4453 matches found
CVE-2026-32120 OpenEMR has IDOR in Fee Sheet Product Save
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee sheet product save logic (library/FeeSheet.class.php) allows any authenticated user with fee sheet ACL...
EUVD-2025-209022
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR)...
CVE-2025-14974 IBM InfoSphere Information Server is vulnerable due to Insecure Direct Object Reference
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR)...
CVE-2025-14974
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR)...
CVE-2025-14974
CVE-2025-14974 affects IBM InfoSphere Information Server 11.7.0.0–11.7.1.6 and is caused by insecure direct object reference (IDOR). Potential impact: unauthorized access to protected objects with high confidentiality impact as per sources. Affected versions and remediation are documented in IBM’...
CVE-2026-32535 WordPress JS Help Desk plugin <= 3.0.3 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JS Help Desk: from n/a through <= 3.0.3...
CVE-2026-32533 WordPress LatePoint plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LatePoint: from n/a through <= 5.2.6...
CVE-2025-69347 WordPress WPSubscription plugin <= 1.8.10 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in Convers Lab WPSubscription subscription allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPSubscription: from n/a through <= 1.8.10...
PT-2026-28112
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference (IDOR)...
PT-2026-28148
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the patient portal payment page allows any authenticated portal patient to access other patients' payment...
Security Bulletin: IBM InfoSphere Information Server is vulnerable due to Insecure Direct Object Reference (CVE-2025-14974)
Summary: A vulnerability due to Insecure Direct Object Reference in IBM InfoSphere Information Server was addressed. Vulnerability Details: CVEID: CVE-2025-14974. DESCRIPTION: IBM InfoSphere Information Server is vulnerable due to Insecure Direct Object Reference (IDOR). CWE: CWE-639: Authorization Bypa...
CVE-2026-33678
Vikunja prior to 2.2.1 suffers an IDOR: TaskAttachment.ReadOne() queries by attachment ID only and ignores the URL task_id, allowing any authenticated user to access or delete attachments across projects by supplying their own task_id. The read path validates the URL task, but ReadOne() loads the...
CVE-2026-33484
Langflow exposes an unauthenticated IDOR on image downloads via /api/v1/files/images/{flow_id}/{file_name} in versions 1.0.0–1.8.1. An attacker who can discover or guess a flow_id can download any user’s uploaded images without credentials in multi-tenant deployments. A patch is available in vers...
CVE-2026-23487 Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where the user.detail endpoint leaks the superadmin token. This issue has been patched in version 1.8.4...
GHSA-F35R-V9X5-R8MC New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check
Summary: The video proxy endpoint GET /v1/videos/:taskid/content is vulnerable to an Insecure Direct Object Reference (IDOR). Any authenticated user who knows another user's taskid can retrieve that user's generated video content because the handler queries tasks by taskid alone and does not verify...
New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check
Summary: The video proxy endpoint GET /v1/videos/:taskid/content is vulnerable to an Insecure Direct Object Reference (IDOR). Any authenticated user who knows another user's taskid can retrieve that user's generated video content because the handler queries tasks by taskid alone and does not verify...
CVE-2026-30886 New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...
CVE-2026-30886
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...