Lucene search
K

2007 matches found

Nuclei
Nuclei
added yesterday47 views

TrakSYS 11.x.x - Sensitive Data Exposure

A vulnerability was found in Parsec Automation TrackSYS 11.x.x and classified as problematic. This issue affects some unknown processing of the file /TS/export/pagedefinition. The manipulation of the argument ID leads to direct request. The attack may be initiated remotely. The exploit has been...

6.9CVSS5.2AI score0.02053EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday110 views

WordPress WPQA <5.5 - Improper Access Control

WordPress WPQA plugin before 5.5 is susceptible to improper access control. The plugin lacks authentication in a REST API endpoint. An attacker can potentially discover private questions sent between users on the site. id: CVE-2022-1598 info: name: WordPress WPQA 5.5 - Improper Access Control...

5.3CVSS6.2AI score0.05591EPSS
Exploits2References5
CVE
CVE
added 4 days ago10 views

CVE-2026-11578

The CVE concerns the Fluent Forms WordPress plugin prior to 6.2.5, where deletion of form submission entries is not properly restricted to forms a restricted Manager is authorized to manage. This misconfiguration allows a Manager limited to specific forms to permanently delete submission entries ...

2.7CVSS5.8AI score0.00168EPSS
Exploits0References1
NVD
NVD
added 5 days ago5 views

CVE-2026-13228

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to an Insecure Direct Object Reference IDOR in the createorupdate function of OsOrdersController, whi...

8.8CVSS0.00309EPSS
Exploits0References7
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-13228 LatePoint <= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via 'order[customer_id]' Parameter

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to an Insecure Direct Object Reference IDOR in the createorupdate function of OsOrdersController, whi...

8.8CVSS0.00309EPSS
Exploits0References7
Patchstack
Patchstack
added 6 days ago5 views

WordPress Kirki plugin <= 6.0.11 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by VanTastic in WordPress Plugin Kirki versions = 6.0.11...

6.5CVSS5.8AI score0.00253EPSS
Exploits0Affected Software1
CVE
CVE
added last week11 views

CVE-2026-57498

CVE-2026-57498 affects Coolify. Before 4.0.0-beta.474, API controllers validated server ownership via Server::whereTeamId($teamId) for operations, but multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without team ownership validation. This enable...

9.6CVSS5.8AI score0.00223EPSS
Exploits0References1
CVE
CVE
added last week8 views

CVE-2026-57341

The CVE-2026-57341 entry describes an Unauthenticated Insecure Direct Object References (IDOR) vulnerability in the Colissimo Officiel: Méthodes de livraison pour WooCommerce plugin for WordPress, affecting versions

6.5CVSS5.8AI score0.00258EPSS
Exploits0References1
Cvelist
Cvelist
added last week32 views

CVE-2026-57341 WordPress Colissimo Officiel : Méthodes de livraison pour WooCommerce plugin <= 2.9.0 - Insecure Direct Object References (IDOR) vulnerability

Unauthenticated Insecure Direct Object References IDOR in Colissimo Officiel : Méthodes de livraison pour WooCommerce = 2.9.0 versions...

6.5CVSS0.00258EPSS
Exploits0References1
OSV
OSV
added last week6 views

PYSEC-2026-384 Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise

Lemur 1.9.0: any SSO-authenticated user achieves AWS IAM compromise and permanent PKI key access via ACME acmeurl SSRF and creator-equality IDOR Vulnerability Summary Field | Value -- | -- Title | Lemur 1.9.0: any SSO-authenticated user achieves AWS IAM compromise and permanent PKI key access via...

9.9CVSS6AI score
Exploits0References6
Cvelist
Cvelist
added 2026/06/26 7:39 p.m.22 views

CVE-2026-44732 OpenProject: IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter "project_id" leads to Unauthorized Modification of Resources

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are...

4.3CVSS0.00201EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 2:52 p.m.9 views

CVE-2026-56069

This CVE concerns the WordPress Toolset Forms plugin (versions up to 2.6.24). The issue is an Unauthenticated Insecure Direct Object Reference (IDOR) in Toolset Forms, allowing access to objects without authentication. The CVSS 3.1 vector indicates network attack, low attack complexity, no privil...

7.5CVSS5.8AI score0.003EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 2:52 p.m.9 views

CVE-2026-56048

Summary: CVE-2026-56048 concerns the WordPress plugin “Payment Gateway Based Fees and Discounts for WooCommerce” (versions ≤ 3.0.0). The vulnerability is described as an unauthenticated insecure direct object reference (IDOR). The connected documents confirm the affected product and root cause (I...

6.5CVSS5.8AI score0.00242EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.18 views

PT-2026-52910

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.3 OpenProject versions prior to 17.4.1 Description An authorization context confusion and Insecure Direct Object Reference IDOR exist within the Calendar and Team Planner modules. A user with management...

5.4CVSS5.8AI score0.00185EPSS
Exploits0References3
CVE
CVE
added 2026/06/25 3:51 p.m.9 views

CVE-2026-54029

CVE-2026-54029 affects LibreChat prior to 0.8.4-rc1. The bug is in the DELETE /api/messages/:conversationId/:messageId endpoint where authentication validates the conversationId but the deleteMessages({ messageId }) call uses only messageId as the MongoDB filter, omitting a user constraint. As a ...

6.5CVSS5.9AI score0.00159EPSS
Exploits1References1Affected Software1
CVE
CVE
added 2026/06/24 7:24 p.m.8 views

CVE-2026-27708

FOSSBilling, before 0.8.0, is vulnerable to an IDOR in the Servicecustom Client API: the __call method accepts an order_id and fetches the order without ensuring the authenticated client owns it, enabling cross-client access to other clients’ orders and exposing PII and service configuration data...

7.1CVSS5.8AI score0.00265EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 7:45 p.m.7 views

CVE-2025-64105

Summary: FOSSBilling

5.1CVSS5.8AI score0.00265EPSS
Exploits0References2
CVE
CVE
added 2026/06/22 1:40 p.m.26 views

CVE-2026-6062

CVE-2026-6062 affects Mattermost versions 11.7.x ≤ 11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, and 10.11.x ≤ 10.11.17. The issue is a logic flaw where the system fails to validate channel ownership of an existing subscription before applying edits, enabling an authenticated attacker to hijack subsc...

6.4CVSS5.9AI score0.00153EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/16 9:31 a.m.25 views

CVE-2026-8176 LatePoint <= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent Agent+ to overwrite a...

7.5CVSS0.00349EPSS
Exploits0References22
Cvelist
Cvelist
added 2026/06/15 8:19 p.m.28 views

CVE-2026-52699 WordPress VikRentCar plugin <= 1.4.5 - Insecure Direct Object References (IDOR) vulnerability

Unauthenticated Insecure Direct Object References IDOR in VikRentCar = 1.4.5 versions...

7.5CVSS0.0023EPSS
Exploits0References1
Rows per page
Query Builder