248 matches found
PT-2026-24812
CVE-2025-66956 Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computa… https://t.co/B86afgMbsO...
GHSA-JXM3-PMM2-9GF6 Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
Description The "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission where the "Duplicate" action is restricted in the UI, a user can bypass this restriction by sending a direc...
Insecure Direct Object Reference (IDOR)
pretix is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to improper authorization checks on file access endpoints, which allows an attacker to retrieve sensitive files of other users by supplying a known UUID...
CVE-2026-24950
Authorization Bypass Through User-Controlled Key vulnerability in themeplugs Authorsy authorsy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Authorsy: from n/a through = 1.0.6...
CVE-2025-68564 WordPress Sendy plugin <= 3.4.2 - Broken Access Control vulnerability
Missing Authorization vulnerability in sendy Sendy sendy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sendy: from n/a through = 3.4.2...
CVE-2026-25404
CVE-2026-25404 affects the WordPress WP Job Manager plugin (wp-job-manager) versions up to and including 2.4.0. The issue is a missing authorization/broken access control vulnerability arising from incorrectly configured access control security levels, allowing unauthorized access to protected fu...
CVE-2026-25005 WordPress Frontend File Manager plugin <= 23.5 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Frontend File Manager: from n/a through = 23.5...
PT-2026-20712
Missing Authorization vulnerability in codepeople Calculated Fields Form calculated-fields-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Calculated Fields Form: from n/a through = 5.4.4.1...
CVE-2026-24776 OpenProject has an IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer
OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting or is the backlog, in case of recurring meetings. This...
CVE-2026-25020 WordPress WP Sync for Notion plugin <= 1.7.0 - Broken Access Control vulnerability
Missing Authorization vulnerability in WP connect WP Sync for Notion wp-sync-for-notion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Sync for Notion: from n/a through = 1.7.0...
CVE-2026-24940 WordPress Travelfic Toolkit plugin <= 1.3.3 - Broken Access Control vulnerability
Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelfic Toolkit: from n/a through = 1.3.3...
CVE-2026-24413
Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the %ProgramData%\icinga2\var folder on Windows. This resulted in the its contents - including the private key of the...
CVE-2026-24585
Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hyyan WooCommerce Polylang Integration: from n/a through = 1.5.0...
CVE-2025-68020
Missing Authorization vulnerability in WANotifier Notifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notifier: from n/a through = 2.7.13...
CVE-2026-24627 WordPress Trusona for WordPress plugin <= 2.0.0 - Broken Access Control vulnerability
Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trusona for WordPress: from n/a through = 2.0.0...
CVE-2026-24556 WordPress ElementCamp plugin <= 2.3.2 - Broken Access Control vulnerability
Missing Authorization vulnerability in wpdive ElementCamp element-camp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ElementCamp: from n/a through = 2.3.2...
CVE-2026-23964 Mastodon has insufficient access control to push notification settings
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining th...
CVE-2026-23964
Mastodon vendor: Mastodon server (ActivityPub). Vulnerability CVE-2026-23964 is an insecure direct object reference in the web push subscription update endpoint affecting versions < 4.5.5, < 4.4.12, and
CVE-2025-41077 Multiple vulnerabilities in Viafirma products
IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality ...
CVE-2025-4596
CVE-2025-4596 affects the Asseco ADMX system (Asseco AMDX) used for processing medical records. The issue is an information disclosure via IDOR-like access: authenticated users can view medical files belonging to other users by manipulating GET parameters containing document IDs. Root cause: impr...