PT-2025-47505
Name of the Vulnerable Software and Affected Versions Rallly versions prior to 4.5.4 Description Rallly, an open-source scheduling and collaboration tool, contains a flaw where an authenticated user can change votes in polls belonging to other participants without proper authorization. The backen...
PT-2025-47468
An Insecure Direct Object Reference IDOR vulnerability in the Management Console of BlackBerry® AtHoc® OnPrem version 7.21 could allow an attacker to potentially gain unauthorized knowledge about other organizations hosted on the same Interactive Warning System IWS...
PT-2025-47502
Name of the Vulnerable Software and Affected Versions Rallly versions prior to 4.5.4 Description An Insecure Direct Object Reference IDOR issue exists in the poll finalization feature of Rallly. An authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the...
WordPress SiteSEO – SEO Simplified plugin <= 1.3.2 - Insecure Direct Object Reference to Sensitive Post Meta Disclosure vulnerability
Insecure Direct Object Reference to Sensitive Post Meta Disclosure vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin SiteSEO versions <= 1.3.2...
WordPress YITH WooCommerce Wishlist plugin <= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename vulnerability
Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin YITH WooCommerce Wishlist versions <= 4.10.0...
CVE-2025-12524
The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type...
CVE-2025-12524 Post Type Switcher <= 4.0.0 - Insecure Direct Object Reference to Authenticated (Author+) Post Type Change
The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type...
PT-2025-47367
Name of the Vulnerable Software and Affected Versions kishan0725 Hospital Management System version 4 Description The software contains an Insecure Direct Object Reference IDOR issue within the appointment cancellation functionality. This allows potential unauthorized access and manipulation of...
CVE-2025-63513
kishan0725 Hospital Management System v4 has an Insecure Direct Object Reference IDOR vulnerability in the appointment cancellation functionality...
Hospital Management System Security Vulnerability
Hospital Management System is a hospital management software by Pon Aravind Boominathan Individual Developer. A security vulnerability exists in Hospital Management System version v4, which stems from an insecure direct object reference in the Appointment Cancellation feature that could lead to...
EUVD-2025-198032
kishan0725 Hospital Management System v4 has an Insecure Direct Object Reference IDOR vulnerability in the appointment cancellation functionality...
PT-2025-47243
Name of the Vulnerable Software and Affected Versions Post Type Switcher plugin for WordPress versions up to and including 4.0.0 Description The software contains an Insecure Direct Object Reference issue because of missing validation on a user-controlled key. Authenticated attackers with...
CVE-2025-63513
CVE-2025-63513 affects kishan0725 Hospital Management System v4 with an Insecure Direct Object Reference (IDOR) in the appointment cancellation feature. The vulnerability allows unauthorized access to appointment-related operations without proper authorization checks, per Red Hat and CVE listings...
GO-2025-4117 File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function in github.com/filebrowser/filebrowser
File Browser is Vulnerable to Insecure Direct Object Reference IDOR in Share Deletion Function in github.com/filebrowser/filebrowser...
CVE-2025-64706
Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference IDOR vulnerability exists in the API token management endpoint. An authenticated attacker can delete any user's API token and retrieve its value by simply knowing th...
CVE-2025-41069
Insecure Direct Object Reference IDOR vulnerability in DeporSite of T-INNOVA. This vulnerability allows an attacker to access or modify unauthorized resources by manipulating requests using the 'idUsuario' parameter in...
netfilter: nft_objref: validate objref and objrefmap expressions
...
CVE-2025-12366
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayerreplacepage function due to missing validation on a user controlled key. This makes it possible for...