4393 matches found
CVE-2026-5750
An insecure direct object reference IDOR vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from:...
CVE-2026-5750
CVE-2026-5750 describes an IDOR vulnerability in the Fullstep V5 registration flow. Authenticated users can access data belonging to other registered users via vulnerable endpoints, notably “/api/suppliers/v1/suppliers//false” (listing user information) and “/#/supplier-registration/supplier-regi...
CVE-2026-5750 Insecure direct object reference (IDOR) vulnerability in Fullstep
An insecure direct object reference IDOR vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from:...
CVE-2026-6355
CVE-2026-6355 describes a vulnerability in a web application where unauthorized users can access and manipulate sensitive data across tenants by exploiting insecure direct object references. The root cause is insecure handling of object identifiers that allows cross-tenant access and configuratio...
CVE-2026-6355 CVE-2026-6355
A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. This could lead to unauthorized access to sensitive information and unauthorized changes to the tenant's configuration...
Augmentt 安全漏洞
Augmentt is a SaaS management and automation platform developed by Augmentt Inc. in Canada. There is a security vulnerability in Augmentt, which stems from insecure direct object references in web applications. This vulnerability could allow unauthorized users to access and manipulate sensitive...
PT-2026-34333
An insecure direct object reference IDOR vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from:...
CVE-2026-40907
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint plugin/Live/view/Liverestreams/list.json.php contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...
CVE-2026-40907
Summary: WWBN AVideo 29.0 and earlier contains an Insecure Direct Object Reference (IDOR) in the endpoint plugin/Live/view/Live_restreams/list.json.php. This allows any authenticated user with streaming permission to view other users’ live restream configurations, exposing third‑party platform st...
EUVD-2026-24199
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation...
EUVD-2026-24234
Horilla is a free and open source Human Resource Management System HRMS. In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the document ID in the upload...
CVE-2026-40866
Horilla HRMS (version 1.5.0) contains an insecure direct object reference vulnerability in the employee document upload endpoint. An authenticated user can overwrite, replace, or corrupt another employee’s document by altering the document ID in the upload request, leading to unauthorized modific...
CVE-2026-40866 Horilla: Unauthorized Document Overwrite via File Upload Endpoint
Horilla is a free and open source Human Resource Management System HRMS. In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the document ID in the upload...
EUVD-2026-24231
Horilla is a free and open source Human Resource Management System HRMS. In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This exposes sensitive HR...
CVE-2026-5652
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation...
CVE-2026-5652
CVE-2026-5652 affects Crafty Controller’s Users API component, enabling an authenticated remote attacker to perform user modification actions due to improper API permissions validation. Reported CVSS 3.1 base score 9.0 (CRITICAL) with network attack vector, low attack complexity, high confidentia...
CVE-2026-5652
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation...
WordPress Salon booking system plugin <= 10.30.24 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References IDOR vulnerability discovered by Lubin Regnault in WordPress Plugin Salon booking system versions = 10.30.24...
PT-2026-34013
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation...
PT-2026-34061
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint plugin/Live/view/Live restreams/list.json.php contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...