
CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class 1038

1038 vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key). AI Chinese analysis included.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-2366 | Keycloak: keycloak: information disclosure via authorization bypass in admin api | Red Hat build of Keycloak 26.4 | 3.1 | Low | 2026-03-12 |
| CVE-2026-32131 | ZITADEL Cross-Tenant Information Disclosure in Management API | zitadel | 7.7 | High | 2026-03-11 |
| CVE-2026-32104 | StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings | studiocms | 5.4 | Medium | 2026-03-11 |
| CVE-2026-32103 | StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation | studiocms | 6.8 | Medium | 2026-03-11 |
| CVE-2026-32097 | PingPong has improper access control in thread file endpoints allows access outside intended scope | pingpong | 8.1 (AI) | High (AI) | 2026-03-11 |
| CVE-2019-25487 | SAPIDO RB-1732 V2.0.43 Remote Command Execution via formSysCmd | RB-1732 | 9.8 | Critical | 2026-03-11 |
| CVE-2026-31867 | Craft Commerce has a Potential IDOR in Commerce carts | commerce | 8.1 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-1992 | ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) | 8.8 | High | 2026-03-11 |
| CVE-2026-2917 | Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter | Happy Addons for Elementor | 5.4 | Medium | 2026-03-11 |
| CVE-2026-2918 | Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions | Happy Addons for Elementor | 6.4 | Medium | 2026-03-11 |
| CVE-2026-3453 | ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | 8.1 | High | 2026-03-11 |
| CVE-2026-31832 | Umbraco Backoffice API Allows Unauthorized Modification of Domain Data | Umbraco-CMS | 5.4 | Medium | 2026-03-10 |
| CVE-2026-31820 | Sylius affected by IDOR in Cart and Checkout LiveComponents | Sylius | 8.1 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-30954 | LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy() | LinkAce | 4.3 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-3306 | Improper authorization in GitHub Projects allows modification of issue and pull request metadata without repository write access | Enterprise Server | 4.3 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-30969 | Coral Server has insufficient agent authentication in session communication channels | coral-server | 9.1 (AI) | Critical (AI) | 2026-03-10 |
| CVE-2026-30945 | StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service | studiocms | 7.1 | High | 2026-03-10 |
| CVE-2026-30944 | StudioCMS Affected by Privilege Escalation via Insecure API Token Generation | studiocms | 8.8 | High | 2026-03-10 |
| CVE-2026-30927 | Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter | admidio | 5.4 (AI) | Medium (AI) | 2026-03-09 |
| CVE-2026-28433 | Misskey lacks resource ownership validation | misskey | 7.1 (AI) | High (AI) | 2026-03-09 |
| CVE-2026-30857 | WeKnora: Unauthorized Cross-Tenant Knowledge Base Cloning | WeKnora | 5.3 | Medium | 2026-03-07 |
| CVE-2026-30825 | hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token | hoppscotch | - | - | 2026-03-07 |
| CVE-2026-30823 | Flowise: IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration | Flowise | 8.1 | - | 2026-03-07 |
| CVE-2026-30231 | Flare: Private File IDOR via raw/direct endpoints | Flare | 6.5 | - | 2026-03-06 |
| CVE-2026-30230 | Flare: Password-Protected Thumbnail Bypass | Flare | 7.5 | - | 2026-03-06 |
| CVE-2026-30843 | Wekan has Cross-Board IDOR in Custom Fields Update Endpoints | Wekan | 6.5 | - | 2026-03-06 |
| CVE-2026-28469 | OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity | OpenClaw | 7.5 | High | 2026-03-05 |
| CVE-2026-27898 | Vaultwarden: Unauthorized Access via Partial Update API on Another User's Cipher | vaultwarden | 5.4 | Medium | 2026-03-04 |
| CVE-2026-29069 | Craft has an unauthenticated activation email trigger with potential user enumeration | cms | 8.1 (AI) | High (AI) | 2026-03-04 |
| CVE-2026-28782 | Craft has a Permission Bypass and IDOR in Duplicate Entry Action | cms | 6.5 (AI) | Medium (AI) | 2026-03-04 |

Scores and severities marked "(AI)" carry the listing's AI badge; a "-" means no CVSS score or severity was shown for that entry.

Vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key) represent 1038 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.