
CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class (1033 CVEs)

1033 vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key). AI Chinese analysis included.

| CVE ID | Title | Product | CVSS | Severity | Date |
|---|---|---|---|---|---|
| CVE-2026-6810 | Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover | Booking Calendar Contact Form | 5.3 | Medium | 2026-04-24 |
| CVE-2026-2028 | Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter | MaxiBlocks Builder \| 17,000+ Design Assets, Patterns, Icons & Starter Sites | 5.3 | Medium | 2026-04-24 |
| CVE-2026-31956 | Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization | xibo-cms | 4.3 | Medium | 2026-04-24 |
| CVE-2026-6375 | Authorization bypass through User-Controlled key in SpiceJet Online Booking System | Online Booking System | 5.3 (AI) | Medium (AI) | 2026-04-23 |
| CVE-2026-41279 | Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials | Flowise | 8.2 (AI) | High (AI) | 2026-04-23 |
| CVE-2026-41267 | Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association | Flowise | 8.1 | High | 2026-04-23 |
| CVE-2025-66286 | Webkitgtk: authorization bypass through webpage::send-request signal handler | Red Hat Enterprise Linux 6 | 4.7 | Medium | 2026-04-23 |
| CVE-2018-25270 | ThinkPHP 5.0.23 Remote Code Execution via invokefunction | ThinkPHP | 9.8 | Critical | 2026-04-22 |
| CVE-2026-5750 | Insecure direct object reference (IDOR) vulnerability in Fullstep | Fullstep | 6.5 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-41127 | BigBlueButton's missing authorization allows viewer to inject/overwrite captions | bigbluebutton | 6.5 | Medium | 2026-04-21 |
| CVE-2026-5845 | Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server | Enterprise Server | 8.1 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-3307 | Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers | Enterprise Server | 2.7 (AI) | Low (AI) | 2026-04-21 |
| CVE-2026-40907 | WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens | AVideo | 6.5 | Medium | 2026-04-21 |
| CVE-2026-40591 | FreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hidden Customer Modification | freescout | 7.1 | High | 2026-04-21 |
| CVE-2026-40590 | FreeScout's Customer AJAX Create Modifies Hidden Existing Customer | freescout | 4.3 | Medium | 2026-04-21 |
| CVE-2026-40589 | FreeScout has Customer Edit Cross-Mailbox Email Takeover | freescout | 7.6 | High | 2026-04-21 |
| CVE-2026-40570 | FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII | freescout | 4.3 (AI) | Medium (AI) | 2026-04-21 |
| CVE-2026-5652 | Authorization Bypass Through User-Controlled Key in Crafty Controller | Crafty Controller | 9.0 | Critical | 2026-04-21 |
| CVE-2026-6614 | TransformerOptimus SuperAGI project.py get_projects_organisation authorization | SuperAGI | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6613 | TransformerOptimus SuperAGI agent.py get_schedule_data authorization | SuperAGI | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6612 | TransformerOptimus SuperAGI Agent Execution Endpoint agent_execution.py update_agent_execution authorization | SuperAGI | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6586 | TransformerOptimus SuperAGI Budget Endpoint budget.py update_budget authorization | SuperAGI | 6.3 | Medium | 2026-04-19 |
| CVE-2026-6585 | TransformerOptimus SuperAGI Organisation Update Endpoint organisation.py update_organisation authorization | SuperAGI | 5.4 | Medium | 2026-04-19 |
| CVE-2026-6584 | TransformerOptimus SuperAGI User Update Endpoint user.py update_user authorization | SuperAGI | 5.4 | Medium | 2026-04-19 |
| CVE-2026-6583 | TransformerOptimus SuperAGI API Key Management Endpoint api_key.py edit_api_key authorization | SuperAGI | 5.4 | Medium | 2026-04-19 |
| CVE-2026-6571 | kodcloud KodExplorer systemRole.class.php roleGroupAction authorization | KodExplorer | 6.3 | Medium | 2026-04-19 |
| CVE-2026-6570 | kodcloud KodExplorer systemMember.class.php initInstall authorization | KodExplorer | 2.7 | Low | 2026-04-19 |
| CVE-2026-40480 | ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}` | CRM | 6.5 (AI) | Medium (AI) | 2026-04-17 |
| CVE-2026-5234 | LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID | LatePoint – Calendar Booking Plugin for Appointments and Events | 5.3 | Medium | 2026-04-17 |
| CVE-2026-40308 | My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog | my-calendar | 7.5 (AI) | High (AI) | 2026-04-16 |

Entries marked (AI) carry the page's AI tag on their CVSS score and severity values.

Vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key) represent 1033 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.