Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

4393 matches found

CVE
CVEadded 2026/03/24 12:57 p.m.18 views

CVE-2026-33484

Langflow exposes an unauthenticated IDOR on image downloads via /api/v1/files/images/{flow_id}/{file_name} in versions 1.0.0–1.8.1. An attacker who can discover or guess a flow_id can download any user’s uploaded images without credentials in multi-tenant deployments. A patch is available in vers...

7.5CVSS5.8AI score0.0005EPSS
Exploits1References1Affected Software1
Cvelist
Cvelistadded 2026/03/23 8:45 p.m.22 views

CVE-2026-23487 Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4...

6CVSS0.00042EPSS
Exploits0References3
Vulnrichment
Vulnrichmentadded 2026/03/23 8:45 p.m.0 views

CVE-2026-23487 Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4...

6CVSS5.7AI score0.00042EPSS
Exploits0References3
Github Security Blog
Github Security Blogadded 2026/03/23 8:30 p.m.4 views

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

Summary The video proxy endpoint GET /v1/videos/:taskid/content is vulnerable to an Insecure Direct Object Reference IDOR. Any authenticated user who knows another user's taskid can retrieve that user's generated video content because the handler queries tasks by taskid alone and does not verify...

6.5CVSS5.8AI score0.00047EPSS
Exploits1References4Affected Software1
OSV
OSVadded 2026/03/23 7:18 p.m.1 views

CVE-2026-30886 New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS6.4AI score0.00047EPSS
Exploits1References4
Vulnrichment
Vulnrichmentadded 2026/03/23 7:18 p.m.6 views

CVE-2026-30886 New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS5.8AI score0.00047EPSS
Exploits1References2
ATTACKERKB
ATTACKERKBadded 2026/03/23 7:18 p.m.2 views

CVE-2026-30886

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS5.8AI score0.00047EPSS
Exploits1References3Affected Software1
CVE
CVEadded 2026/03/23 7:18 p.m.14 views

CVE-2026-30886

The CVE-2026-30886 entry describes an Insecure Direct Object Reference (IDOR) in the video proxy endpoint GET /v1/videos/:task_id/content of the New API LLM gateway/AI asset manager. Before version 0.11.4-alpha.2, any authenticated user could access video content owned by others due to a missing ...

6.5CVSS5.8AI score0.00047EPSS
Exploits1References2Affected Software1
OSV
OSVadded 2026/03/23 6:16 p.m.1 views

GO-2026-4797 Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api...

5.3CVSS5.8AI score0.00013EPSS
Exploits0References2
OSV
OSVadded 2026/03/23 6:16 p.m.1 views

GO-2026-4778 Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets in github.com/juju/juju

Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets in github.com/juju/juju...

6.6CVSS5.8AI score0.0006EPSS
Exploits1References3
Patchstack
Patchstackadded 2026/03/23 6:13 p.m.3 views

WordPress REST API TO MiniProgram plugin <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference via 'userid' REST API Parameter vulnerability discovered by WordFence in WordPress Plugin REST API TO MiniProgram versions = 5.1.2...

5.3CVSS5.8AI score0.00058EPSS
Exploits0References1Affected Software1
Cvelist
Cvelistadded 2026/03/23 1:46 p.m.18 views

CVE-2026-33297 AVideo has an IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php

WWBN AVideo is an open source video platform. Prior to version 26.0, the setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numer...

5.1CVSS0.00055EPSS
Exploits1References2
Patchstack
Patchstackadded 2026/03/23 12:14 p.m.5 views

WordPress LatePoint plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by daroo in WordPress Plugin LatePoint versions = 5.2.6...

6.5CVSS5.8AI score0.0004EPSS
Exploits0Affected Software1
Patchstack
Patchstackadded 2026/03/23 12:13 p.m.4 views

WordPress JS Help Desk plugin <= 3.0.3 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by Bonds in WordPress Plugin JS Help Desk versions = 3.0.3...

6.5CVSS5.8AI score0.00045EPSS
Exploits0Affected Software1
EUVD
EUVDadded 2026/03/21 6:30 a.m.1 views

EUVD-2026-14186

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback updateuserwechatshopinfopermissionscheck only validating that the supplied 'openid' parameter corresponds to an...

5.3CVSS5.9AI score0.00058EPSS
Exploits0References8
NVD
NVDadded 2026/03/21 4:17 a.m.2 views

CVE-2026-3460

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback updateuserwechatshopinfopermissionscheck only validating that the supplied 'openid' parameter corresponds to an...

5.3CVSS0.00058EPSS
Exploits0References7
CVE
CVEadded 2026/03/21 3:26 a.m.4 views

CVE-2026-3460

CVE-2026-3460 concerns the REST API TO MiniProgram plugin for WordPress. The vulnerability allows an authenticated user with Subscriber-level access or higher to modify arbitrary users’ store-related metadata (storeinfo, storeappid, storename) via an attacker-controlled userid parameter in the RE...

5.3CVSS5.9AI score0.00058EPSS
Exploits0References7
ATTACKERKB
ATTACKERKBadded 2026/03/21 3:26 a.m.2 views

CVE-2026-3460

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback updateuserwechatshopinfopermissionscheck only validating that the supplied 'openid' parameter corresponds to an...

5.3CVSS5.9AI score0.00058EPSS
Exploits0References8
Cvelist
Cvelistadded 2026/03/21 3:26 a.m.25 views

CVE-2026-3460 REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback updateuserwechatshopinfopermissionscheck only validating that the supplied 'openid' parameter corresponds to an...

5.3CVSS0.00058EPSS
Exploits0References7
Vulnrichment
Vulnrichmentadded 2026/03/21 3:26 a.m.3 views

CVE-2026-3460 REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback updateuserwechatshopinfopermissionscheck only validating that the supplied 'openid' parameter corresponds to an...

5.3CVSS5.9AI score0.00058EPSS
Exploits0References7
Rows per page
Query Builder