4391 matches found
CVE-2026-8679
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handleplaylistendpoint function hooked to templateredirect accepting a user-controlled playlist ID via the audioigniterplaylistid query var or the...
GHSA-7P8G-6C6G-H9W7 praisonai-platform: Agent endpoints accept any agent_id without workspace ownership check, cross-workspace read/update/delete IDOR
Summary Type: Insecure Direct Object Reference. The agent CRUD endpoints GET / PATCH / DELETE /workspaces/workspaceid/agents/agentid gate access on requireworkspacememberworkspaceid only, then resolve agentid through AgentService.getagentid which is a primary-key lookup with no workspace...
WordPress MapPress Maps for WordPress plugin <= 2.96.6 - Unauthenticated Insecure Direct Object Reference vulnerability
Unauthenticated Insecure Direct Object Reference vulnerability discovered by Kitch - KitchGlobal in WordPress Plugin MapPress Maps for WordPress versions = 2.96.6...
WordPress Klamra Paycal for Aspaclaria plugin <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability
Insecure Direct Object Reference to Authenticated Subscriber+ Sensitive Information Exposure vulnerability discovered by KEVIN LEE crattack - OPCIA in WordPress Plugin Klamra Paycal for Aspaclaria versions = 1.1.4...
CVE-2026-11369 IDOR in Comment API Allows Cross-Process Comment Read and Write
The Comment API GET /api/Comment and POST /api/Comment in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference IDOR vulnerability allows any authenticated...
CVE-2026-11369
The Comment API GET /api/Comment and POST /api/Comment in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference IDOR vulnerability allows any authenticated...
CVE-2026-11369 IDOR in Comment API Allows Cross-Process Comment Read and Write
The Comment API GET /api/Comment and POST /api/Comment in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference IDOR vulnerability allows any authenticated...
PT-2026-47087
Summary Type: Insecure Direct Object Reference. The agent CRUD endpoints GET / PATCH / DELETE /workspaces/workspace id/agents/agent id gate access on require workspace memberworkspace id only, then resolve agent id through AgentService.getagent id which is a primary-key lookup with no workspace...
CVE-2026-49192
The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping...
CVE-2026-49192
Technical details for CVE-2026-49192 are not publicly available in the provided documents. Monitor for updates on affected products, exposed data, and remediation.
CVE-2026-49192 Summary Service Insecure Direct Object Reference
The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping...
CVE-2026-49192 Summary Service Insecure Direct Object Reference
The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping...
CVE-2026-10597
OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...
CVE-2026-10597 ITPison|OMICARD EDM - Insecure Direct Object Reference
OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...
CVE-2026-10597 ITPison|OMICARD EDM - Insecure Direct Object Reference
OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...
EUVD-2026-34196
OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...
CVE-2026-10597
OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...
PT-2026-46130
OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...
PT-2026-46150
The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping...
CVE-2026-31942
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference IDOR vulnerability exists in the API keys management endpoint PUT /api/keys. Due to the use of the JavaScript object spread operator after setting...