelistv5 – Published: 2025-12-17 09:11 – Updated: 2026-06-04 06:28
VLAI
Title
IDOR in GG Soft's PaperWork
Summary
Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers. This issue affects PaperWork: from 5.2.0.9427 before 6.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Vendor Product Version
GG Soft Software Services Inc. PaperWork Affected: 5.2.0.9427 , < 6.0 (custom)
Create a notification for this product.
Date Public
2025-12-17 09:06
Credits
Furkan YILDIZ Fatih KIRDAR
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14101",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-17T18:05:22.207292Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-17T18:36:19.785Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PaperWork",
          "vendor": "GG Soft Software Services Inc.",
          "versions": [
            {
              "lessThan": "6.0",
              "status": "affected",
              "version": "5.2.0.9427",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Furkan YILDIZ"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Fatih KIRDAR"
        }
      ],
      "datePublic": "2025-12-17T09:06:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers.\u003cp\u003eThis issue affects PaperWork: from 5.2.0.9427 before 6.0.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers.\n\nThis issue affects PaperWork: from 5.2.0.9427 before 6.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T06:28:35.866Z",
        "orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
        "shortName": "TR-CERT"
      },
      "references": [
        {
          "tags": [
            "government-resource",
            "broken-link"
          ],
          "url": "https://www.usom.gov.tr/bildirim/tr-25-0464"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0464"
        }
      ],
      "source": {
        "advisory": "TR-25-0464",
        "defect": [
          "TR-25-0464"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "IDOR in GG Soft\u0027s PaperWork",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
    "assignerShortName": "TR-CERT",
    "cveId": "CVE-2025-14101",
    "datePublished": "2025-12-17T09:11:33.139Z",
    "dateReserved": "2025-12-05T13:53:58.531Z",
    "dateUpdated": "2026-06-04T06:28:35.866Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14033 (GCVE-0-2025-14033)

Vulnerability from cvelistv5 – Published: 2026-05-13 05:29 – Updated: 2026-05-13 10:20
VLAI
Title
ilGhera Support System for WooCommerce <= 1.3.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure
Summary
The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ticket_content_callback' function in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to view any support ticket content, including sensitive customer information and private communications, by providing a ticket ID.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
ghera74 ilGhera Support System for WooCommerce Affected: 0 , ≤ 1.3.0 (semver)
Create a notification for this product.
Credits
Md. Moniruzzaman Prodhan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14033",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T10:06:16.530436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T10:20:56.843Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ilGhera Support System for WooCommerce",
          "vendor": "ghera74",
          "versions": [
            {
              "lessThanOrEqual": "1.3.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Md. Moniruzzaman Prodhan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027get_ticket_content_callback\u0027 function in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to view any support ticket content, including sensitive customer information and private communications, by providing a ticket ID."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T05:29:36.689Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40ceea17-ec60-4775-8495-e2f7643d1b7c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L68"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L68"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L643"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L643"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.3.1/includes/class-wc-support-system.php#L780"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-12T18:27:32.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-12T17:11:52.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "ilGhera Support System for WooCommerce \u003c= 1.3.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14033",
    "datePublished": "2026-05-13T05:29:36.689Z",
    "dateReserved": "2025-12-04T14:59:13.237Z",
    "dateUpdated": "2026-05-13T10:20:56.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.