CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class 1040

1040 vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Chinese-language AI analysis included.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-27898 | Vaultwarden: Unauthorized Access via Partial Update API on Another User’s Cipher | vaultwarden | 5.4 | Medium | 2026-03-04 |
| CVE-2026-29069 | Craft has an unauthenticated activation email trigger with potential user enumeration | cms | 8.1 (AI) | High (AI) | 2026-03-04 |
| CVE-2026-28782 | Craft has a Permission Bypass and IDOR in Duplicate Entry Action | cms | 6.5 (AI) | Medium (AI) | 2026-03-04 |
| CVE-2026-28781 | Craft Affected by Entries Authorship Spoofing via Mass Assignment | cms | 8.1 (AI) | High (AI) | 2026-03-04 |
| CVE-2026-28696 | Craft affected by IDOR via GraphQL @parseRefs | cms | 5.3 (AI) | Medium (AI) | 2026-03-04 |
| CVE-2026-28361 | NocoDB: Missing Ownership Validation in MCP Token Operations | nocodb | 8.3 (AI) | High (AI) | 2026-03-02 |
| CVE-2025-58402 | Insecure Direct Object Reference Message ID | CGM CLININET | 7.5 (AI) | High (AI) | 2026-03-02 |
| CVE-2026-27793 | Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials | seerr | 6.5 | Medium | 2026-02-27 |
| CVE-2026-28354 | ClipBucket v5 has IDOR in Collection Item Management | clipbucket-v5 | 4.3 | - | 2026-02-27 |
| CVE-2026-25147 | OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid | openemr | 7.1 | High | 2026-02-27 |
| CVE-2026-1558 | WP Recipe Maker <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter | WP Recipe Maker | 5.3 | Medium | 2026-02-27 |
| CVE-2026-28225 | Manyfold has IDOR in ModelFilesController | manyfold | 5.3 | Medium | 2026-02-26 |
| CVE-2026-28216 | hoppscotch has IDOR in updateUserEnvironment / deleteUserEnvironment | hoppscotch | 8.3 | High | 2026-02-26 |
| CVE-2026-27839 | wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup | wger | 4.3 | Medium | 2026-02-26 |
| CVE-2026-27838 | wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data | wger | 3.1 | Low | 2026-02-26 |
| CVE-2026-27835 | wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data | wger | 4.3 | Medium | 2026-02-26 |
| CVE-2026-26078 | Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint | discourse | 7.5 | High | 2026-02-26 |
| CVE-2026-27943 | OpenEMR's Eye Exam View Trusts form_id Without Verifying Patient/Encounter Ownership | openemr | 6.5 | Medium | 2026-02-26 |
| CVE-2026-25930 | OpenEMR's Printable LBF Endpoint Leaks Arbitrary Patient Forms | openemr | 6.5 | Medium | 2026-02-25 |
| CVE-2026-25929 | OpenEMR Patient Picture Context Allows Arbitrary Patient Photo Retrieval | openemr | 6.5 | Medium | 2026-02-25 |
| CVE-2026-25927 | OpenEMR Missing Authorization Checks in DICOM Viewer State API | openemr | 7.1 | High | 2026-02-25 |
| CVE-2026-25220 | OpenEMR Messages "Show All" Not Restricted to Admins | openemr | 4.3 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2026-27705 | Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch | plane | 6.5 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2026-3185 | feiyuchuixue sz-boot-parent API Endpoint sys-message authorization | sz-boot-parent | 5.3 | Medium | 2026-02-25 |
| CVE-2025-14742 | WP Recipe Maker <= 10.2.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure | WP Recipe Maker | 4.3 | Medium | 2026-02-25 |
| CVE-2026-2698 | Improper Access Control | Security Center | 6.5 | Medium | 2026-02-23 |
| CVE-2026-2697 | Indirect Object Reference (IDOR) in Security Center | Security Center | 6.3 | Medium | 2026-02-23 |
| CVE-2026-2997 | WisdomGarden\|Tronclass - Insecure Direct Object Reference | Tronclass | 5.4 | Medium | 2026-02-23 |
| CVE-2025-15582 | detronetdip E-commerce Product Management Update authorization | E-commerce | 5.4 | Medium | 2026-02-20 |
| CVE-2026-24950 | WordPress Authorsy plugin <= 1.0.6 - Insecure Direct Object References (IDOR) vulnerability | Authorsy | 7.5 | High | 2026-02-20 |

CVSS scores and severities marked "(AI)" carried an "AI" marker in the source listing; a severity of "-" means none was listed.

Vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key) represent 1040 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.