Lucene search
K

2026 matches found

OSV
OSV
added 2026/03/06 7:30 p.m.5 views

CVE-2026-30843 Wekan has Cross-Board IDOR in Custom Fields Update Endpoints

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

9.3CVSS5.8AI score0.00218EPSS
Exploits0References5
CVE
CVE
added 2026/03/04 4:36 p.m.31 views

CVE-2026-28782

CVE-2026-28782 affects Craft CMS prior to 5.9.0-beta.1 and 4.17.0-beta.1, allowing a user with only View Entries permission to bypass UI restrictions and duplicate other users’ entries by sending direct requests. The flaw is an improper permission check in the Duplicate action, enabling IDOR via ...

5.3CVSS6AI score0.00234EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/02/27 7:18 p.m.4 views

CVE-2026-28354 ClipBucket v5 has IDOR in Collection Item Management

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify another user’s collection items. This affects both add item /actions/addtocollection.php due to missi...

7.1CVSS5.8AI score0.00263EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/02/26 10:38 p.m.6 views

CVE-2026-28217 IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...

6.5CVSS6AI score0.00369EPSS
Exploits1References2
EUVD
EUVD
added 2026/02/26 3:10 p.m.6 views

EUVD-2026-8859

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The userfieldids parameter ...

7.5CVSS5.7AI score0.00266EPSS
Exploits0References1
CVE
CVE
added 2026/02/25 3:51 p.m.16 views

CVE-2026-27705

Plane is an open-source project management tool. Prior to v1.2.2, the ProjectAssetEndpoint.patch() method uses a global asset lookup (FileAsset.objects.get(id=pk)) without validating workspace/project ownership, allowing any authenticated user (including GUEST) to modify attributes and is_uploade...

7.1CVSS5.5AI score0.00213EPSS
Exploits0References3Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/02/24 12:0 a.m.5 views

SolarWinds Serv-U 15.5.4 Multiple Vulnerabilities

The version of SolarWinds Serv-U installed on the remote host is prior to 15.5.4. It is, therefore, affected by multiple vulnerabilities as referenced in the solarwindsserv-u1554 advisory. - An Insecure Direct Object Reference IDOR vulnerability exists in Serv-U, which when exploited, gives a...

9.1CVSS6.5AI score0.0057EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/02/23 10:56 a.m.6 views

WordPress Really Simple Security Pro plugin <= 9.5.4.0 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by dcodx in WordPress Plugin Really Simple Security Pro versions = 9.5.4.0...

5.4AI score0.00219EPSS
Exploits0Affected Software1
GithubExploit
GithubExploit
added 2026/02/22 6:54 p.m.171 views

exploit-notes

🎯 Pentest Playbook Index Welcome to the comprehensive penetra...

5.5AI score
Exploits0
Cvelist
Cvelist
added 2026/02/20 3:47 p.m.29 views

CVE-2026-22383 WordPress PawFriends - Pet Shop and Veterinary WordPress theme theme <= 1.3 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a...

7.5CVSS0.00271EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/02/20 3:46 p.m.3 views

CVE-2025-68514 WordPress Paid Member Subscriptions plugin <= 2.16.8 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Paid Member Subscriptions: from n/a through = 2.16.8...

5.1AI score0.00348EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/19 8:26 a.m.33 views

CVE-2026-25324 WordPress Quiz And Survey Master plugin <= 10.3.4 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through = 10.3.4...

5.3CVSS0.00315EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/02/19 8:26 a.m.3 views

CVE-2026-25324 WordPress Quiz And Survey Master plugin <= 10.3.4 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through = 10.3.4...

5.3CVSS5.5AI score0.00315EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/19 8:26 a.m.30 views

CVE-2026-25005 WordPress Frontend File Manager plugin <= 23.5 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Frontend File Manager: from n/a through = 23.5...

5.3CVSS0.00325EPSS
Exploits0References1
NVD
NVD
added 2026/02/18 7:21 p.m.11 views

CVE-2025-70063

The 'Medical History' module in PHPGurukul Hospital Management System v4.0 contains an Insecure Direct Object Reference IDOR vulnerability. The application fails to verify that the requested 'viewid' parameter belongs to the currently authenticated patient. This allows a user to access the...

6.5CVSS0.00336EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/18 1:9 p.m.5 views

CVE-2026-1436 Improper Access Control (IDOR) vulnerability in Graylog Web Interface

Improper Access Control IDOR in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user's profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive...

7.1CVSS5.5AI score0.00212EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/11 7:54 a.m.29 views

CVE-2025-10912 IDOR in saastech.io's TemizlikYolda

Authorization Bypass Through User-Controlled Key vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Manipulating User-Controlled Variables. This issue affects TemizlikYolda: through 11022026. NOTE: The vendor was contacted early about this disclosure but did not...

5.4CVSS0.00193EPSS
Exploits0References2
CVE
CVE
added 2026/02/10 2:8 p.m.13 views

CVE-2025-7347

CVE-2025-7347 concerns an Authorization Bypass Through User-Controlled Key in Dinibh Puzzle Software Solutions’ Dinibh Patrol Tracking System. The connected CVE record identifies an IDOR-style issue that enables exploitation of trusted identifiers, affecting the Dinibh Patrol Tracking System up t...

8.8CVSS5.2AI score0.00265EPSS
Exploits0References2
EUVD
EUVD
added 2026/02/08 12:30 a.m.5 views

EUVD-2026-5708

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers...

7.5CVSS5.4AI score0.0028EPSS
Exploits0References4
NVD
NVD
added 2026/02/06 10:16 p.m.6 views

CVE-2026-25574

Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference IDOR vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default...

5.4CVSS0.00193EPSS
Exploits0References1
Rows per page
Query Builder