4550 matches found

CVE
added 2026/05/13 7:28 p.m., 52 views

CVE-2026-28374

CVE-2026-28374 corresponds to an IDOR in the Annotations API where editors can delete any annotation, including those they lack read access to. The vulnerability allows unprivileged users to delete annotations they should not be able to modify, while editor users cannot create or read annotations...

4.3 CVSS, 5.8 AI score, 0.00198 EPSS
Exploits: 0, References: 1, Affected Software: 1
CVE
added 2026/05/13 5:29 a.m., 17 views

CVE-2026-6965

The CVE-2026-6965 entry concerns Tutor LMS

5.3 CVSS, 5.7 AI score, 0.00304 EPSS
Exploits: 0, References: 53
Vulnrichment
added 2026/05/13 5:29 a.m., 9 views

CVE-2026-6965 Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the getcourseidby function unconditionally trusting the user-supplied course GET parameter as the authoritative course ...

5.3 CVSS, 5.7 AI score, 0.00304 EPSS
Exploits: 0, References: 53
EUVD
added 2026/05/13 5:29 a.m., 26 views

EUVD-2026-29914

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the getcourseidby function unconditionally trusting the user-supplied course GET parameter as the authoritative course ...

5.3 CVSS, 5.7 AI score, 0.00304 EPSS
Exploits: 0, References: 53
Cvelist
added 2026/05/13 3:26 a.m., 34 views

CVE-2025-14755 Cost Calculator Builder <= 4.0.1 - Unauthenticated Price Manipulation and Insecure Direct Object Reference

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccbwoocommercepayment AJAX...

5.3 CVSS, 0.00227 EPSS
Exploits: 0, References: 3
CVE
added 2026/05/13 3:26 a.m., 13 views

CVE-2025-14755

The Cost Calculator Builder plugin for WordPress (

5.3 CVSS, 5.8 AI score, 0.00227 EPSS
Exploits: 0, References: 3
Positive Technologies
added 2026/05/13 12:0 a.m., 8 views

PT-2026-40817

Name of the Vulnerable Software and Affected Versions: SQLBot versions prior to 1.8.0. Description: An Insecure Direct Object Reference (IDOR) and authorization bypass issue exists in the '/api/v1/datasource/exportDsSchema' and '/api/v1/datasource/uploadDsSchema' endpoints. This allows an attacker to...

8.6 CVSS, 5.8 AI score, 0.00249 EPSS
Exploits: 1, References: 3
Grafana
added 2026/05/13 12:0 a.m., 8 views

IDOR in Annotations API allows unprivileged users to DELETE annotation

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations...

4.3 CVSS, 5.8 AI score, 0.00198 EPSS
Exploits: 0
CNNVD
added 2026/05/13 12:0 a.m., 11 views

WordPress plugin Tutor LMS security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

5.3 CVSS, 5.8 AI score, 0.00304 EPSS
Exploits: 0, References: 1
Cvelist
added 2026/05/12 10:39 p.m., 40 views

CVE-2026-44341 GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access ...

5.3 CVSS, 0.00239 EPSS
Exploits: 0, References: 1
CVE
added 2026/05/12 10:39 p.m., 19 views

CVE-2026-44341

Summary: CVE-2026-44341 affects the GoJobs REST API (Job Board) and stems from an insecure direct object reference in the job retrieval endpoint. The endpoint allows unauthenticated access by manipulating object identifiers, due to missing authentication and authorization checks. Impact (as state...

5.3 CVSS, 5.8 AI score, 0.00239 EPSS
Exploits: 0, References: 1
Vulnrichment
added 2026/05/12 10:39 p.m., 7 views

CVE-2026-44341 GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access ...

5.3 CVSS, 5.8 AI score, 0.00239 EPSS
Exploits: 0, References: 1
EUVD
added 2026/05/12 6:30 p.m., 8 views

EUVD-2023-34492

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...

5.7 AI score, 0.00168 EPSS
Exploits: 0, References: 2
Patchstack
added 2026/05/12 5:18 p.m., 9 views

WordPress Tutor LMS – eLearning and online course solution plugin <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion vulnerability

Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion vulnerability discovered by molten bit in WordPress Plugin Tutor LMS versions <= 3.9.9...

5.3 CVSS, 5.8 AI score, 0.00304 EPSS
Exploits: 0, References: 1, Affected Software: 1
Patchstack
added 2026/05/12 3:7 p.m., 11 views

WordPress Checkout Files Upload for WooCommerce plugin <= 2.2.5 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References (IDOR) vulnerability discovered by devploit in WordPress Plugin Checkout Files Upload for WooCommerce versions <= 2.2.5...

6.5 CVSS, 5.8 AI score, 0.00273 EPSS
Exploits: 0, Affected Software: 1
CNNVD
added 2026/05/12 12:0 a.m., 6 views

Mk-Auth security vulnerability

Mk-Auth is a Brazilian internet service provider management system developed by Mk-Auth company. It is used to control client access and permissions through a network interface panel. Version 23.01K4.9 of MK-Auth contains a security vulnerability caused by insecure direct object references. This...

5.4 CVSS, 5.8 AI score, 0.00168 EPSS
Exploits: 0, References: 1
Positive Technologies
added 2026/05/12 12:0 a.m., 12 views

PT-2026-40048

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...

5.7 AI score, 0.00168 EPSS
Exploits: 0, References: 2
Vulnrichment
added 2026/05/12 12:0 a.m., 7 views

CVE-2023-30059

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...

5.7 AI score, 0.00168 EPSS
Exploits: 0, References: 1
Cvelist
added 2026/05/12 12:0 a.m., 30 views

CVE-2023-30059

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...

0.00168 EPSS
Exploits: 0, References: 1
Vulnrichment
added 2026/05/11 9:9 p.m., 9 views

CVE-2026-43890 Outline: IDOR in subscriptions.create allows cross-tenant subscription on private documents (sibling of GHSA-23jj-rp48-w7q7)

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the request, the route...

7.7 CVSS, 5.8 AI score, 0.00205 EPSS
Exploits: 0, References: 1