Security Bulletin: Langflow OSS Unauthenticated IDOR on Image Downloads

Summary Langflow OSS versions 1.0.0 - 1.8.4 are affected by an insecure direct object reference vulnerability in the image download endpoint due to missing authentication and authorization checks. The images endpoint serves image files without verifying user identity or ownership. An user who get...

CVE-2026-44976

CVE-2026-44976 affects the Frappe web framework. The vulnerability is described as an IDOR in the “update_onboarding_step” function, allowing any user to modify any field in any Onboarding Step record prior to version 16.17.4. The issue is explicitly patched in version 16.17.4. The available conn...

CVE-2026-44207 Frappe: Insecure Direct Object Reference for email accounts

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0...

CVE-2026-44208

CVE-2026-44208 affects the Frappe framework (full-stack web app). A lack of input/permission validations in the submit_discussion() endpoint allows unauthorized access to resources (IDOR) in affected builds. The issue is fixed in versions 15.107.0 and 16.17.0; prior releases were vulnerable. No e...

Masteriyo LMS <= 1.7.3 - Insecure Direct Object Reference

Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauth access to course progress.This issue affects Masteriyo - LMS: from n/a through 1.7.3. id: CVE-2024-33939 info: name: Masteriyo LMS = 1.7.3 - Insecure Direct Object Reference author:...

Danswer - Insecure Direct Object Reference

The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/fileid interface to view any user's file. id: CVE-2024-9617 info: name: Danswer - Insecure Direct Object Reference author: s4e-io severity: medium...

PT-2026-48890

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0...

CVE-2026-8406

openSIS Classic 9.3 is affected by an insecure direct object reference in the messaging module. An authenticated user with access to messaging can request details of sent messages by supplying an arbitrary mail_id to modules/messaging/SentMail.php, exposing potentially sensitive information. No e...

CVE-2026-8406 openSIS Classic 9.3 - Insecure Direct Object Reference in Sent Mail

openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mailid value...

CVE-2026-53673

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a userid parameter in the request. Attackers can pass another user's identifier to the...

EUVD-2026-35879

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary userid because the getitemspermissionscheck meth...

CVE-2026-53675

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary userid because the getitemspermissionscheck meth...

CVE-2026-53675 BuddyPress 14.4.0 Friends List IDOR via REST API

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary userid because the getitemspermissionscheck meth...

CVE-2026-53675

CVE-2026-53675 concerns BuddyPress 14.4.0, where an insecure direct object reference in the friends REST API allows any authenticated user to enumerate another user’s complete friend list. The get_items_permissions_check method only verifies that the requester is logged in, not ownership of the r...

CVE-2026-53673

CVE-2026-53673 affects BuddyPress 14.4.0. The issue is an insecure direct object reference in the messages REST API where a user_id parameter can be supplied to read, reply to, or delete private messages. Attackers can pass another user’s identifier to get_item_permissions_check (which validates ...

CVE-2026-53673 BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a userid parameter in the request. Attackers can pass another user's identifier to the...

WordPress 6Storage Rentals plugin <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification vulnerability

Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification vulnerability discovered by g0wthr in WordPress Plugin 6Storage Rentals versions = 2.22.0...

VulnBoard

VulnBoard “If you don’t know about attacks, you can’t defend...

CVE-2026-9185 6Storage Rentals <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the userId parameter of the sixstoragegetuserinfo and sixstorageupdateprofile AJAX actions. This is due to the sixstoragegetUserInfo and...

CVE-2026-9185 6Storage Rentals <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the userId parameter of the sixstoragegetuserinfo and sixstorageupdateprofile AJAX actions. This is due to the sixstoragegetUserInfo and...