4550 matches found

Patchstack
added 2026/02/06 12:23 a.m. | 7 views

WordPress Timeline Block plugin <= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute vulnerability

Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Timeline Block versions <= 1.3.3...

CVSS 4.3 | AI score 5.4 | EPSS 0.00178
Exploits 0 | References 1 | Affected Software 1
CNNVD
added 2026/02/06 12:00 a.m. | 6 views

Spree security vulnerability

Spree is an open-source e-commerce platform developed using Ruby on Rails by an individual developer. Vulnerabilities exist in versions prior to Spree 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2. These vulnerabilities stem from insecure direct object references within the checkout process, which could...

CVSS 8.7 | AI score 5.8 | EPSS 0.00599
Exploits 1 | References 11
CNNVD
added 2026/02/06 12:00 a.m. | 7 views

Payload security vulnerability

Payload is a headless CMS and application framework built using TypeScript, Node.js, React, and MongoDB. Versions of Payload prior to 3.74.0 have a security vulnerability. This vulnerability stems from an insecure direct object reference within the payload-preferences collection. In environments...

CVSS 5.4 | AI score 5.8 | EPSS 0.00193
Exploits 0 | References 2
NVD
added 2026/02/05 10:16 a.m. | 6 views

CVE-2026-1271

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outsi...

CVSS 5.3 | EPSS 0.00315
Exploits 0 | References 6
Vulnrichment
added 2026/02/05 9:13 a.m. | 8 views

CVE-2026-1271 ProfileGrid <= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outsi...

CVSS 5.3 | AI score 5.4 | EPSS 0.00315
Exploits 0 | References 6
CVE
added 2026/02/05 9:13 a.m. | 16 views

CVE-2026-1271

The CVE concerns the ProfileGrid – User Profiles, Groups and Communities WordPress plugin. It affects all versions up to 5.9.7.2 and enables Insecure Direct Object Reference via the pm_upload_image and pm_upload_cover_image AJAX actions. The root cause is update_user_meta() being called outside t...

CVSS 5.3 | AI score 5.3 | EPSS 0.00315
Exploits 0 | References 6
CNNVD
added 2026/02/05 12:00 a.m. | 7 views

WordPress plugin ProfileGrid security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVSS 5.3 | AI score 5.8 | EPSS 0.00315
Exploits 0 | References 6
Packet Storm
added 2026/02/05 12:00 a.m. | 136 views

Online Admission Software 2.6 Insecure Direct Object Reference

Online Admission Software version 2.6 suffers from an insecure direct object reference vulnerability. | Title : Online Admission Software 2.6 IDOR...

AI score 5.3
Exploits 0
RedhatCVE
added 2026/02/04 1:20 p.m. | 6 views

CVE-2026-1664

Summary: An Insecure Direct Object Reference has been found to exist in the createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin...

CVSS 6.9 | AI score 5.6 | EPSS 0.00366
Exploits 0 | References 1
RedhatCVE
added 2026/02/04 1:20 p.m. | 5 views

CVE-2026-0909

The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the wpulikedeletehistoryapi AJAX action not verifying that the log entry being deleted belongs to the current user. This makes it possible for...

CVSS 5.3 | AI score 5.5 | EPSS 0.00338
Exploits 0 | References 1
NVD
added 2026/02/03 6:16 p.m. | 10 views

CVE-2026-24773

The Open eClass platform, formerly known as GUnet eClass, is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user...

CVSS 7.5 | EPSS 0.00352
Exploits 1 | References 1
EUVD
added 2026/02/03 4:57 p.m. | 6 views

EUVD-2026-5232

The Open eClass platform, formerly known as GUnet eClass, is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user...

CVSS 7.5 | AI score 5.4 | EPSS 0.00352
Exploits 1 | References 1
CVE
added 2026/02/03 4:57 p.m. | 11 views

CVE-2026-24773

The Open eClass platform (formerly GUnet eClass) before version 4.2 is affected by an Insecure Direct Object Reference (IDOR) that allows unauthenticated remote attackers to access other users' personal files by requesting predictable user identifiers. Root cause: insufficient authorization check...

CVSS 7.5 | AI score 5.4 | EPSS 0.00352
Exploits 1 | References 1 | Affected Software 1
Cvelist
added 2026/02/03 4:57 p.m. | 31 views

CVE-2026-24773 Open eClass Unauthenticated IDOR Allows Access to Arbitrary User Files

The Open eClass platform, formerly known as GUnet eClass, is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user...

CVSS 7.5 | EPSS 0.00352
Exploits 1 | References 1
ATTACKERKB
added 2026/02/03 4:57 p.m. | 4 views

CVE-2026-24773

The Open eClass platform, formerly known as GUnet eClass, is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user...

CVSS 7.5 | AI score 5.4 | EPSS 0.00352
Exploits 1 | References 2 | Affected Software 1
Vulnrichment
added 2026/02/03 4:57 p.m. | 6 views

CVE-2026-24773 Open eClass Unauthenticated IDOR Allows Access to Arbitrary User Files

The Open eClass platform, formerly known as GUnet eClass, is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user...

CVSS 7.5 | AI score 5.4 | EPSS 0.00352
Exploits 1 | References 1
OSV
added 2026/02/03 4:57 p.m. | 4 views

CVE-2026-24773 Open eClass Unauthenticated IDOR Allows Access to Arbitrary User Files

The Open eClass platform, formerly known as GUnet eClass, is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user...

CVSS 7.5 | AI score 5.5 | EPSS 0.00352
Exploits 1 | References 3
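The WP ULike (CVE-2026-0909) and Open eClass (CVE-2026-24773) entries above describe the same defect: a user-supplied, predictable object id is used directly as the lookup key, and the handler never checks that the caller owns the object (or, in the Open eClass case, is even logged in). The following is an added example, not code from WP ULike, Open eClass or any other project in this listing: a vulnerable "delete history entry" handler beside its hardened form, and the enumeration probe a tester runs to detect the gap. All entries, user ids and the store itself are constructed in memory.

```python
# Added example (not code from any project listed above): object-level
# authorization behind these IDOR entries, vulnerable vs hardened, plus the
# enumeration check used to detect it. All data below is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class LogEntry:
    entry_id: int   # sequential, hence predictable
    owner_id: int   # user who created the entry
    text: str


class Forbidden(Exception):
    """Caller is not allowed to perform the action."""


class NotFound(Exception):
    """No entry visible to the caller under that id."""


def sample_store() -> Dict[int, LogEntry]:
    """Constructed data: entries 1-3 belong to user 100, entry 4 to user 200."""
    return {
        1: LogEntry(1, 100, "liked post 7"),
        2: LogEntry(2, 100, "liked post 9"),
        3: LogEntry(3, 100, "liked comment 41"),
        4: LogEntry(4, 200, "liked post 12"),
    }


Handler = Callable[[Dict[int, LogEntry], Optional[int], int], bool]


def delete_history_vulnerable(store: Dict[int, LogEntry],
                              current_user: Optional[int], entry_id: int) -> bool:
    """Vulnerable pattern: the id from the request is used directly as the
    key; nobody checks who is asking or who owns the entry."""
    if entry_id not in store:
        raise NotFound(entry_id)
    del store[entry_id]
    return True


def delete_history_hardened(store: Dict[int, LogEntry],
                            current_user: Optional[int], entry_id: int) -> bool:
    """Hardened pattern: require a session, load the object, verify ownership,
    then act. Missing and not-yours both map to NotFound so an enumerating
    attacker cannot use the error to learn which ids exist."""
    if current_user is None:
        raise Forbidden("authentication required")
    entry = store.get(entry_id)
    if entry is None or entry.owner_id != current_user:
        raise NotFound(entry_id)
    del store[entry_id]
    return True


def probe_idor(handler: Handler, store: Dict[int, LogEntry],
               current_user: Optional[int], id_range: Iterable[int]) -> List[int]:
    """Detection: as current_user, try every id in id_range against a fresh
    copy of the store and return the ids the handler let us delete."""
    hits: List[int] = []
    for eid in id_range:
        trial = dict(store)          # fresh copy so one deletion does not mask the next
        try:
            if handler(trial, current_user, eid):
                hits.append(eid)
        except (Forbidden, NotFound):
            pass
    return hits


def foreign_deletions(handler: Handler, store: Dict[int, LogEntry],
                      current_user: Optional[int], id_range: Iterable[int]) -> List[int]:
    """The finding: ids probe_idor could delete that current_user does not own."""
    owned = {e.entry_id for e in store.values() if e.owner_id == current_user}
    return [eid for eid in probe_idor(handler, store, current_user, id_range)
            if eid not in owned]


if __name__ == "__main__":
    s = sample_store()
    print("vulnerable, user 200:", foreign_deletions(delete_history_vulnerable, s, 200, range(1, 6)))
    print("hardened,   user 200:", foreign_deletions(delete_history_hardened, s, 200, range(1, 6)))
    print("vulnerable, no login:", foreign_deletions(delete_history_vulnerable, s, None, range(1, 6)))
```

Run as user 200, the vulnerable handler deletes entries 1 through 3 that belong to user 100 (and with no session at all it deletes everything, which is the Open eClass shape), while the hardened handler only ever touches entry 4. The ownership check must sit on the loaded object, not on the request parameter; checking "is logged in" alone, as the ProfileGrid and WP ULike entries show, is not enough.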
CVE
added 2026/02/03 2:08 p.m. | 9 views

CVE-2026-24991

CVE-2026-24991 affects WordPress plugin Extensions For CF7 (versions up to 3.4.0). It is an Insecure Direct Object References (IDOR) / authorization bypass vulnerability caused by a user-controlled key, enabling unauthorized access to objects. Remediation: update to a version later than 3.4.0 (pa...

CVSS 5.3 | AI score 5.3 | EPSS 0.00203
Exploits 0 | References 1
Cvelist
added 2026/02/03 2:08 p.m. | 27 views

CVE-2026-24991 WordPress Extensions For CF7 plugin <= 3.4.0 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 (extensions-for-cf7) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Extensions For CF7: from n/a through <= 3.4.0...

CVSS 5.3 | EPSS 0.00203
Exploits 0 | References 1
OSV
added 2026/02/03 12:16 p.m. | 3 views

CVE-2026-1664

Summary: An Insecure Direct Object Reference has been found to exist in the createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin...

CVSS 6.9 | AI score 5.9 | EPSS 0.00366
Exploits 0 | References 1