CVE-2025-51867

CVE-2025-51867 affects Deepfiction AI and is an Insecure Direct Object Reference (IDOR) vulnerability exploiting the /browse/stories endpoint to let an attacker chat with the LLM using other users’ credits. Root cause: improper access controls exposing sensitive information tied to user credits. ...

PT-2025-30420 · Telegai · Telegai

Name of the Vulnerable Software and Affected Versions: TelegAI versions through 2025-05-26 Description: An Insecure Direct Object Reference IDOR vulnerability exists in the chat component of TelegAI. This allows an attacker to tamper with other users' conversations. Additionally, malicious conten...

TYPO3 powermail 安全漏洞

TYPO3 powermail is a mail form extension for TYPO3 open source. A security vulnerability exists in TYPO3 powermail versions 12.0.0 through 12.5.2 and 13.0.0, which stems from an insecure direct object reference that could lead to the download of arbitrary files from a web server...

CVE-2025-51865

Ai2 playground web service playground.allenai.org LLM chat through 2025-06-03 is vulnerable to Insecure Direct Object Reference IDOR, allowing attackers to gain sensitvie information via enumerating thread keys in the URL...

PT-2025-30395 · Typo3 · Femanager

Name of the Vulnerable Software and Affected Versions: femanager versions 6.4.1 and below femanager versions 7.0.0 through 7.5.2 femanager versions 8.0.0 through 8.3.0 Description: The femanager extension for TYPO3 contains an Insecure Direct Object Reference issue, which allows unauthorized...

CVE-2025-51869

Insecure Direct Object Reference IDOR vulnerability in Liner thru 2025-06-03 allows attackers to gain sensitive information via crafted spaceid, threadid, and messageid parameters to the v1/space/spaceid/thread/threadid/message/messageid endpoint...

CVE-2025-51868

Insecure Direct Object Reference IDOR vulnerability in Dippy chat.dippy.ai v2 allows attackers to gain sensitive information via the conversationid parameter to the conversationhistory endpoint...

CVE-2025-51868

CVE-2025-51868 describes an Insecure Direct Object Reference (IDOR) in Dippy v2. An attacker can access sensitive information through the conversation_id parameter of the conversation_history endpoint, leading to disclosure of other users’ conversation histories. Affected: Dippy version 2 (chat.d...

Deepfiction AI Insecure Direct Object Reference

Deepfiction AI is an AI entertainment company with a mission to revolutionize personalized storytelling. Deepfiction AI provides a web application to create stories via chat and is susceptible to an insecure direct object reference vulnerability. An attacker can exploit this IDOR to chat with the...

ChatPlayground.ai Cross Site Scripting / Insecure Direct Object Reference

ChatPlayground.ai is a popular web application for comparing AI models. A cross site scripting vulnerability exists in the chat component. This can lead to JWT token theft and remote account hijacking. Additionally, the /api/chat-history endpoint exhibits weak access control allowing for insecure...

CVE-2025-51869

Insecure Direct Object Reference IDOR vulnerability in Liner thru 2025-06-03 allows attackers to gain sensitive information via crafted spaceid, threadid, and messageid parameters to the v1/space/spaceid/thread/threadid/message/messageid endpoint...

CVE-2025-51868

Insecure Direct Object Reference IDOR vulnerability in Dippy chat.dippy.ai v2 allows attackers to gain sensitive information via the conversationid parameter to the conversationhistory endpoint...

PT-2025-30339 · Dippy · Dippy

Name of the Vulnerable Software and Affected Versions: Dippy version 2 Description: An Insecure Direct Object Reference IDOR vulnerability exists in Dippy that allows attackers to gain sensitive information. The vulnerability is present in the conversation history API endpoint and is exploitable...

CVE-2025-51868

Insecure Direct Object Reference IDOR vulnerability in Dippy chat.dippy.ai v2 allows attackers to gain sensitive information via the conversationid parameter to the conversationhistory endpoint...

CVE-2025-5816

The Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.0 via the getorderdetail due to missing validation on a user controlled key. This makes it possible for...

Exploit for CVE-2025-51862

CVE-2025-51862 Vulnerability description TelegAI, a web...

Exploit for CVE-2025-51859

CVE-2025-51859 Vulnerability description Chaindesk, a w...

PYSEC-2025-181

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.6.6, an IDOR vulnerability in the GrapQL NotificationLineNotificationMarkReadMutation and NotificationLineNotificationDeleteMutation mutations of OpenCTI allows an authenticated...

CVE-2025-5816

The Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.0 via the getorderdetail due to missing validation on a user controlled key. This makes it possible for...

CVE-2025-5816 Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship <= 3.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) View Order Tracking Details

The Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.0 via the getorderdetail due to missing validation on a user controlled key. This makes it possible for...