Lucene search

4391 matches found

CVE
added 2026/01/22 4:51 p.m. | 8 views

CVE-2025-47555

CVE-2025-47555 is an Authorization Bypass in Themeum Tutor LMS (Tutor) caused by incorrect access control, allowing a user-controlled key to bypass restrictions. Affected: Tutor LMS versions up to 3.9.4 (n/a through

CVSS 3.8 | AI score 5.4 | EPSS 0.00012
Exploits: 0 | References: 1
Vulnrichment
added 2026/01/22 12:13 p.m. | 4 views

CVE-2025-10855 IDOR in Solvera Software's Teknoera

Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers. This issue affects Teknoera: through 01102025...

CVSS 7.5 | AI score 5.4 | EPSS 0.00019
Exploits: 0 | References: 2
Cvelist
added 2026/01/22 11:45 a.m. | 23 views

CVE-2025-10024 IDOR in EXERT Computer Technologies' Education Management System

Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection. This issue affects Education Management System: through 23.09.2025...

CVSS 7.5 | EPSS 0.00025
Exploits: 0 | References: 2
NVD
added 2026/01/22 3:15 a.m. | 3 views

CVE-2026-23964

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining th...

CVSS 6.5 | EPSS 0.00069
Exploits: 0 | References: 4
EUVD
added 2026/01/22 1:55 a.m. | 4 views

EUVD-2026-4210

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining th...

CVSS 6.5 | AI score 5.6 | EPSS 0.00069
Exploits: 0 | References: 4
Hacker One
added 2026/01/21 3:07 a.m. | 4 views

Nextcloud: IDOR on ██████ via direct photo URL leads to unauthorized access to deleted and other users' photos

Summary: An Insecure Direct Object Reference (IDOR) vulnerability exists in the application that allows unauthorized access to photos belonging to other users. The application does not properly validate whether the logged-in user is authorized to access a photo when accessing it via direct URL. Thi...

AI score 5.9
Exploits: 0
RedhatCVE
added 2026/01/20 9:22 p.m. | 3 views

CVE-2026-23844

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

CVSS 7.1 | AI score 5.5 | EPSS 0.00045
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/20 7:20 p.m. | 3 views

CVE-2026-23843

teklifolusturapp is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can...

CVSS 7.1 | AI score 5.5 | EPSS 0.00051
Exploits: 0 | References: 1
Patchstack
added 2026/01/20 6:07 a.m. | 5 views

WordPress Dokan plugin <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure vulnerability

Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure vulnerability discovered by shark3y in WordPress Plugin Dokan versions <= 4.2.4...

CVSS 8.1 | AI score 5.5 | EPSS 0.00045
Exploits: 0 | References: 1 | Affected Software: 1
NVD
added 2026/01/20 5:16 a.m. | 5 views

CVE-2025-14977

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the /wp-json/dokan/v1/settings REST API endpoint due to missing validation on a...

CVSS 8.1 | EPSS 0.00045
Exploits: 0 | References: 6
CVE
added 2026/01/20 4:35 a.m. | 20 views

CVE-2025-14977

Dokan (WordPress Dokan Lite)

CVSS 8.1 | AI score 5.5 | EPSS 0.00045
Exploits: 0 | References: 6
ATTACKERKB
added 2026/01/20 4:35 a.m. | 1 view

CVE-2025-14977

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the /wp-json/dokan/v1/settings REST API endpoint due to missing validation on a...

CVSS 8.1 | AI score 5.4 | EPSS 0.00045
Exploits: 0 | References: 7
Vulnrichment
added 2026/01/20 4:35 a.m. | 2 views

CVE-2025-14977 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the /wp-json/dokan/v1/settings REST API endpoint due to missing validation on a...

CVSS 8.1 | AI score 5.5 | EPSS 0.00045
Exploits: 0 | References: 6
Cvelist
added 2026/01/20 4:35 a.m. | 17 views

CVE-2025-14977 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the /wp-json/dokan/v1/settings REST API endpoint due to missing validation on a...

CVSS 8.1 | EPSS 0.00045
Exploits: 0 | References: 6
Positive Technologies
added 2026/01/20 12:00 a.m. | 4 views

PT-2026-3536

Name of the Vulnerable Software and Affected Versions: Dokan versions up to and including 4.2.4. Description: The Dokan plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This flaw stems from a lack of validation on a user-controlled key within the...

CVSS 8.1 | AI score 5.3 | EPSS 0.00045
Exploits: 0 | References: 9
NVD
added 2026/01/19 9:15 p.m. | 2 views

CVE-2026-23844

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

CVSS 7.1 | EPSS 0.00045
Exploits: 0 | References: 3
CVE
added 2026/01/19 8:43 p.m. | 10 views

CVE-2026-23844

CVE-2026-23844 affects Whisper Money, a personal finance app. The vulnerability is an insecure direct object reference (IDOR) in the sync/balances endpoint, allowing a user to update or create account balances in other users’ bank accounts. Root cause is improper authorization checks for direct o...

CVSS 7.1 | AI score 5.5 | EPSS 0.00045
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2026/01/19 8:43 p.m. | 3 views

CVE-2026-23844 Whisper Money has IDOR Vulnerability on sync/balances endpoint

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

CVSS 7.1 | AI score 5.6 | EPSS 0.00045
Exploits: 0 | References: 5
Cvelist
added 2026/01/19 8:43 p.m. | 15 views

CVE-2026-23844 Whisper Money has IDOR Vulnerability on sync/balances endpoint

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

CVSS 7.1 | EPSS 0.00045
Exploits: 0 | References: 3
EUVD
added 2026/01/19 8:43 p.m. | 2 views

EUVD-2026-3286

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

CVSS 7.1 | AI score 5.5 | EPSS 0.00045
Exploits: 0 | References: 3