PT-2026-44204

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...

CVE-2025-14755

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference IDOR in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccbwoocommercepayment AJAX...

FacturaScripts vulnerable to stored XSS via product reference in sales/purchases

Summary A stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other use...

PT-2026-34857

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex bccf admin int calendar list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated...

CVE-2026-32894

CVE-2026-32894 affects Chamilo LMS. Affected: gradebook result view in Chamilo before 1.11.38 and 2.0.0-RC.3. Issue: Insecure Direct Object Reference (IDOR) allows any authenticated teacher to delete any student’s grade result across the platform by manipulating delete_mark or resultdelete GET pa...

CVE-2025-14974

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable due to Insecure Direct Object Reference IDOR...

CVE-2026-28529

cryptodev-linux version 1.14 and prior contain a page reference handling flaw in the getuserbuf function of the /dev/crypto device driver that allows local users to trigger use-after-free conditions. Attackers with access to the /dev/crypto interface can repeatedly decrement reference counts of...

CVE-2026-28529

cryptodev-linux version 1.14 and prior contain a page reference handling flaw in the getuserbuf function of the /dev/crypto device driver that allows local users to trigger use-after-free conditions. Attackers with access to the /dev/crypto interface can repeatedly decrement reference counts of...

CVE-2026-28529 cryptodev-linux <= 1.14 get_userbuf Use After Free LPE

cryptodev-linux version 1.14 and prior contain a page reference handling flaw in the getuserbuf function of the /dev/crypto device driver that allows local users to trigger use-after-free conditions. Attackers with access to the /dev/crypto interface can repeatedly decrement reference counts of...

PT-2026-27766

cryptodev-linux version 1.14 and prior contain a page reference handling flaw in the get userbuf function of the /dev/crypto device driver that allows local users to trigger use-after-free conditions. Attackers with access to the /dev/crypto interface can repeatedly decrement reference counts of...

cryptodev-linux 资源管理错误漏洞

cryptodev-linux is an open-source Linux kernel encryption device driver developed by cryptodev-linux. Versions of cryptodev-linux prior to 1.14 contain a resource management vulnerability. This vulnerability stems from a page reference handling flaw in the getuserbuf function of the /dev/crypto...

CVE-2026-22404

CVE-2026-22404 affects Mikado-Themes Innovio WordPress theme (Innovio,

CVE-2025-12524

The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type...

Bold Workplanner Insecure Direct Object Reference Vulnerability (CNVD-2025-24041)

Bold Workplanner is an enterprise software for human resource management from the Spanish company Bold Workplanner. Bold Workplanner suffers from an insecure direct object reference vulnerability that can be exploited by an attacker to access basic contract details using an unauthorized internal...

DEBIAN-CVE-2015-8385

PCRE before 8.38 mishandles the /?|\k'Pm'|?'Pm'/ pattern and related patterns with certain forward references, which allows remote attackers to cause a denial of service buffer overflow or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript...