87 matches found
Typebot security vulnerability
Typebot is an open source chatbot builder by the individual developer Baptiste Arnaud. A security vulnerability exists in Typebot versions 3.9.0 up to and including 3.13.0, stemming from an insecure direct object reference in the API token management endpoint, which coul...
CVE-2025-64523
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename and edit files. Versions prior to 2.45.1 have an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share deletion functionality. Th...
CVE-2025-12087
The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlmremoveaddedwishlistpage' AJAX action due to missing validation on a user controlled key. This makes it possible for...
PT-2025-46564
Name of the Vulnerable Software and Affected Versions: The Wishlist and Save for later for Woocommerce plugin for WordPress, versions through 1.1.22. Description: The software contains an Insecure Direct Object Reference issue. An authenticated attacker with Subscriber-level access or higher can dele...
Combodo iTop security vulnerability
Combodo iTop is a suite of open source web applications developed by the French company Combodo, based on ITIL and used for the daily operation of IT environments. The program provides incident management, configuration management and problem management. A security vulnerability exists in Combodo...
EUVD-2025-35911
The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutorassignmentsubmit...
CVE-2025-6639
CVE-2025-6639 affects Tutor LMS Pro (WordPress) up to and including version 3.8.3. The issue is an Insecure Direct Object Reference caused by missing validation of a user-controlled key when viewing/editing assignments via tutor_assignment_submit(), enabling authenticated users with Subscriber-level access or higher to view or edit...
Moodle OpenAI Chat Block plugin security vulnerability
The Moodle OpenAI Chat Block plugin is a large-language-model chat plugin for the open source Moodle LMS. A security vulnerability exists in version 3.0.1 of the Moodle OpenAI Chat Block plugin, stemming from insufficient validation of the blockId parameter, which could lead to an insecure direct object reference...
CVE-2025-11176
The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfisetthumbnail and qfideletethumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated...
EUVD-2018-9202
Malware in sbrugna...
EUVD-2020-28850
Malware in sbrugna...
EUVD-2021-26245
Malware in sbrugna...
EUVD-2019-5871
Malware in sbrugna...
EUVD-2020-7929
Malware in sbrugna...
EUVD-2020-29047
Malware in sbrugna...
Discourse 3.6.x < 3.6.0.beta1 Multiple Vulnerabilities
Discourse is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:discourse:discourse"; ifdescripti...
CVE-2025-10493
The CVE concerns the WordPress plugin Chained Quiz (versions 1.3.4 and earlier). The root cause is an insecure direct object reference in the quiz submission/completion flow, due to lack of validation on a user-controlled key exposed via the chained_completion_id cookie. An unauthenticated attack...
CVE-2025-52389
An Insecure Direct Object Reference (IDOR) in Envasadora H2O Eireli - Soda Cristal v40.20.4 allows authenticated attackers to access sensitive data for other users via a crafted HTTP request...
Lunary access control error vulnerability
Lunary is an open source production toolkit for LLM applications from Lunary Open Source. An access control error vulnerability exists in Lunary version 0.8.8 and earlier, stemming from an insecure direct object reference that could allow template creation beyond the caller's authorization...
CVE-2025-6585 WP JobHunt <= 7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Account Deletion
The WP JobHunt plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.2 via the csremoveprofilecallback function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level...
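The WordPress entries above (Wishlist and Save for later, Tutor LMS Pro, Quick Featured Images, WP JobHunt) share one root cause: an AJAX handler takes an object ID from the request and acts on it without checking that the object belongs to the caller. The following is an added example, not code from any plugin listed on this page, showing that pattern beside the hardened form. The plugin slug "acme-wishlist", the AJAX action "acme_remove_wishlist_item", the post type "acme_wishlist_item" and both function names are hypothetical; the WordPress APIs used (check_ajax_referer, get_current_user_id, get_post, current_user_can, wp_delete_post, wp_send_json_*) are real.

```php
<?php
// Added example for a hypothetical plugin "acme-wishlist". Not code from any
// advisory on this page. Runs inside WordPress (requires wp-load.php).

// VULNERABLE: the only input is a client-supplied post ID. Any logged-in user
// (Subscriber or higher) can delete any wishlist entry, or any other post,
// because nothing ties $item_id to the caller or to the expected object type.
function acme_remove_item_vulnerable() {
    $item_id = isset($_POST['item_id']) ? absint($_POST['item_id']) : 0;
    wp_delete_post($item_id, true);
    wp_send_json_success();
}

// HARDENED: nonce, authentication, type check and ownership check, all before
// the state change. wp_send_json_error() calls wp_die(), so each failure exits.
function acme_remove_item_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this exact action
    //    (the page would emit it with wp_create_nonce('acme_remove_wishlist_item')).
    check_ajax_referer('acme_remove_wishlist_item', 'nonce');

    // 2. Authentication: anonymous callers never reach a destructive action.
    //    (Register the handler under wp_ajax_ only, not wp_ajax_nopriv_.)
    $user_id = get_current_user_id();
    if ($user_id === 0) {
        wp_send_json_error(array('message' => 'login required'), 401);
    }

    // 3. Resolve the object server-side and confirm it is the kind of object
    //    this endpoint is allowed to touch. Hypothetical post type.
    $item_id = isset($_POST['item_id']) ? absint($_POST['item_id']) : 0;
    $item    = get_post($item_id);
    if (!$item || $item->post_type !== 'acme_wishlist_item') {
        wp_send_json_error(array('message' => 'not found'), 404);
    }

    // 4. Authorization: compare against the owner stored on the record, never
    //    against anything the client sent. Return the same 404 as step 3 so a
    //    probing attacker cannot enumerate which IDs exist but belong to others.
    $is_owner = ((int) $item->post_author === $user_id);
    if (!$is_owner && !current_user_can('delete_others_posts')) {
        wp_send_json_error(array('message' => 'not found'), 404);
    }

    wp_delete_post($item_id, true);
    wp_send_json_success(array('deleted' => $item_id));
}

add_action('wp_ajax_acme_remove_wishlist_item', 'acme_remove_item_hardened');
```

The check that closes the IDOR is step 4, not the nonce: a nonce only proves the request originated from a page WordPress served to this user, and a Subscriber can obtain one legitimately. Step 3 matters as well, since wp_delete_post() will happily remove posts of any type if the handler does not pin the type. For the Chained Quiz case above, where the key lives in an unauthenticated cookie, the same principle applies but the binding has to be to a server-side session or an unguessable random token rather than to a user ID.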