CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

3429 matches found

GithubExploit•added 2026/05/29 9:52 p.m.•68 views

NileBank-Vulnerable-App

NileBank - Web Pen Testing Project A realistic bank web appli...

5.9AI score

Exploits0

RedhatCVE•added 2026/05/29 8:13 p.m.•10 views

CVE-2026-45297

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...

5.3CVSS5.8AI score0.00207EPSS

Exploits0References1

NVD•added 2026/05/29 7:16 a.m.•13 views

CVE-2026-9493

Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users' EC order details...

7.1CVSS0.00259EPSS

Exploits0References2

EUVD•added 2026/05/29 5:54 a.m.•11 views

EUVD-2026-33253

7.1CVSS5.8AI score0.00259EPSS

Exploits0References2

Cvelist•added 2026/05/29 5:54 a.m.•34 views

CVE-2026-9493 BankPro E-Service Technology｜Service Center - Insecure Direct Object Reference

7.1CVSS0.00259EPSS

Exploits0References2

CVE•added 2026/05/29 5:54 a.m.•14 views

CVE-2026-9493

CVE-2026-9493 concerns BankPro E-Service Technology’s Service Center, which contains an Insecure Direct Object Reference vulnerability. Authenticated remote attackers can alter a parameter in a specific query function to access other users’ EC order details. The issue exposes sensitive confidenti...

7.1CVSS5.8AI score0.00259EPSS

Exploits0References2

Positive Technologies•added 2026/05/29 12:0 a.m.•9 views

PT-2026-45065

Summary Type: Insecure Direct Object Reference. Five label endpoints — PATCH /workspaces/workspace id/labels/label id, DELETE .../labels/label id, POST .../issues/issue id/labels/label id, DELETE .../issues/issue id/labels/label id, GET .../issues/issue id/labels — gate access on require workspac...

7.6CVSS5.9AI score0.00038EPSS

Exploits0References3

ATTACKERKB•added 2026/05/28 8:47 p.m.•8 views

CVE-2026-45342

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource types are links, lists...

5.8AI score0.00225EPSS

Exploits0References2Affected Software1

EUVD•added 2026/05/28 8:47 p.m.•8 views

EUVD-2026-33056

7.1CVSS5.8AI score0.00225EPSS

Exploits0References1

NVD•added 2026/05/28 4:16 p.m.•12 views

CVE-2026-35671

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to...

8.8CVSS0.00303EPSS

Exploits0References2

Cvelist•added 2026/05/28 2:13 p.m.•29 views

CVE-2026-35671 phpMyFAQ - Insecure Direct Object Reference in User Password API

8.8CVSS0.00303EPSS

Exploits0References2

Vulnrichment•added 2026/05/28 2:13 p.m.•8 views

CVE-2026-35671 phpMyFAQ - Insecure Direct Object Reference in User Password API

8.8CVSS5.8AI score0.00303EPSS

Exploits0References2

NVD•added 2026/05/28 8:16 a.m.•13 views

CVE-2026-7651

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...

5.3CVSS0.00227EPSS

Exploits0References5

Cvelist•added 2026/05/28 6:45 a.m.•29 views

CVE-2026-7651 User Registration & Membership <= 5.1.5 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Media Deletion via 'profile-pic-url' Parameter

5.3CVSS0.00227EPSS

Exploits0References5

ATTACKERKB•added 2026/05/28 6:45 a.m.•7 views

CVE-2026-7651

5.3CVSS5.9AI score0.00227EPSS

Exploits0References6

NVD•added 2026/05/28 6:16 a.m.•11 views

CVE-2026-3173

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user...

6.5CVSS0.00243EPSS

Exploits0References4

EUVD•added 2026/05/28 5:30 a.m.•11 views

EUVD-2026-32722

6.5CVSS5.9AI score0.00243EPSS

Exploits0References4

Vulnrichment•added 2026/05/28 5:30 a.m.•10 views

CVE-2026-3173 Meta Field Block <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure

6.5CVSS5.9AI score0.00243EPSS

Exploits0References4

CVE•added 2026/05/28 5:30 a.m.•14 views

CVE-2026-3173

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 1.5.1. Authenticated attackers with Contributor-level access or higher can read arbitrary user meta, post meta, and term meta from any object, potentially exposing PII (...

6.5CVSS5.9AI score0.00243EPSS

Exploits0References4

Cvelist•added 2026/05/28 5:30 a.m.•33 views

CVE-2026-3173 Meta Field Block <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure

6.5CVSS0.00243EPSS

Exploits0References4

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by