14 matches found
CVE-2026-33313 Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to...
GO-2026-4797 Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api
Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api...
Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments
An authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Details: The GET /api/v1/tasks/taskID/comments/commentID endpoint performs an authorizati...
Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments
An authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to...
WordPress Taskbuilder plugin <= 5.0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Project/Task Comment Creation vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Project/Task Comment Creation vulnerability discovered by Tarcísio Luchesi De Almeida Silva Poystick in WordPress Plugin Taskbuilder versions <= 5.0.2...
CVE-2022-0775
The WooCommerce WordPress plugin before 6.2.1 does not have a proper authorisation check when deleting reviews, which could allow any authenticated user, such as a subscriber, to delete arbitrary comments...
Extreme CMS has a flawed logic vulnerability
Extreme CMS is a website building system. Extreme CMS suffers from a logic flaw vulnerability that can be exploited by attackers to delete arbitrary comments...
Serendipity < 2.1.1 Multiple Vulnerabilities
According to its banner, the version of Serendipity running on the remote host is prior to 2.1.1. It is, therefore, affected by multiple vulnerabilities: - A stored cross-site scripting (XSS) vulnerability exists in the templates/2k11/admin/category.inc.tpl script due to improper validation of the...
CVE-2013-2122
The Edit Limit module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to comments, which allows remote authenticated users with the "edit comments" permission to edit arbitrary comments of other users via unspecified vectors...
CVE-2009-4089
telepark.wiki 2.4.23 and earlier allows remote attackers to bypass authorization and (1) delete arbitrary pages via a modified pageID parameter to ajax/deletePage.php or (2) delete arbitrary comments via a modified pageID parameter to ajax/deleteComment.php...
CVE-2005-1511
PwsPHP 1.2.2 allows remote attackers to bypass authentication and post arbitrary comments via the Pseudo cookie...
CVE-2005-1499
delcomment.php in myBloggie 2.1.1 allows remote attackers to delete arbitrary comments by modifying the commentid parameter...
CVE-2005-1499
CVE-2005-1499 affects myBloggie 2.1.1 via delcomment.php, where remote attackers can delete arbitrary comments by modifying the comment_id parameter. The NVD notes a CVSSv2 base score of 7.5 (HIGH) with network attack vector, low attack complexity, no authentication required, and partial impact o...