GHSA-6W2R-CFPC-23R5 AVideo has Unauthenticated IDOR - Playlist Information Disclosure

Product: AVideo https://github.com/WWBN/AVideo Version: Latest tested March 2026 Type: Insecure Direct Object Reference IDOR Auth Required: No User Interaction: None Summary The /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or...

EUVD-2026-10091

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the gspbelreusableload AJAX handler. The handler accepts an...

CVE-2026-2371 Greenshift <= 12.8.3 - Missing Authorization to Unauthenticated Private Reusable Block Disclosure via 'gspb_el_reusable_load'

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the gspbelreusableload AJAX handler. The handler accepts an...

Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration

Summary The Flowise platform has a critical Insecure Direct Object Reference IDOR vulnerability combined with a Business Logic Flaw in the PUT /api/v1/loginmethod endpoint. While the endpoint requires authentication, it fails to validate if the authenticated user has ownership or administrative...

CVE-2026-30843

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

EUVD-2026-10062

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

vulnweblab

Intentionally vulnerable we...

CVE-2026-25877

Chartbrew (open-source web app) prior to version 4.8.1 performs authorization checks on chart-related operations using only the project_id, with no authorization on the chart_id itself. This allows an authenticated user who has access to any project to access or manipulate charts belonging to oth...

CVE-2026-25877 Chartbrew: Insecure Direct Object Reference (IDOR) in Chart Operations

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the projectid parameter when handling chart-related operations update, delete, etc...

CVE-2026-25877 Chartbrew: Insecure Direct Object Reference (IDOR) in Chart Operations

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the projectid parameter when handling chart-related operations update, delete, etc...

PT-2026-23789

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.13 Description Flowise is a drag & drop user interface to build customized large language model flows. A critical Insecure Direct Object Reference IDOR vulnerability, combined with a Business Logic Flaw, exists in...

PT-2026-23743

🚨 CVE-2026-30843 Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference IDOR issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to...

PT-2026-23762

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the gspb el reusable load AJAX handler. The handler accepts an...

web-pentest-cases

Web Application Pentesting Cases Practical web application se...

CVE-2026-28782 Craft has a Permission Bypass and IDOR in Duplicate Entry Action

Craft is a content management system CMS. Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission where the "Duplicate" action is...

Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action

Description The "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission where the "Duplicate" action is restricted in the UI, a user can bypass this restriction by sending a direc...

EUVD-2025-208150

The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users...

CVE-2025-58402 Insecure Direct Object Reference Message ID

The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users...

CVE-2025-58402 Insecure Direct Object Reference Message ID

The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users...

CVE-2025-58402

CVE-2025-58402 affects the CGM CLININET application, where direct, sequential MessageID parameters enable unauthorized access to messages and attachments across users due to missing authorization checks. The issue is an Insecure Direct Object Reference (IDOR) that allows modification of GET param...