Search Results (1899 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-48759 1 Baptistearno 1 Typebot.io 2026-06-18 7.1 High
TypeBot is a chatbot builder tool. Versions 3.15.2 and below have an Insecure Direct Object Reference vulnerability through cross-workspace Theme Template modification and deletion. The handleSaveThemeTemplate and handleDeleteThemeTemplate handlers validate that the authenticated user is a non-guest member of the provided workspaceId, but then operate on themeTemplateId via Prisma queries that do NOT include workspaceId in the WHERE clause. This allows any authenticated user to modify or delete theme templates belonging to any other workspace and may expose Template IDs via shared typebots or network traffic. This issue has been fixed in version 3.16.0.
CVE-2026-50141 1 Woodpecker-ci 1 Woodpecker 2026-06-18 N/A
Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged `agent_id` value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in favor of the client-supplied value. Version 3.14.1 patches the issue. As a workaround, disable org agents (`WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=true`) and delete existing ones.
CVE-2026-12102 2 Stiofansisland, Wordpress 2 Userswp – Front-end Login Form, User Registration, User Profile & Members Directory Plugin For Wp, Wordpress 2026-06-18 2.7 Low
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.
CVE-2026-10023 2 Dokaninc, Wordpress 2 Dokan: Ai Powered Woocommerce Multivendor Marketplace Solution – Build Your Own Amazon, Ebay, Etsy, Wordpress 2026-06-18 4.3 Medium
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download AJAX handlers due to missing ownership validation on a user-controlled order ID key. This makes it possible for authenticated attackers, with custom vendor-level access and above, to modify the status of arbitrary orders, add attacker-controlled notes to any order (including customer-facing notes that trigger WooCommerce notification emails to buyers), delete any order note or WordPress comment by ID regardless of ownership, inject fake shipping tracking information on any order, and grant or revoke downloadable-product permissions on any order in the marketplace. Critically, nonce validity is not a barrier to exploitation: each of these AJAX handlers generates and embeds its nonce on the authenticated vendor's own dashboard order pages (e.g., /dashboard/orders/?order_id=OWN_ORDER_ID), which the attacker legitimately controls. The attacker harvests a valid nonce from their own order detail page and replays it against a victim order ID — the nonce only proves the request originates from a logged-in session, not that the order belongs to that vendor. This directly rebuts the prior rejection reasoning that 'users cannot generate valid nonces on command': vendor users can and do generate valid nonces on demand simply by loading their own dashboard pages. Source-code analysis confirmed the vulnerable code path is present and unpatched through version 5.0.1.
CVE-2025-15657 2 Mojoomla, Wordpress 2 School Management, Wordpress 2026-06-17 5.3 Medium
Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions.
CVE-2026-48783 1 Gitroomhq 1 Postiz-app 2026-06-17 4.8 Medium
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.
CVE-2026-53863 1 Openclaw 1 Openclaw 2026-06-16 7.1 High
OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls.
CVE-2026-39518 2026-06-16 7.1 High
Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions.
CVE-2026-48599 1 Elixir-grpc 1 Grpc 2026-06-16 N/A
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"} when body: "*") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed. This issue affects grpc from 0.8.0 before 1.0.0.
CVE-2026-45830 2 Chroma, Trychroma 2 Chromadb, Chromadb 2026-06-16 8.8 High
A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
CVE-2026-45832 2 Chroma, Trychroma 2 Chromadb, Chromadb 2026-06-16 8.8 High
All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.
CVE-2026-7787 2 Ibm, Langflow 2 Langflow Oss, Langflow 2026-06-16 7.5 High
IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references.
CVE-2026-48872 2 Wordpress, Wpdeveloper 2 Wordpress, Embedpress 2026-06-16 7.5 High
Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.
CVE-2025-59133 2 Projectopia, Wordpress 2 Projectopia, Wordpress 2026-06-16 7.5 High
Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.
CVE-2026-52699 2026-06-16 7.5 High
Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.
CVE-2026-40792 2026-06-15 6.3 Medium
Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.
CVE-2026-1291 2 Tigroumeow, Wordpress 2 Meow Gallery, Wordpress 2026-06-15 4.3 Medium
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
CVE-2026-54361 1 Misp 1 Misp 2026-06-15 N/A
MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-related fields such as id, org_id, orgc_id, and user_id. An authenticated attacker with access to the affected endpoints could craft requests containing protected fields in order to alter object ownership, redirect an update to another record, overwrite existing event delegation requests, or modify shadow attribute proposals belonging to another organization. This could result in unauthorized modification of MISP objects and, depending on object visibility and sharing configuration, unauthorized access to or transfer of sensitive threat intelligence data. The issue was fixed by explicitly pinning ownership and identity fields to their stored values during edit operations and by removing user-supplied primary keys from create-only save paths. Affected components: * CollectionsController::edit() * EventDelegationsController::delegateEvent() * ShadowAttributesController::edit() * TagCollectionsController::edit()915 * TagCollectionsController::editWithTags() Attack requirements: The attacker must be authenticated and able to reach the affected MISP endpoints. No user interaction is required.
CVE-2026-54360 1 Misp 1 Misp 2026-06-15 N/A
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one. An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups. Affected component: app/Controller/SharingGroupsController.php, add() action
CVE-2026-12204 1 Shopxo 1 Shopxo 2026-06-15 7.3 High
A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.