CVE-2026-22404

CVE-2026-22404 affects Mikado-Themes Innovio WordPress theme (Innovio,

CVE-2026-22407 WordPress Roam theme <= 2.1.1 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Roam: from n/a through = 2.1.1...

CVE-2026-22404 WordPress Innovio theme <= 1.7 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Innovio: from n/a through = 1.7...

CVE-2026-22406 WordPress Overton theme <= 1.3 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Overton: from n/a through = 1.3...

CVE-2026-22396

CVE-2026-22396 affects the WordPress Fiorello theme from Mikado-Themes up to version 1.0 (Fiorello). The vulnerability is described as an Authorization Bypass Through a User-Controlled Key, effectively an Insecure Direct Object References (IDOR) flaw that allows bypassing access control to sensit...

CVE-2026-22393 WordPress Curly theme <= 3.3 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Curly curly allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Curly: from n/a through = 3.3...

CVE-2026-22398 WordPress Fleur theme <= 2.0 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fleur: from n/a through = 2.0...

CVE-2026-22398 WordPress Fleur theme <= 2.0 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fleur: from n/a through = 2.0...

CVE-2026-22391

CVE-2026-22391 is an authorization bypass (IDOR) affecting the WordPress plugin/theme Mikado-Themes Cocco cocco, specifically versions up to 1.5.1. The connected Red Hat/NVD entries repeat the description: Authorization Bypass Through User-Controlled Key due to incorrectly configured access contr...

CVE-2025-47555

CVE-2025-47555 is an Authorization Bypass in Themeum Tutor LMS (Tutor) caused by incorrect access control, allowing a user-controlled key to bypass restrictions. Affected: Tutor LMS versions up to 3.9.4 (n/a through

CVE-2025-10855 IDOR in Solvera Software's Teknoera

Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers. This issue affects Teknoera: through 01102025...

CVE-2025-10024 IDOR in EXERT Computer Technologies' Education Management System

Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection. This issue affects Education Management System: through 23.09.2025...

CVE-2026-23964

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining th...

EUVD-2026-4210

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining th...

Nextcloud: IDOR on ██████ via direct photo URL leads to unauthorized access to deleted and other users' photos

Summary: An Insecure Direct Object Reference IDOR vulnerability exists in the application that allows unauthorized access to photos belonging to other users. The application does not properly validate whether the logged-in user is authorized to access a photo when accessing it via direct URL. Thi...

CVE-2026-23844

Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue...

CVE-2026-23843

teklifolusturapp is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference IDOR vulnerability exists in the offer view functionality. Authenticated users can...

WordPress Dokan plugin <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure vulnerability

Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure vulnerability discovered by shark3y in WordPress Plugin Dokan versions = 4.2.4...

CVE-2025-14977

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the /wp-json/dokan/v1/settings REST API endpoint due to missing validation on a...

CVE-2025-14977 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the /wp-json/dokan/v1/settings REST API endpoint due to missing validation on a...