CVE-2026-28781 Craft Affected by Entries Authorship Spoofing via Mass Assignment

Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds or authorId parameter into the POST request, which the backend...

Craft CMS 安全漏洞

Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to Craft CMS 4.17.0-beta.1 and 5.9.0-beta.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of validation during the creation of entries, allowing large amounts of values t...

EUVD-2026-5705

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier...

CVE-2025-65112

PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain...

CVE-2025-65112 PubNet Critical Authentication Bypass Allows Unauthenticated Package Upload and Identity Spoofing

PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain...

CVE-2025-65112 PubNet Critical Authentication Bypass Allows Unauthenticated Package Upload and Identity Spoofing

PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain...

PT-2024-39496 · WordPress · Publishpress Authors

Name of the Vulnerable Software and Affected Versions: PublishPress Authors plugin for WordPress versions up to, and including, 4.7.1 Description: The issue is related to Insecure Direct Object Reference, which can lead to Privilege Escalation and Account Takeover. This is due to missing validati...

CVE-2021-32428

SQL Injection vulnerability in viaviwebtech Android EBook App Books App, PDF, ePub, Online Book Reading, Download Books 10 via the authorid parameter to api.php...

viaviwebtech Android EBook App SQL注入漏洞

viaviwebtech Android EBook App is an eBook application by viaviwebtech India. Books can be read online and offline. A security vulnerability exists in viaviwebtech Android EBook App 10, which stems from an SQL injection that may be triggered via the authorid parameter of api.php...

Zoner < 4.2 - Persistent XSS & IDOR

----- Persistent XSS: ----- 'Address' input field on the 'Local information' block is vulnerable so you can use your payload to steal admin cookies or do some redirects etc. ----- IDOR: ----- POST request https://zoner.fruitfulcode.com/wp-admin/admin-ajax.php?action=deletepropertyactid=XXX=YYY...