
CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class 1033

1033 vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key). AI Chinese analysis included.

| CVE ID | Title | Product | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-4160 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | 5.3 | Medium | 2026-04-16 |
| CVE-2026-40784 | WordPress FluentBoards plugin <= 1.91.2 - Insecure Direct Object References (IDOR) vulnerability | FluentBoards | 9.1 | - | 2026-04-15 |
| CVE-2026-40737 | WordPress COMPE plugin <= 1.1.4 - Insecure Direct Object References (IDOR) vulnerability | COMPE | 8.1 | - | 2026-04-15 |
| CVE-2026-5617 | Login as User <= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation via 'oclaup_original_admin' Cookie | Login as User – Switch User & WooCommerce Login as Customer | 8.8 | High | 2026-04-15 |
| CVE-2026-1541 | Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference | Avada (Fusion) Builder | 4.3 | Medium | 2026-04-15 |
| CVE-2026-34213 | Docmost has cross-page attachment overwrite via flawed attachmentId overwrite validation | docmost | 5.4 | Medium | 2026-04-14 |
| CVE-2026-34602 | Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses | chamilo-lms | 7.1 | High | 2026-04-14 |
| CVE-2025-13822 | Authentication bypass in MCPHub | MCPHub | 8.8 | - | 2026-04-14 |
| CVE-2026-25654 | Siemens SINEC NMS security vulnerability | SINEC NMS | 8.8 | High | 2026-04-14 |
| CVE-2026-33740 | EspoCRM: Email importEml can import and delete another user's attachment by raw fileId | espocrm | 5.4 | Medium | 2026-04-13 |
| CVE-2026-40043 | Pachno 1.0.6 Authentication Bypass via runSwitchUser() | Pachno | 6.5 | Medium | 2026-04-13 |
| CVE-2026-3371 | Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification | Tutor LMS – eLearning and online course solution | 4.3 | Medium | 2026-04-11 |
| CVE-2026-33736 | Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure | chamilo-lms | 6.5 | Medium | 2026-04-10 |
| CVE-2026-33703 | Chamilo LMS Critical IDOR: Any Authenticated User Can Extract All Users’ Personal Data and API Tokens | chamilo-lms | 8.1 | - | 2026-04-10 |
| CVE-2026-33702 | Chamilo LMS has an Insecure Direct Object Reference (IDOR) | chamilo-lms | 7.1 | High | 2026-04-10 |
| CVE-2026-33141 | Chamilo LMS has an IDOR in REST API Stats Endpoint Exposes Any User's Learning Data | chamilo-lms | 6.5 | Medium | 2026-04-10 |
| CVE-2026-32930 | Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Evaluation Edit Without Ownership Check | chamilo-lms | 7.1 | High | 2026-04-10 |
| CVE-2026-29002 | CouchCMS Privilege Escalation via f_k_levels_list Parameter | CouchCMS | 7.2 | High | 2026-04-10 |
| CVE-2026-5842 | decolua 9router Administrative API Endpoint api authorization | 9router | 7.3 | High | 2026-04-09 |
| CVE-2026-3568 | MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update | MStore API – Create Native Android & iOS Apps On The Cloud | 4.3 | Medium | 2026-04-09 |
| CVE-2026-2104 | Authorization Bypass Through User-Controlled Key in GitLab | GitLab | 4.3 | Medium | 2026-04-08 |
| CVE-2026-35478 | InvenTree has Arbitrary API Token Creation | InvenTree | 8.3 | High | 2026-04-08 |
| CVE-2026-35165 | LORIS has incorrect access checks in document_repository | Loris | 6.3 | Medium | 2026-04-08 |
| CVE-2026-34985 | LORIS has incorrect access checks in media module | Loris | 6.3 | Medium | 2026-04-08 |
| CVE-2026-32589 | Mirror-registry: quay: insecure direct object reference in blobupload | mirror registry for Red Hat OpenShift | 7.1 | High | 2026-04-08 |
| CVE-2026-35023 | Wimi Teamwork On-Premises < 8.2.0 IDOR via preview.php | Wimi Teamwork | 4.3 | Medium | 2026-04-08 |
| CVE-2026-39616 | WordPress Download Attachments plugin <= 1.4.0 - Insecure Direct Object References (IDOR) vulnerability | Download Attachments | 9.1 (AI) | Critical (AI) | 2026-04-08 |
| CVE-2026-39526 | WordPress WpStream plugin < 4.11.2 - Insecure Direct Object References (IDOR) vulnerability | WpStream | 6.5 (AI) | Medium (AI) | 2026-04-08 |
| CVE-2026-39510 | WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.11 - Insecure Direct Object References (IDOR) vulnerability | Image Photo Gallery Final Tiles Grid | 9.1 (AI) | Critical (AI) | 2026-04-08 |
| CVE-2026-4330 | Blog2Social: Social Media Auto Post & Scheduler <= 8.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Schedule Modification via 'b2s_id' Parameter | Blog2Social: Social Media Auto Post & Scheduler | 4.3 | Medium | 2026-04-08 |

A "(AI)" mark on a CVSS score or severity indicates the value carried the page's AI badge rather than a plain assigned value; "-" means no severity was listed.

Vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key) represent 1033 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.