CWE-639: Authorization Bypass Through User-Controlled Key
[Charts: Yearly Trend; Top Affected Vendors]
All CWE-639 CVEs (519)
Sep 14, 2021: This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Siemens Teamcenter PLM software. Attackers can manipulate user-supplied...
Mar 10, 2021: FUEL CMS 1.4.7 contains an authorization bypass vulnerability that allows attackers to escalate privileges to super admin level by manipulating 'id' a...
Jan 26, 2026: This vulnerability in KubeVirt Containerized Data Importer (CDI) allows authenticated users to clone PersistentVolumeClaims from namespaces they shoul...
Nov 4, 2025: An Insecure Direct Object Reference (IDOR) vulnerability in the vehicleId parameter allows attackers to bypass authorization and access sensitive data...
Jul 9, 2024: This CVE describes a Broken Object Level Authorization (BOLA) vulnerability in the Easy!Appointments scheduling software. It allows low-privileged use...
Feb 14, 2025: This vulnerability in StrongKey FIDO Server allows authentication bypass by incorrectly treating non-discoverable credential flows as discoverable tra...
Dec 3, 2024: Dell NetWorker versions 19.10 contain an authorization bypass vulnerability where an unauthenticated attacker can manipulate user-controlled keys to a...
Mar 24, 2024: This CVE describes an authorization bypass vulnerability in OneUptime where attackers can manipulate client-side stored data to gain administrative pr...
Sep 4, 2023: An Insecure Direct Object Reference (IDOR) vulnerability in ZKTeco ZEM800 version 6.60 allows local attackers to access sensitive backup and configura...
Jan 16, 2026: This vulnerability allows unauthenticated attackers to access Stripe SetupIntent client_secret values for any membership in the Restrict Content WordP...
Oct 16, 2025: This vulnerability in Strapi allows attackers to access private fields like admin passwords and reset tokens by crafting malicious queries with the lo...
Dec 20, 2023: This vulnerability allows unauthenticated attackers to bypass authorization in the WooCommerce GoCardless payment gateway plugin by manipulating user-...
Feb 3, 2026: This vulnerability allows authenticated attackers with Tutor Instructor-level access or higher to modify or delete arbitrary courses they do not own b...
Jan 22, 2026: This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Tutor LMS WordPress plugin that allows attackers to bypass authorizatio...
Jan 12, 2026: An Insecure Direct Object Reference (IDOR) vulnerability in Viafirma Inbox v4.5.13 allows authenticated users without privileges to list all users, ac...
Jan 8, 2026: This vulnerability allows attackers to bypass authorization controls in Woffice Core by manipulating user-controlled keys, potentially accessing unaut...
Dec 30, 2025: This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Eagle Booking WordPress plugin that allows attackers to bypass auth...
Dec 30, 2025: This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Google Calendar Events WordPress plugin. Attackers can bypass autho...
Dec 24, 2025: This vulnerability allows attackers to bypass authorization controls in WP Swings Membership For WooCommerce by manipulating user-controlled keys, pot...
Dec 17, 2025: AVideo versions before 20.1 contain an insecure direct object reference vulnerability that allows authenticated users with upload permissions to modif...
Dec 12, 2025: This CVE describes an authorization bypass vulnerability in Apache Fineract where attackers can manipulate user-controlled keys to access unauthorized...
Dec 9, 2025: Multiple incorrect access control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow authenticated low-privileged users to perfor...
Nov 19, 2025: An improper authorization vulnerability in Rallly allows any authenticated user to reopen finalized polls belonging to other users by manipulating the...
Sep 30, 2025: An Insecure Direct Object Reference vulnerability in Syaqui Collegetivity v1.0.0 allows attackers to impersonate other users by manipulating POST requ...
Sep 11, 2025: This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal and DXP that allows authenticated users to access, creat...
Jul 25, 2025: An authorization bypass vulnerability in Salesforce Tableau Server allows attackers to manipulate the validate-initial-sql API modules to gain unautho...
Feb 21, 2025: CVE-2025-25282 is an Insecure Direct Object Reference (IDOR) vulnerability in RAGFlow that allows authenticated users to access and modify other tenan...
