Lucene search
K

729 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:34 p.m.10 views

CVE-2026-10597

OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...

6.9CVSS5.5AI score0.00244EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:32 p.m.9 views

CVE-2026-6810

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dexbccfadminintcalendarlist.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated...

5.3CVSS5.5AI score0.0033EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:32 p.m.12 views

CVE-2026-6566

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for...

4.3CVSS5.4AI score0.00264EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:30 p.m.9 views

CVE-2026-24753

Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade...

6.5CVSS5.5AI score0.00174EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.10 views

CVE-2026-20219

A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed...

5.4CVSS5.6AI score0.00168EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:28 p.m.8 views

CVE-2026-4160

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submissionid' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validatio...

5.3CVSS5.5AI score0.00305EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:28 p.m.8 views

CVE-2026-4654

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpasgetticketrepliesajax function failing to verify whether the authenticated user has permission to view th...

5.3CVSS5.4AI score0.00327EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:22 p.m.8 views

CVE-2026-34602

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/courserelusers endpoint is vulnerable to Insecure Direct Object Reference IDOR, allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into...

7.1CVSS5.5AI score0.00203EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.10 views

CVE-2026-9493

Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users' EC order details...

7.1CVSS5.5AI score0.00259EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.10 views

CVE-2026-45342

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource types are links, lists...

7.1CVSS5.4AI score0.00225EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:13 p.m.8 views

CVE-2026-40866

Horilla is a free and open source Human Resource Management System HRMS. In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the document ID in the upload...

8.6CVSS5.5AI score0.00207EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/04 5:43 a.m.44 views

CVE-2026-49192 Summary Service Insecure Direct Object Reference

The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping...

5.3CVSS0.00138EPSS
Exploits0References1
NVD
NVD
added 2026/06/04 3:16 a.m.11 views

CVE-2026-10597

OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...

6.9CVSS0.00244EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/04 2:19 a.m.8 views

CVE-2026-10597

OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...

6.9CVSS5.8AI score0.00244EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/06/01 9:52 p.m.10 views

EUVD-2026-33840

Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource...

3.7CVSS5.8AI score0.00142EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/01 9:51 p.m.11 views

EUVD-2026-33839

Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/01 6:11 p.m.16 views

EUVD-2026-33742

Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient...

6.5CVSS5.8AI score0.00184EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/01 2:19 p.m.18 views

praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR

Summary Type: Insecure Direct Object Reference. The comment endpoints POST /workspaces/workspaceid/issues/issueid/comments and GET .../comments gate access on requireworkspacememberworkspaceid only, then call CommentService.createissueid=issueid, ... and CommentService.listforissueissueid without...

5.9AI score0.00032EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.13 views

PT-2026-45651

Name of the Vulnerable Software and Affected Versions Kiteworks versions prior to 9.3.0 Description An Insecure Direct Object Reference IDOR issue in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users. This occurs due to insufficie...

5.4CVSS5.5AI score0.00138EPSS
Exploits0References4
OSV
OSV
added 2026/05/29 10:45 p.m.6 views

GHSA-4X6R-9V57-3GQW praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks

Summary Type: Insecure Direct Object Reference. The dependency endpoints POST/GET /workspaces/workspaceid/issues/issueid/dependencies and DELETE .../dependencies/depid gate access on requireworkspacememberworkspaceid only, then dispatch to DependencyService calls that take URL/body-supplied issue...

8.1CVSS5.9AI score0.00032EPSS
Exploits0References2
Rows per page
Query Builder