CWE-639: CWE-639

This critical vulnerability allows unauthenticated remote attackers to bypass authentication on specific API endpoints and impersonate legitimate user...

This critical vulnerability allows unauthenticated remote attackers to impersonate legitimate devices in Siemens Industrial Edge Management systems by...

CVE-2025-0987 is an authorization bypass vulnerability in CB Project Ltd. Co. CVLand software that allows attackers to manipulate parameters and gain ...

This CVE describes a Broken Object Level Authorization (BOLA) vulnerability in the Easy!Appointments scheduling software. It allows low-privileged use...

This CVE describes a Broken Object Level Authorization (BOLA) vulnerability in Easy!Appointments that allows low-privileged users to access, modify, o...

This CVE describes a Broken Object Level Authorization (BOLA) vulnerability in Easy!Appointments where low-privileged users can access, modify, or del...

This CVE describes a Broken Object Level Authorization (BOLA) vulnerability in Easy!Appointments that allows low-privileged users to access, modify, o...

EspoCRM 5.8.5 contains an authentication bypass vulnerability that allows attackers to access other user accounts by manipulating authorization header...

This vulnerability allows unauthenticated attackers to change any user's password in the Academy LMS WordPress plugin, including administrator account...

This vulnerability allows unauthenticated attackers to access the OPEXUS eCasePortal 'Attachments.aspx' endpoint, manipulate predictable 'formid' valu...

The Optional Email WordPress plugin contains a privilege escalation vulnerability that allows unauthenticated attackers to reset any user's password, ...

The Branda WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to reset passwords for any user account, ...

This CVE describes an insecure direct object reference vulnerability in SOUND4 IMPACT/FIRST/PULSE/Eco v2.x systems that allows attackers to bypass aut...

CVE-2023-53914 is an authentication bypass vulnerability in UliCMS 2023.1 that allows unauthenticated attackers to create administrative accounts with...

An Insecure Direct Object Reference (IDOR) vulnerability in Pagekit CMS v1.0.18 allows attackers to manipulate object references (like user IDs) to es...

This vulnerability in the StreamTube Core WordPress plugin allows unauthenticated attackers to change user passwords, including administrator accounts...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Miraculous Core WordPress plugin that allows attackers to bypass au...

The Truelysell Core WordPress plugin allows unauthenticated attackers to change user passwords, including administrator accounts, through an authoriza...

The Service Finder Bookings WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to take over any user ac...

System PDV v1.0 contains an Insecure Direct Object Reference (IDOR) vulnerability that allows remote attackers to access sensitive information by mani...

The Service Finder Bookings WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to log in as any user, i...

The WPBookit WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to change any user's email and password...

The WP JobHunt WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to reset any user's password, includi...

The WPBookit WordPress plugin vulnerability allows unauthenticated attackers to change any user's password, including administrators, by bypassing aut...

This vulnerability allows attackers to bypass authorization controls in the WordPress Meetup plugin by manipulating user-controlled keys, potentially ...

This vulnerability allows unauthenticated attackers to reset emails and passwords of any user account in the WP Timetics plugin, including administrat...

This vulnerability allows unauthenticated attackers to change any WordPress user's password, including administrators, without knowing the current pas...

The REST API TO MiniProgram WordPress plugin has a critical privilege escalation vulnerability that allows unauthenticated attackers to update any use...

The WP-Recall plugin for WordPress has a critical vulnerability that allows unauthenticated attackers to reset any user's password by supplying their ...

This vulnerability allows remote attackers to bypass authorization checks in Friendica's calendar event feature, potentially accessing sensitive infor...

This CVE describes an authentication bypass vulnerability in the SSH service of gost v2.11.5. Attackers can intercept communications by setting the Ho...

This CVE describes an authorization bypass vulnerability in Talya Informatics Travel APPS where attackers can manipulate user-controlled keys to acces...

CVE-2023-43668 is an authorization bypass vulnerability in Apache InLong that allows attackers to manipulate user-controlled parameters to bypass secu...

CVE-2023-2958 is an authorization bypass vulnerability in Origin Software ATS Pro that allows attackers to bypass authentication mechanisms by manipul...

This vulnerability allows attackers to intercept modem commands in the atcmdserver module on affected Huawei devices. Attackers can exploit this to re...

This vulnerability allows unauthenticated attackers to bypass authorization in the WCFM Membership plugin for WordPress, enabling them to change user ...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in oretnom23 Automotive Shop Management System v1.0 that allows attackers ...

CVE-2022-0691 is an authorization bypass vulnerability in the url-parse npm package where attackers can manipulate URL parsing to bypass authorization...

CVE-2022-22832 is an authorization bypass vulnerability in Servisnet Tessa where unauthenticated users can access sensitive user data via the /data-se...

This vulnerability allows unauthenticated attackers to upload arbitrary files (including HTML and CGI scripts) to the TLR-2005KSH device via the enabl...

CVE-2021-44949 is an access control vulnerability in glFusion CMS that allows unauthorized access to user management functions via the /public_html/us...

An unauthenticated attacker can change any user's password in Siemens Industrial Edge Management systems, allowing impersonation of valid users. This ...

CVE-2021-32744 is an Insecure Direct Object Reference (IDOR) vulnerability in Collabora Online that allows unauthenticated attackers to access files c...

This CVE describes an authorization bypass vulnerability in the WP Job Portal WordPress plugin where attackers can manipulate user-controlled keys to ...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in SunGrow iSolarCloud's powerStationService API model. Attackers can mani...

SunGrow iSolarCloud versions before October 31, 2024 contain an insecure direct object reference (IDOR) vulnerability in the devService API model. Thi...

This vulnerability allows attackers to bypass authorization and access unauthorized organizational data through the orgService API in SunGrow iSolarCl...

This vulnerability allows attackers to bypass authorization controls in SunGrow iSolarCloud's userService API, enabling unauthorized access to other u...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Anapi Group's h6web software that allows authenticated attackers to acc...

CVE-2024-49388 is an authorization bypass vulnerability in Acronis Cyber Protect 16 that allows attackers to manipulate sensitive information without ...