
CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class 1038

1038 vulnerabilities are classified under CWE-639 (Authorization Bypass Through User-Controlled Key): the application authenticates the caller, then retrieves or modifies a record using an identifier the caller chose (object id, credential id, organisation id, mailbox id) without checking that the caller is allowed to act on that specific record. An AI-generated Chinese-language analysis is included for each entry.

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-41372 | OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery | OpenClaw | 5.8 | Medium | 2026-04-27
CVE-2026-28747 | Milesight Cameras Authorization Bypass Through User-Controlled Key | MS-Cxx63-PD | 7.1 | High | 2026-04-27
CVE-2026-7145 | mettle sendportal Invitation WorkspaceInvitationsController.php destroy authorization | sendportal | 5.4 | Medium | 2026-04-27
CVE-2026-7144 | 1000 Projects Portfolio Management System MCA update_passwd_process.php authorization | Portfolio Management System MCA | 4.3 | Medium | 2026-04-27
CVE-2025-15626 | Authenticated user can bypass authorization in Ribblr - Crochet & Knitting iOS application | Crotchet and Knitting | (no score) | (no rating) | 2026-04-27
CVE-2026-6810 | Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover | Booking Calendar Contact Form | 5.3 | Medium | 2026-04-24
CVE-2026-2028 | Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter | MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites | 5.3 | Medium | 2026-04-24
CVE-2026-31956 | Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization | xibo-cms | 4.3 | Medium | 2026-04-24
CVE-2026-6375 | Authorization bypass through User-Controlled key in SpiceJet Online Booking System | Online Booking System | 5.3 (AI-estimated) | Medium (AI-estimated) | 2026-04-23
CVE-2026-41279 | Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials | Flowise | 8.2 (AI-estimated) | High (AI-estimated) | 2026-04-23
CVE-2026-41267 | Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association | Flowise | 8.1 | High | 2026-04-23
CVE-2025-66286 | Webkitgtk: authorization bypass through webpage::send-request signal handler | Red Hat Enterprise Linux 6 | 4.7 | Medium | 2026-04-23
CVE-2018-25270 | ThinkPHP 5.0.23 Remote Code Execution via invokefunction | ThinkPHP | 9.8 | Critical | 2026-04-22
CVE-2026-5750 | Insecure direct object reference (IDOR) vulnerability in Fullstep | Fullstep | 6.5 (AI-estimated) | Medium (AI-estimated) | 2026-04-22
CVE-2026-41127 | BigBlueButton's missing authorization allows viewer to inject/overwrite captions | bigbluebutton | 6.5 | Medium | 2026-04-21
CVE-2026-5845 | Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server | Enterprise Server | 8.1 (AI-estimated) | High (AI-estimated) | 2026-04-21
CVE-2026-3307 | Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers | Enterprise Server | 2.7 (AI-estimated) | Low (AI-estimated) | 2026-04-21
CVE-2026-40907 | WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys and OAuth Tokens | AVideo | 6.5 | Medium | 2026-04-21
CVE-2026-40591 | FreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hidden Customer Modification | freescout | 7.1 | High | 2026-04-21
CVE-2026-40590 | FreeScout's Customer AJAX Create Modifies Hidden Existing Customer | freescout | 4.3 | Medium | 2026-04-21
CVE-2026-40589 | FreeScout has Customer Edit Cross-Mailbox Email Takeover | freescout | 7.6 | High | 2026-04-21
CVE-2026-40570 | FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII | freescout | 4.3 (AI-estimated) | Medium (AI-estimated) | 2026-04-21
CVE-2026-5652 | Authorization Bypass Through User-Controlled Key in Crafty Controller | Crafty Controller | 9.0 | Critical | 2026-04-21
CVE-2026-6614 | TransformerOptimus SuperAGI project.py get_projects_organisation authorization | SuperAGI | 6.3 | Medium | 2026-04-20
CVE-2026-6613 | TransformerOptimus SuperAGI agent.py get_schedule_data authorization | SuperAGI | 6.3 | Medium | 2026-04-20
CVE-2026-6612 | TransformerOptimus SuperAGI Agent Execution Endpoint agent_execution.py update_agent_execution authorization | SuperAGI | 6.3 | Medium | 2026-04-20
CVE-2026-6586 | TransformerOptimus SuperAGI Budget Endpoint budget.py update_budget authorization | SuperAGI | 6.3 | Medium | 2026-04-19
CVE-2026-6585 | TransformerOptimus SuperAGI Organisation Update Endpoint organisation.py update_organisation authorization | SuperAGI | 5.4 | Medium | 2026-04-19
CVE-2026-6584 | TransformerOptimus SuperAGI User Update Endpoint user.py update_user authorization | SuperAGI | 5.4 | Medium | 2026-04-19
CVE-2026-6583 | TransformerOptimus SuperAGI API Key Management Endpoint api_key.py edit_api_key authorization | SuperAGI | 5.4 | Medium | 2026-04-19

Scores and ratings marked "(AI-estimated)" were assigned by the site's AI analysis rather than taken from the vendor or NVD record; treat them as provisional.

The 1038 CVEs classified as CWE-639 (Authorization Bypass Through User-Controlled Key) share one root cause: a per-object authorization check is missing, so an authenticated caller can substitute another user's, mailbox's, workspace's or organisation's identifier and have the request honoured. The CWE entry describes only the weakness; review each CVE for the product-specific impact, which ranges from information disclosure (other users' stream keys, customer PII) to account or calendar takeover and, where the key selects stored credentials, abuse of someone else's API quota.
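The pattern behind this CWE, shown as an added example (not code from this page or from any of the listed projects): an authenticated handler that looks up a record by a caller-supplied id, beside the hardened version that scopes the lookup to the caller's identity and workspace, plus the probe a tester would run to find the gap. The invoice store, the `Session` shape and the `_may_access` rule are assumptions made for the illustration.

```python
"""CWE-639 / IDOR: vulnerable vs. scoped object lookup, with an IDOR probe.

Added example, not from the page or any listed project. All data is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


class NotFound(Exception):
    """Raised for ids that do not exist *or* that the caller may not see."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    workspace_id: int
    total: str


@dataclass(frozen=True)
class Session:
    """Assumed authenticated-session shape: who the caller is and which workspace they are in."""
    user_id: int
    workspace_id: int
    is_admin: bool = False


# Constructed sample data: two invoices in workspace 1, one in workspace 2.
INVOICES = {
    1001: Invoice(1001, owner_id=7, workspace_id=1, total="12.00"),
    1002: Invoice(1002, owner_id=8, workspace_id=1, total="99.00"),
    1003: Invoice(1003, owner_id=9, workspace_id=2, total="5.00"),
}


def get_invoice_vulnerable(session: Session, invoice_id: int) -> Invoice:
    """CWE-639: the caller is authenticated, but the record is selected purely by the
    id the caller chose. Any logged-in user can read any invoice."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def _may_access(session: Session, inv: Invoice) -> bool:
    """Assumed policy: owners see their own records; workspace admins see their
    workspace's records; nobody crosses a workspace boundary."""
    if inv.workspace_id != session.workspace_id:
        return False
    return session.is_admin or inv.owner_id == session.user_id


def get_invoice_fixed(session: Session, invoice_id: int) -> Invoice:
    """Object-level authorization: the lookup is scoped to the caller. Missing and
    foreign ids both surface as NotFound so the response does not tell an attacker
    which ids exist (a 403-vs-404 difference is itself an enumeration oracle)."""
    inv = INVOICES.get(invoice_id)
    if inv is None or not _may_access(session, inv):
        raise NotFound(invoice_id)
    return inv


def idor_probe(handler: Callable[[Session, int], Invoice],
               session: Session, candidate_ids: Iterable[int]) -> list[int]:
    """Tester's check: walk a range of ids as one low-privilege session and report
    every record the handler returned that the policy says this session may not see."""
    leaked = []
    for cid in candidate_ids:
        try:
            inv = handler(session, cid)
        except NotFound:
            continue
        if not _may_access(session, inv):
            leaked.append(cid)
    return leaked


def denied(handler: Callable[[Session, int], Invoice], session: Session, invoice_id: int) -> bool:
    """True if the handler refuses the id for this session."""
    try:
        handler(session, invoice_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    alice = Session(user_id=7, workspace_id=1)
    print("vulnerable leaks:", idor_probe(get_invoice_vulnerable, alice, range(1000, 1005)))
    print("fixed leaks:     ", idor_probe(get_invoice_fixed, alice, range(1000, 1005)))
```

The fix is not an extra `if` bolted onto the handler but a change in what the lookup is keyed on: owner and workspace become part of the query, so a record the caller does not own is indistinguishable from one that does not exist. The same shape applies to the write paths in the table above (delete, update, "create" that binds a caller-chosen organisation or mailbox id): resolve the target through the caller's scope first, then act on it.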