CWE-639: CWE-639

The Wishlist for WooCommerce WordPress plugin has an Insecure Direct Object Reference vulnerability that allows unauthenticated attackers to modify ot...

This vulnerability allows authenticated users in Revive Adserver to delete advertising banners belonging to other user accounts due to missing authori...

An Insecure Direct Object Reference (IDOR) vulnerability in Rallly allows authenticated users to change other participants' display names in polls wit...

Hospital Management System v4 has an Insecure Direct Object Reference (IDOR) vulnerability in appointment cancellation functionality. This allows atta...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Rometheme RTMKit WordPress plugin that allows attackers to bypass a...

This vulnerability allows attackers to bypass authorization controls in AHE Mobile by manipulating user-controlled keys, potentially enabling privileg...

This vulnerability allows attackers to bypass authorization controls in PROLIZ OBS Student Affairs Information System by manipulating user-controlled ...

This CVE describes an authorization bypass vulnerability in Beefull Energy Technologies' Beefull App where attackers can manipulate user-controlled ke...

An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized users to access and download other users' p...

This vulnerability in flaskBlog allows any authenticated user to delete arbitrary comments belonging to other users by manipulating the commentID para...

The femanager extension for TYPO3 contains an Insecure Direct Object Reference vulnerability that allows attackers to modify user data without proper ...

This vulnerability in CVAT allows authenticated users with 'user' role to access other users' uploaded files during project/task backup imports by exp...

This vulnerability in iTop allows authenticated users with portal access to view objects they shouldn't have permission to access by querying an unpro...

The WordPress Simple Shopping Cart plugin has an Insecure Direct Object Reference vulnerability that allows unauthenticated attackers to access and ma...

Unauthenticated attackers can trigger device actions associated with specific 'scenes' of arbitrary users, allowing them to manipulate smart home or I...

CVE-2025-32373 is an authorization bypass vulnerability in DNN CMS where registered users can craft requests to enumerate or access portal files they ...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in LibreChat's delete attachments functionality. Authenticated users can d...

This vulnerability allows attackers to access sensitive student information by manipulating the studentId parameter in the /getStudemtAllDetailsById A...

Coolify versions before 4.0.0-beta.361 have an authorization flaw where any authenticated user can revoke any team invitation by guessing predictable ...

This vulnerability allows authenticated attackers in SAP Business Workflow and SAP Flexible Workflow to manipulate parameters in legitimate requests t...

CVE-2024-9819 is an authorization bypass vulnerability in NextGeography NG Analyser that allows attackers to access functionality they shouldn't have ...

This vulnerability in the User Meta WordPress plugin allows authenticated attackers with Contributor-level access or higher to access user meta data t...

An Insecure Direct Object Reference (IDOR) vulnerability in lunary-ai/lunary allows authenticated users to modify other users' prompts by manipulating...

This vulnerability allows authenticated users in self-hosted Sentry deployments to delete issue alert notifications belonging to other users if they k...

This vulnerability allows attackers to exploit the user invitation system in lunary-ai/lunary to obtain valid JWT tokens and perform account takeover....

This vulnerability in Reedos aiM-Star version 2.0.1 allows authenticated attackers to bypass access controls on certain API endpoints by manipulating ...

This vulnerability allows authenticated attackers in TechExcel Back Office Software to bypass access controls on API endpoints by manipulating URL par...

This vulnerability in lib9p's 9p authentication implementation allows an authenticated attacker to impersonate any other valid filesystem user by expl...

This vulnerability allows attackers to bypass authorization controls in upKeeper Manager by manipulating user-controlled keys in REST API requests, po...

This vulnerability in Apache Flink allows authenticated regular users to bypass authorization controls and access sensitive user information they shou...

This vulnerability in ExtremePacs Extreme XDS allows attackers to bypass authorization controls by manipulating user-provided keys, potentially access...

This vulnerability in Kiuwan SAST allows authenticated users to access information about applications they shouldn't have permission to view. The API ...

An Insecure Direct Object Reference vulnerability in Google Cloud Looker allows authenticated users sharing the same LookML model to access metadata t...

This vulnerability allows authenticated attackers with Instructor-level permissions or higher in Tutor LMS WordPress plugin to delete any course witho...

An authenticated attacker can exploit an Indirect Object Reference (IDOR) vulnerability in Security Center's 'owner' parameter to escalate privileges....

This vulnerability allows attackers to bypass authorization controls by manipulating user-controlled variables in Farktor Software's E-Commerce Packag...

This vulnerability in Nextcloud Tables allows authenticated malicious users to move columns they created into other users' tables without authorizatio...

This vulnerability in PosCube Assist software allows attackers to bypass authentication using hard-coded credentials or user-controlled keys. It affec...

TrueFiling, a cloud-hosted electronic filing system for legal documentation, had an authorization bypass vulnerability where authenticated users could...

This CVE describes an authorization bypass vulnerability in Logo Software Inc.'s Logo Cloud platform where attackers can access resources by manipulat...

An improper authorization vulnerability in RICOH Streamline NX allows man-in-the-middle attackers to retrieve user registration information and OIDC t...

This vulnerability involves insecure handling of SSH keys during client bootstrap processes, allowing local attackers to potentially access these keys...

This CVE describes an insecure direct object reference vulnerability where non-admin users can modify or delete data objects they shouldn't have acces...

This vulnerability allows attackers to bypass authorization controls in QR Menu Pro Smart Menu Systems Menu Panel by manipulating user-controlled iden...

This vulnerability allows an attacker with local access and arbitrary code execution privileges in AMD's Secure Processor (ASP) to extract cryptograph...

This vulnerability allows attackers to bypass authorization controls in VHS Electronic Software's ACE Center by manipulating user-controlled keys, pot...

This CVE describes an authorization bypass vulnerability in Academy LMS WordPress plugin where attackers can access unauthorized resources by manipula...

This vulnerability allows authenticated regular users in Vaultwarden to access other users' encrypted password vault entries by exploiting an authoriz...

Tronclass by WisdomGarden has an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers to join any course by manip...

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the PawFriends WordPress theme that allows attackers to bypass authoriz...