
143 matches found

Vulnrichment
added 2026/05/14 9:36 p.m., 3 views

CVE-2026-45248 Hedera Guardian Authentication Bypass Information Disclosure

Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain...

CVSS 6.9 | AI score 5.8 | EPSS 0.00025
Exploits 0 | References 2
Snyk
added 2026/05/05 10:02 p.m., 3 views

Missing Authentication for Critical Function

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the objects/users.json.php process. An attacker can retrieve sensitive user information, including user IDs, displa...

CVSS 6.9 | AI score 5.8 | EPSS 0.00012
Exploits 0 | References 2
CVE
added 2026/05/04 12:00 a.m., 4 views

CVE-2025-67796

IKUS Rdiffweb is affected by an improper authorization vulnerability (CVE-2025-67796) in versions prior to 2.10.6. The API fails to bind the authenticated subject to the targeted user/tenant, allowing a valid or stolen token to read or modify other users’ data and potentially perform privileged a...

CVSS 8.1 | AI score 5.8 | EPSS 0.0003
Exploits 0 | References 2
Cvelist
added 2026/05/02 9:14 a.m., 26 views

CVE-2026-7491 Zyosoft|School App - Insecure Direct Object Reference

School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data...

CVSS 8.6 | EPSS 0.00049
Exploits 0 | References 2
Positive Technologies
added 2026/04/30 12:00 a.m., 2 views

PT-2026-36200

Name of the Vulnerable Software and Affected Versions: IBM Langflow OSS versions 1.0.0 through 1.8.4. Description: An issue exists where any user can provide a flow id to read transaction logs and vertex build data belonging to other users. Additionally, this allows for the deletion of persisted...

CVSS 6.5 | AI score 5.8 | EPSS 0.00052
Exploits 0 | References 6
NVD
added 2026/04/22 2:17 p.m., 0 views

CVE-2026-5750

An insecure direct object reference IDOR vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from:...

CVSS 7.6 | EPSS 0.0005
Exploits 0 | References 1
CNNVD
added 2026/04/22 12:00 a.m., 3 views

Fullstep Security Vulnerability

Fullstep is a corporate procurement and supply chain management platform developed by Fullstep Inc. The Fullstep V5 version contains a security vulnerability. This vulnerability stems from insecure direct object references during the registration process, which may allow authenticated users to...

CVSS 7.6 | AI score 5.8 | EPSS 0.0005
Exploits 0 | References 1
OSV
added 2026/03/31 8:38 p.m., 2 views

CVE-2026-34395 AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin...

CVSS 6.5 | AI score 5.9 | EPSS 0.00014
Exploits 1 | References 3
Snyk
added 2026/03/26 6:08 p.m., 3 views

Authorization Bypass Through User-Controlled Key

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the save.json.php process. An attacker can access and exfiltrate confidential AI-generated metadata and...

CVSS 5.3 | AI score 5.9 | EPSS 0.00032
Exploits 1 | References 2
Github Security Blog
added 2026/03/24 10:25 p.m., 2 views

Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Summary: A public access-control flaw allows unauthenticated users to retrieve the full user list from GET /api/allusers. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration. Details: The vulnerable route is registered as a public endpoint:...

CVSS 5.3 | AI score 5.9 | EPSS 0.00027
Exploits 0 | References 5 | Affected Software 1
Positive Technologies
added 2026/03/06 12:00 a.m., 2 views

PT-2026-23647

Name of the Vulnerable Software and Affected Versions: Ghostfolio versions prior to 2.244.0. Description: Ghostfolio is a wealth management software susceptible to arbitrary SQL command execution. An attacker can bypass symbol validation to execute SQL commands through the getHistorical method...

CVSS 9.8 | AI score 6 | EPSS 0.00078
Exploits 0 | References 5
ATTACKERKB
added 2026/02/27 7:33 p.m., 3 views

CVE-2026-27792

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other...

CVSS 5.4 | AI score 5.8 | EPSS 0.00013
Exploits 0 | References 4 | Affected Software 1
CNNVD
added 2026/01/28 12:00 a.m., 2 views

OpenEMR Access Control Vulnerability

OpenEMR is a set of open-source medical management systems developed by the OpenEMR community. This system can be used for medical practice management, electronic medical records, prescription writing, and medical billing applications. Prior to OpenEMR 7.0.4, there was an access control...

CVSS 8.8 | AI score 5.8 | EPSS 0.00057
Exploits 1 | References 2
CVE
added 2026/01/26 7:58 p.m., 13 views

CVE-2025-9615

CVE-2025-9615 affects NetworkManager. A flaw allows non-root users to configure the system network and enables access to files owned by other users, since the NetworkManager daemon runs with root privileges. The result is potential exposure of user-owned files due to misconfigured access to netwo...

CVSS 3.3 | AI score 5.8 | EPSS 0.00004
Exploits 0 | References 7
NVD
added 2026/01/13 5:15 p.m., 1 view

CVE-2025-65784

Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-level privileges to access other users' information via a crafted API request...

CVSS 6.5 | EPSS 0.0004
Exploits 1 | References 3
Vulnrichment
added 2026/01/12 2:54 p.m., 3 views

CVE-2025-41077 Multiple vulnerabilities in Viafirma products

An IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users and to access and modify their data. This allows users' email addresses to be modified and, subsequently, using the password recovery functionality ...

CVSS 8.6 | AI score 6.5 | EPSS 0.00042
Exploits 0 | References 1
RedhatCVE
added 2026/01/09 9:16 a.m., 0 views

CVE-2025-40773

A vulnerability has been identified in SiPass integrated All versions V3.0. Affected server applications contain a broken access control vulnerability. The authorization mechanism lacks sufficient server-side checks, allowing an attacker to execute a specific API request. Successful exploitation...

CVSS 5.3 | AI score 7.1 | EPSS 0.0004
Exploits 0 | References 1
EUVD
added 2025/12/09 6:30 p.m., 2 views

EUVD-2025-202199

OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users...

AI score 6.3 | EPSS 0.00041
Exploits 1 | References 3
OSV
added 2025/12/09 4:18 p.m., 0 views

CVE-2025-61075

Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls...

CVSS 8.1 | AI score 5.8 | EPSS 0.00056
Exploits 1 | References 2
Positive Technologies
added 2025/12/09 12:00 a.m., 0 views

PT-2025-50207

Name of the Vulnerable Software and Affected Versions: OpenSIS versions 9.2 and below. Description: An issue exists in OpenSIS that relates to incorrect access control within the Student.php component. An authenticated user with limited privileges can perform unauthorized database write operations...

CVSS 8.1 | AI score 6.3 | EPSS 0.00041
Exploits 1 | References 4