CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added 2026/05/21 9:1 p.m.•2 views

CVE-2026-8237

6.3CVSS5.8AI score0.00046EPSS

Exploits0References2Affected Software1

CVE•added 2026/05/21 9:0 p.m.•12 views

CVE-2026-8239

Concrete CMS

6.3CVSS5.8AI score0.00031EPSS

Exploits0References1Affected Software1

CVE•added 2026/05/21 8:59 p.m.•11 views

CVE-2026-8236

Concrete CMS 9.5.0 and earlier is affected by an IDOR flaw due to a missing authentication gate on GET requests to /ccm/system/dialogs/file/usage/{fID}. The endpoint accepts an integer file ID and can disclose internal site structure data (page IDs, versions, URL paths) to unauthenticated users. ...

6.3CVSS5.7AI score0.00089EPSS

Exploits0References1Affected Software1

Cvelist•added 2026/05/21 1:21 p.m.•33 views

CVE-2025-13479 IDOR in PosCube's QR Menu

Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any w...

7.5CVSS0.00042EPSS

Cvelist•added 2026/05/21 1:26 a.m.•36 views

CVE-2026-1881 Broadstreet <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta

The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the getsponsoredmeta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level...

4.3CVSS0.00009EPSS

EUVD•added 2026/05/21 1:26 a.m.•8 views

EUVD-2026-31206

4.3CVSS5.8AI score0.00009EPSS

Positive Technologies•added 2026/05/21 12:0 a.m.•7 views

PT-2026-42561

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description An Insecure Direct Object Reference IDOR exists where the '/ccm/frontend/conversations/get rating' endpoint confirms the existence of and returns the rating score for any message by ID. IDOR is ...

6.3CVSS5.8AI score0.00031EPSS

Positive Technologies•added 2026/05/21 12:0 a.m.•7 views

PT-2026-42558

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.5.0 and earlier Description An Insecure Direct Object Reference IDOR, which occurs when an application provides direct access to objects based on user-supplied input, combined with a missing authentication gate allows...

6.3CVSS5.7AI score0.00089EPSS

Positive Technologies•added 2026/05/21 12:0 a.m.•7 views

PT-2026-42554

6.3CVSS5.8AI score0.00027EPSS

Positive Technologies•added 2026/05/21 12:0 a.m.•8 views

PT-2026-42391

The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get sponsored meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level...

4.3CVSS5.8AI score0.00009EPSS

CNNVD•added 2026/05/21 12:0 a.m.•7 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system designed for teams. Concrete CMS versions 9.5.0 and earlier have security vulnerabilities, which stem from IDOR. These vulnerabilities may allow unauthorized parties to access confirmation messages and obtain ratings...

6.3CVSS5.8AI score0.00031EPSS

Positive Technologies•added 2026/05/21 12:0 a.m.•7 views

PT-2026-42556

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description An Insecure Direct Object Reference IDOR exists in the 'AddMessage' and 'UpdateMessage' conversation controllers. These controllers accept user-supplied file attachment IDs through the attachmen...

2.3CVSS5.8AI score0.00017EPSS

Exploits0References4

OSV•added 2026/05/20 3:46 p.m.•2 views

GHSA-XVP4-PHQJ-CJR3 phpMyFAQ: IDOR Account Takeover

Summary An Insecure Direct Object Reference IDOR vulnerability in phpMyFAQ's Admin API allows any authenticated administrator to change the password of any user account, including SuperAdmin accounts userId=1, without authorization verification. An attacker with a low-privilege admin account can...

8.8CVSS5.8AI score0.00044EPSS

Github Security Blog•added 2026/05/20 3:46 p.m.•6 views

phpMyFAQ: IDOR Account Takeover

8.8CVSS5.8AI score0.00044EPSS

Exploits0References2Affected Software2

RedHat Linux•added 2026/05/20 11:23 a.m.•3 views

keycloak: Keycloak: Unauthorized resource access and data modification via Insecure Direct Object Reference

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference IDOR vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier UUID belonging to another Resource Server within the same realm,...

6.8CVSS5.7AI score0.00012EPSS

Exploits0References4

RedHat Linux•added 2026/05/20 11:23 a.m.•10 views

Important: Red Hat Security Advisory: Red Hat build of Keycloak 26.4.12 Security Update

New Red Hat build of Keycloak 26.4.12 packages are available from the Customer Portal Red Hat build of Keycloak 26.4.12 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Security...

8.1CVSS5.8AI score0.00059EPSS

NVD•added 2026/05/20 7:16 a.m.•4 views

CVE-2026-6566

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for...

4.3CVSS0.00008EPSS

ATTACKERKB•added 2026/05/20 5:31 a.m.•2 views

CVE-2026-6566

4.3CVSS5.7AI score0.00008EPSS