
CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class 1033

1033 vulnerabilities are classified as CWE-639 (Authorization Bypass Through User-Controlled Key). AI-generated Chinese analysis is included for each entry.

CVE ID | Title | CVSS | Severity | Published
CVE-2026-29189 | SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints — SuiteCRM | 8.1 | High | 2026-03-19
CVE-2026-32039 | OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender — OpenClaw | 5.9 | Medium | 2026-03-19
CVE-2026-33304 | OpenEMR has Authorization Bypass in Dated Reminders Log — openemr | 6.5 | Medium | 2026-03-19
CVE-2026-25744 | OpenEMR: POST /api/.../vital Accepts Attacker-Supplied id and Overwrites Arbitrary Vitals — openemr | 6.5 | Medium | 2026-03-19
CVE-2026-32867 | OPEXUS eComplaint unauthenticated file upload — eComplaint | 5.4 | Medium | 2026-03-19
CVE-2025-32223 | WordPress Tutor LMS plugin <= 3.9.4 - Insecure Direct Object References (IDOR) vulnerability — Tutor LMS | 8.1 | - | 2026-03-19
CVE-2026-27397 | WordPress Really Simple Security Pro plugin <= 9.5.4.0 - Insecure Direct Object References (IDOR) vulnerability — Really Simple Security Pro | 6.5 | Medium | 2026-03-19
CVE-2026-32638 | StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens — studiocms | 2.7 | Low | 2026-03-18
CVE-2026-25745 | OpenEMR's Message Update Ignores Patient id — openemr | 6.5 | Medium | 2026-03-18
CVE-2026-30884 | mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key — moodle-mod_customcert | 9.6 | Critical | 2026-03-18
CVE-2026-26004 | Sentry allows unauthorized access to event data across organizational boundaries — sentry | 4.3 | - | 2026-03-17
CVE-2026-24901 | Outline's IDOR allows unauthorized viewing and seizing of private deleted drafts — outline | 8.1 | High | 2026-03-17
CVE-2026-4208 | Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email) — Extension "E-Mail MFA Provider" | 8.1 (AI) | High (AI) | 2026-03-17
CVE-2026-2461 | Missing authorization check allows unauthorized modification of other users' comments on a board — Mattermost | 4.3 | Medium | 2026-03-16
CVE-2026-3020 | Identity based authorization bypass vulnerability (IDOR) in the Wakyma application web — Wakyma application web | 9.8 (AI) | Critical (AI) | 2026-03-16
CVE-2017-20223 | Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference — SDT-CS3B1 | 9.8 | Critical | 2026-03-16
CVE-2016-20033 | Wowza Streaming Engine 4.5.0 Local Privilege Escalation via nssm_x64.exe — Wowza Streaming Engine | 7.8 | High | 2026-03-15
CVE-2026-4171 | CodeGenieApp serverless-express API Endpoint TodoList.ts authorization — serverless-express | 6.3 | Medium | 2026-03-15
CVE-2026-1883 | Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion — Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types | 4.3 | Medium | 2026-03-15
CVE-2026-1947 | NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id — NEX-Forms – Ultimate Forms Plugin for WordPress | 7.5 | High | 2026-03-15
CVE-2026-3999 | Broken access control vulnerability affecting ID Server — ID Server | 8.8 | - | 2026-03-13
CVE-2026-2879 | GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion — GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools | 5.4 | Medium | 2026-03-13
CVE-2026-2888 | Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter — Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | 5.3 | Medium | 2026-03-13
CVE-2026-2257 | GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API — GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools | 6.4 | Medium | 2026-03-13
CVE-2026-1704 | Appointment Booking Calendar <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure — Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | 4.3 | Medium | 2026-03-13
CVE-2026-2366 | Keycloak: keycloak: information disclosure via authorization bypass in admin api — Red Hat build of Keycloak 26.4 | 3.1 | Low | 2026-03-12
CVE-2026-32131 | ZITADEL Cross-Tenant Information Disclosure in Management API — zitadel | 7.7 | High | 2026-03-11
CVE-2026-32104 | StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings — studiocms | 5.4 | Medium | 2026-03-11
CVE-2026-32103 | StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation — studiocms | 6.8 | Medium | 2026-03-11
CVE-2026-32097 | PingPong has improper access control in thread file endpoints allows access outside intended scope — pingpong | 8.1 (AI) | High (AI) | 2026-03-11

Each title ends with the affected product name. "(AI)" reproduces the listing's AI marker shown next to that CVSS score or severity; "-" means no severity is listed.

Vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key) account for 1033 CVEs. The CWE entry describes only the weakness class; review each CVE for its product-specific impact.