CVE-2026-25147 OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in portal/portalpayment.php, the patient id used for the page is taken from the request $pid = $REQUEST'pid' ?? $pid and $pid = $REQUEST'hiddenpatientcode' ?? null 0 ?...

EUVD-2026-9036

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in portal/portalpayment.php, the patient id used for the page is taken from the request $pid = $REQUEST'pid' ?? $pid and $pid = $REQUEST'hiddenpatientcode' ?? null 0 ?...

EUVD-2026-8995

The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference IDOR in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permissioncallback being set to returntrue and a lack of subsequen...

CVE-2026-1558

The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference IDOR in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permissioncallback being set to returntrue and a lack of subsequen...

CVE-2026-1558 WP Recipe Maker <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter

The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference IDOR in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permissioncallback being set to returntrue and a lack of subsequen...

CVE-2026-1558

Summary of CVE-2026-1558 (WP Recipe Maker

CVE-2026-2356

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'registermember' function, due to missing validation on the 'memberid' user...

WordPress WP Recipe Maker plugin <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter vulnerability

Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin WP Recipe Maker versions = 10.3.2...

CVE-2026-28217

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...

CVE-2026-28225 Manyfold has IDOR in ModelFilesController

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the getmodel method in ModelFilesController line 158-160 loads models using Model.findparamparams:modelid without policyscope, bypassing...

CVE-2026-28217

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...

CVE-2026-28217 IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...

EUVD-2026-8914

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...

CVE-2026-28217 IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...

EUVD-2026-8907

wger: IDOR in nutritionalvalues endpoints exposes private dietary data via direct ORM lookup...

GHSA-42CR-W2GR-M54Q wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data

Summary Five routine detail action endpoints check a cache before calling self.getobject. Cache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership...

EUVD-2026-8906

wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data...

CVE-2026-27839 wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three nutritionalvalues action endpoints fetch objects via Model.objects.getpk=pk — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition...

CVE-2026-27839

CVE-2026-27839 affects wger up to version 2.4, where three nutritional_values endpoints fetch objects via Model.objects.get(pk=pk) instead of using a user-scoped queryset. This allows any authenticated user to read another user’s private nutrition data (caloric intake and full macro breakdown) by...

CVE-2026-27835 wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user...