85 matches found
CVE-2024-58362
SurrealDB before 1.5.5 and 2.0.0-beta before 2.0.0-beta.3 accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values. When a record access method defines a SIGNIN or SIGNUP query and the RPC API is exposed to untrusted...
CVE-2026-56250 Capgo - Arbitrary R2 Object Deletion via Mutable r2_path in app_versions
Capgo before 12.128.2 allows upload-scoped API keys to modify the mutable appversions.r2path field through PostgREST, enabling retargeting to arbitrary R2 bundle objects. Attackers can patch r2path to point to victim objects, soft-delete the attacker-controlled version, and trigger the...
CVE-2026-11369
The Comment API GET /api/Comment and POST /api/Comment in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference IDOR vulnerability allows any authenticated...
CVE-2026-11369 IDOR in Comment API Allows Cross-Process Comment Read and Write
The Comment API GET /api/Comment and POST /api/Comment in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference IDOR vulnerability allows any authenticated...
EUVD-2026-34827
The Comment API GET /api/Comment and POST /api/Comment in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference IDOR vulnerability allows any authenticated...
CVE-2026-11369
The CVE-2026-11369 entry concerns an Insecure Direct Object Reference (IDOR) in the Comment API. The affected endpoints are GET /api/Comment and POST /api/Comment. The root cause is missing authorization checks to verify that a user has access to the object identified by relatedObjectId, allowing...
PT-2026-46948
The Comment API GET /api/Comment and POST /api/Comment in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference IDOR vulnerability allows any authenticated...
CVE-2026-32511 WordPress Stål theme < 1.7 - Arbitrary Object Instantiation vulnerability
Deserialization of Untrusted Data vulnerability in Mikado-Themes Stål stal allows Object Injection.This issue affects Stål: from n/a through 1.7...
CVE-2026-32509 WordPress Gracey theme < 1.4 - Arbitrary Object Instantiation vulnerability
Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection.This issue affects Gracey: from n/a through 1.4...
CVE-2026-32508
CVE-2026-32508 affects the WordPress Halstein theme prior to v1.8. The vulnerability is due to deserialization of untrusted data, enabling object injection in Halstein before 1.8. Affected software is Mikado-Themes Halstein halstein; impact is described as potential object injection with limited ...
CVE-2026-32509
CVE-2026-32509 is a deserialization of untrusted data vulnerability in the WordPress Gracey theme (
CVE-2026-32507 WordPress Leroux theme < 1.4 - Arbitrary Object Instantiation vulnerability
Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.This issue affects Leroux: from n/a through 1.4...
CVE-2026-32506
CVE-2026-32506 affects WordPress Archicon theme versions prior to 1.7. The issue is described as a deserialization of untrusted data that allows arbitrary object instantiation (object injection) in Archicon. The affected component is the Archicon WordPress theme; root cause is deserialization lea...
CVE-2026-32507 WordPress Leroux theme < 1.4 - Arbitrary Object Instantiation vulnerability
Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.This issue affects Leroux: from n/a through 1.4...
CVE-2026-32507
The CVE-2026-32507 entry documents a Deserialization of Untrusted Data vulnerability in the WordPress Leroux theme (Elated-Themes Leroux), affecting Leroux versions prior to 1.4. The core issue is Object Injection via deserialized untrusted data in Leroux, with reported exposure affecting the the...
WordPress Halstein theme < 1.8 - Arbitrary Object Instantiation vulnerability
Arbitrary Object Instantiation vulnerability discovered by Denver Jackson in WordPress Theme Halstein versions 1.8...
WordPress Stål theme < 1.7 - Arbitrary Object Instantiation vulnerability
Arbitrary Object Instantiation vulnerability discovered by Denver Jackson in WordPress Theme Stål versions 1.7...
WordPress Kamperen theme < 1.3 - Arbitrary Object Instantiation vulnerability
Arbitrary Object Instantiation vulnerability discovered by Denver Jackson in WordPress Theme Kamperen versions 1.3...
WordPress Gracey theme < 1.4 - Arbitrary Object Instantiation vulnerability
Arbitrary Object Instantiation vulnerability discovered by Denver Jackson in WordPress Theme Gracey versions 1.4...
jsPDF 安全漏洞
jsPDF is a JavaScript-based PDF document generation library developed by Parallax. Versions of jsPDF prior to 4.2.1 contained security vulnerabilities. These vulnerabilities stemmed from the possibility that parameters controlling the createAnnotation method could allow for the injection of...