Nov 20, 2024: This vulnerability in the Sirv WordPress plugin allows authenticated attackers with Contributor-level access or higher to delete arbitrary WordPress o...
Oct 29, 2024: This IDOR vulnerability in lunary-ai/lunary version 1.3.2 allows authenticated users to view or delete external user accounts by manipulating the 'id'...
Jul 17, 2024: CVE-2024-38447 is an Insecure Direct Object Reference vulnerability in NATO NCI ANET 3.4.1 that allows attackers to access private draft reports belon...
May 20, 2024: An improper access control vulnerability in lunary-ai/lunary version 1.2.2 allows users to view and update any prompts in any projects due to insuffic...
Sep 27, 2023: CVE-2023-44154 is an authorization bypass vulnerability in Acronis Cyber Protect 15 that allows unauthorized users to access and manipulate sensitive ...
May 3, 2023: CVE-2023-28656 is an authorization bypass vulnerability in NGINX Management Suite that allows authenticated users to access configuration objects outs...
Mar 29, 2023: This vulnerability in Peppermint v0.2.4 allows attackers to bypass authorization and access sensitive email and password data from the Tickets page th...
Apr 7, 2022: This vulnerability allows unauthorized user groups to access restricted functionality in SMA SUNNY TRIPOWER 5.0 inverters due to insecure cookie handl...
Mar 3, 2022: An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows authenticated attackers to access and modify unauthorized system area...
Dec 21, 2021: The Logo Carousel WordPress plugin before version 3.4.2 contains an authorization bypass vulnerability that allows users with Contributor-level permis...
Oct 25, 2021: CVE-2021-39225 is an authorization bypass vulnerability in Nextcloud Deck that allows authenticated users to access other users' Deck cards without pr...
Jul 25, 2025: An authorization bypass vulnerability in Salesforce Tableau Server allows attackers to manipulate interface parameters and gain unauthorized access to...
Apr 24, 2025: This IDOR vulnerability in Codeastro Bus Ticket Booking System v1.0 allows attackers to access other users' profiles by manipulating user IDs in URLs....
Mar 12, 2024: This CVE describes an authorization bypass vulnerability in FortiOS and FortiProxy SSL-VPN that allows authenticated attackers to access other users' ...
Sep 2, 2025: This vulnerability allows malicious apps to trick Android's authentication system into using one app's approval for another app's privileged operation...
Mar 13, 2025: An Insecure Direct Object Reference (IDOR) vulnerability in Issuetrak v17.2.2 and earlier allows low-privileged authenticated users to access audit re...
Jul 9, 2024: This CVE describes a Broken Object Level Authorization (BOLA) vulnerability in the Easy!Appointments system where a low-privileged user can create add...
Jul 9, 2024: This Broken Object Level Authorization (BOLA) vulnerability allows low-privileged users to create services for any user in the system, including admin...
Jul 9, 2024: This CVE describes a Broken Object Level Authorization (BOLA) vulnerability in the Easy!Appointments scheduling system. It allows any authenticated lo...
Dec 11, 2025: This vulnerability allows attackers to bypass authorization mechanisms in ApplyLogic by manipulating user-controlled keys, potentially gaining unautho...
Dec 11, 2025: This vulnerability allows attackers to bypass authorization mechanisms in Aksis AxOnboard software by manipulating user-controlled keys or identifiers...
Mar 5, 2026: OpenClaw versions before 2026.2.14 have a webhook routing vulnerability in the Google Chat monitor component that allows attackers to misroute webhook...
Feb 3, 2026: CVE-2026-24773 is an Insecure Direct Object Reference (IDOR) vulnerability in Open eClass (formerly GUnet eClass) that allows unauthenticated attacker...
About CWE-639 (Authorization Bypass Through User-Controlled Key)
Our database tracks 519 CVEs classified as CWE-639, with 63 rated critical and 165 rated high severity. The average CVSS score for CWE-639 vulnerabilities is 6.6.
External reference: CWE-639 on MITRE CWE (https://cwe.mitre.org/data/definitions/639.html)