Lucene search
K

2760 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/02 9:14 a.m.5 views

CVE-2026-7491

School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data...

8.6CVSS5.8AI score0.00259EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/02 9:14 a.m.5 views

EUVD-2026-26772

School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data...

8.6CVSS5.8AI score0.00259EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/02 3:36 a.m.34 views

CVE-2026-7638 App Builder <= 5.5.10 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Avatar Modification via 'user_id' Parameter

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the uploadavatar function, which accepts an attacker-controlled...

5.3CVSS0.00306EPSS
Exploits0References10
NVD
NVD
added 2026/04/28 10:16 p.m.11 views

CVE-2026-41649

Outline is a service that allows for collaborative documentation. The shares.create API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both collectionId and documentId are provided in the request, the authorization logic only checks...

7.7CVSS0.00293EPSS
Exploits1References3
NVD
NVD
added 2026/04/28 1:19 p.m.9 views

CVE-2026-5779

An insecure direct object reference IDOR vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an...

9.4CVSS0.00252EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/28 11:43 a.m.34 views

CVE-2026-5780 Multiple vulnerabilities in MphRx's Minerva

An insecure direct object reference IDOR vulnerability in MphRx's Minerva V3.6.0, specifically in the endpoint '/minerva/moUser/show/'. If this vulnerability is successfully exploited, an authenticated user can access the data of other registered users simply by modifying the ID. This allows an...

8.5CVSS0.00201EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/28 11:41 a.m.6 views

CVE-2026-5779

An insecure direct object reference IDOR vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an...

9.4CVSS5.3AI score0.00252EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/28 12:0 a.m.10 views

PT-2026-35714

Name of the Vulnerable Software and Affected Versions Minerva version 3.6.0 Description An insecure direct object reference IDOR issue exists in the '/minerva/user/updateUserProfile' endpoint. This improper access control allows an authenticated user to modify the profiles of other registered...

9.4CVSS5.2AI score0.00252EPSS
Exploits0References4
NVD
NVD
added 2026/04/24 6:16 a.m.3 views

CVE-2026-6810

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dexbccfadminintcalendarlist.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated...

5.3CVSS0.0033EPSS
Exploits0References8
EUVD
EUVD
added 2026/04/24 5:29 a.m.6 views

EUVD-2026-25401

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dexbccfadminintcalendarlist.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated...

5.3CVSS5.7AI score0.0033EPSS
Exploits0References8
EUVD
EUVD
added 2026/04/22 3:31 p.m.6 views

EUVD-2026-24746

An insecure direct object reference IDOR vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from:...

7.6CVSS5.8AI score0.00207EPSS
Exploits0References2
NVD
NVD
added 2026/04/22 2:17 p.m.6 views

CVE-2026-5750

An insecure direct object reference IDOR vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from:...

7.6CVSS0.00207EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/22 1:25 p.m.27 views

CVE-2026-5750 Insecure direct object reference (IDOR) vulnerability in Fullstep

An insecure direct object reference IDOR vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from:...

7.6CVSS0.00207EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.8 views

PT-2026-34333

An insecure direct object reference IDOR vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from:...

7.6CVSS5.8AI score0.00207EPSS
Exploits0References2
CVE
CVE
added 2026/04/21 7:50 p.m.14 views

CVE-2026-40907

Summary: WWBN AVideo 29.0 and earlier contains an Insecure Direct Object Reference (IDOR) in the endpoint plugin/Live/view/Live_restreams/list.json.php. This allows any authenticated user with streaming permission to view other users’ live restream configurations, exposing third‑party platform st...

6.5CVSS5.7AI score0.00269EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/04/21 6:14 p.m.11 views

EUVD-2026-24231

Horilla is a free and open source Human Resource Management System HRMS. In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This exposes sensitive HR...

7.1CVSS5.8AI score0.0014EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/04/21 9:57 a.m.9 views

WordPress Salon booking system plugin <= 10.30.24 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by Lubin Regnault in WordPress Plugin Salon booking system versions = 10.30.24...

5.8AI score0.00288EPSS
Exploits0Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.8 views

PT-2026-34061

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint plugin/Live/view/Live restreams/list.json.php contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...

6.5CVSS5.7AI score0.00269EPSS
Exploits1References3
GithubExploit
GithubExploit
added 2026/04/17 8:17 a.m.78 views

reconauto

reconauto Automated b...

5.7AI score
Exploits0
EUVD
EUVD
added 2026/04/17 6:31 a.m.7 views

EUVD-2026-23356

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::createpaymentintentfortransaction action is registered as a public action no authentication required an...

5.3CVSS5.8AI score0.00689EPSS
Exploits0References11
Rows per page
Query Builder