CVE-2026-8611
The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoiceid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
PT-2026-47141
The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2026-28685
CVE-2026-28685 : Kimai’s API endpoint GET /api/invoices/{id} lacked customer-level access control. Before v2.51.0, the API checked only the role-based view_invoice permission, allowing any user with the ROLE_TEAMLEAD to read invoices for any customer, breaking data isolation. The Red Hat/NVD/NVD-...
CVE-2026-28685 Kimai: API invoice endpoint missing customer-level access control (IDOR)
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD, which grants view_invoice, can read a...
GHSA-V33R-R6H2-8WR7 Kimai's API invoice endpoint missing customer-level access control (IDOR)
Summary: GET /api/invoices/{id} only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD, which grants view_invoice, can read all invoices in the system, including those belonging to customers assigned to...
Kimai's API invoice endpoint missing customer-level access control (IDOR)
Summary: GET /api/invoices/{id} only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD, which grants view_invoice, can read all invoices in the system, including those belonging to customers assigned to...
PT-2026-23088
Name of the Vulnerable Software and Affected Versions: Kimai versions prior to 2.51.0. Description: Kimai is a web-based multi-user time-tracking application. The GET /api/invoices/{id} API endpoint only verifies the role-based view_invoice permission but does not confirm that the requesting user has...
EUVD-2021-21980
Malware in sbrugna...
EUVD-2025-12121
Malicious code in bioql PyPI...
CVE-2025-40673
CVE-2025-40673 describes a Missing Authorization vulnerability in DinoRANK, enabling access to any user’s invoices via the endpoint /facturas/YYYY-MM/SDRYYMM-XXXXX.pdf due to absent access control. The PDF filename can be learned through OSINT, insecure traffic, or brute force. Documented impact ...
DinoRANK Security Vulnerability
DinoRANK is an SEO platform from DinoRANK, Inc. A security vulnerability exists in DinoRANK that stems from a lack of authorization and could lead to an attacker accessing any user's invoices...
CVE-2020-16194
An Insecure Direct Object Reference (IDOR) vulnerability was found in Prestashop Opart devis 4.0.2. Unauthenticated attackers can have access to any user's invoice and delivery address by exploiting an IDOR on the deliveryaddress and invoiceaddress fields...
CVE-2016-11006
The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control for admin_init settings changes...
CVE-2016-11008
The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpipaypal payer metadata updates...
WordPress plugin Woocommerce Automatic Order Printing Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exist...
Missing Authorization
Overview: Affected versions of this package are vulnerable to Missing Authorization in the invoice function in Orders.php. A user can access and generate invoices without authorization. Remediation: Upgrade tastyigniter/tastyigniter to version 4.0.0 or higher. References: - Medium Blog - Vulnerable...
TastyIgniter Security Vulnerability
TastyIgniter is an online ordering software from TastyIgniter open source. A security vulnerability exists in TastyIgniter version 3.7.6, which stems from improper access control of the invoice function in Orders.php, which could lead to unauthorized users accessing and generating invoices...
MyFinances Security Vulnerabilities
MyFinances is an open source web application from TreyWW Open Source. Designed to enable individuals and teams to manage their finances effectively. A security vulnerability exists in versions of MyFinances prior to 0.4.6 that stems from a method to access other customer invoices while logged in ...
PT-2024-27813 · Unknown · Myfinances
Name of the Vulnerable Software and Affected Versions: MyFinances versions prior to 0.4.6. Description: The issue allows an actor to access personally identifiable information (PII) and financial information from another account while signed in as a user. This is due to a method in the application...