
CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class 1033

1033 vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key). AI Chinese analysis included.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-28354 | ClipBucket v5 has IDOR in Collection Item Management | clipbucket-v5 | 4.3 | - | 2026-02-27 |
| CVE-2026-25147 | OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid | openemr | 7.1 | High | 2026-02-27 |
| CVE-2026-1558 | WP Recipe Maker <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter | WP Recipe Maker | 5.3 | Medium | 2026-02-27 |
| CVE-2026-28225 | Manyfold has IDOR in ModelFilesController | manyfold | 5.3 | Medium | 2026-02-26 |
| CVE-2026-28216 | hoppscotch has IDOR in updateUserEnvironment / deleteUserEnvironment | hoppscotch | 8.3 | High | 2026-02-26 |
| CVE-2026-27839 | wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup | wger | 4.3 | Medium | 2026-02-26 |
| CVE-2026-27838 | wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data | wger | 3.1 | Low | 2026-02-26 |
| CVE-2026-27835 | wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data | wger | 4.3 | Medium | 2026-02-26 |
| CVE-2026-26078 | Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint | discourse | 7.5 | High | 2026-02-26 |
| CVE-2026-27943 | OpenEMR's Eye Exam View Trusts form_id Without Verifying Patient/Encounter Ownership | openemr | 6.5 | Medium | 2026-02-26 |
| CVE-2026-25930 | OpenEMR's Printable LBF Endpoint Leaks Arbitrary Patient Forms | openemr | 6.5 | Medium | 2026-02-25 |
| CVE-2026-25929 | OpenEMR Patient Picture Context Allows Arbitrary Patient Photo Retrieval | openemr | 6.5 | Medium | 2026-02-25 |
| CVE-2026-25927 | OpenEMR Missing Authorization Checks in DICOM Viewer State API | openemr | 7.1 | High | 2026-02-25 |
| CVE-2026-25220 | OpenEMR Messages "Show All" Not Restricted to Admins | openemr | 4.3 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2026-27705 | Plane Vulnerable to Cross-Workspace/Cross-Project Asset Modification via IDOR in ProjectAssetEndpoint.patch | plane | 6.5 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2026-3185 | feiyuchuixue sz-boot-parent API Endpoint sys-message authorization | sz-boot-parent | 5.3 | Medium | 2026-02-25 |
| CVE-2025-14742 | WP Recipe Maker <= 10.2.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure | WP Recipe Maker | 4.3 | Medium | 2026-02-25 |
| CVE-2026-2698 | Improper Access Control | Security Center | 6.5 | Medium | 2026-02-23 |
| CVE-2026-2697 | Indirect Object Reference (IDOR) in Security Center | Security Center | 6.3 | Medium | 2026-02-23 |
| CVE-2026-2997 | WisdomGarden\|Tronclass - Insecure Direct Object Reference | Tronclass | 5.4 | Medium | 2026-02-23 |
| CVE-2025-15582 | detronetdip E-commerce Product Management Update authorization | E-commerce | 5.4 | Medium | 2026-02-20 |
| CVE-2026-24950 | WordPress Authorsy plugin <= 1.0.6 - Insecure Direct Object References (IDOR) vulnerability | Authorsy | 6.5 (AI) | Medium (AI) | 2026-02-20 |
| CVE-2026-22383 | WordPress PawFriends - Pet Shop and Veterinary WordPress theme theme <= 1.3 - Insecure Direct Object References (IDOR) vulnerability | PawFriends - Pet Shop and Veterinary WordPress Theme | 7.5 | High | 2026-02-20 |
| CVE-2025-69394 | WordPress Cnvrse plugin < 026.02.10.20 - Insecure Direct Object References (IDOR) vulnerability | Cnvrse | 7.5 | High | 2026-02-20 |
| CVE-2025-68514 | WordPress Paid Member Subscriptions plugin <= 2.16.8 - Insecure Direct Object References (IDOR) vulnerability | Paid Member Subscriptions | 8.1 (AI) | High (AI) | 2026-02-20 |
| CVE-2025-68051 | WordPress Shiprocket plugin <= 2.0.8 - Insecure Direct Object References (IDOR) vulnerability | Shiprocket | 7.5 | High | 2026-02-20 |
| CVE-2026-26016 | Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization | panel | 8.1 | - | 2026-02-19 |
| CVE-2025-9062 | IDOR in MeCODE Informatics' Envanty | Envanty | 7.3 | High | 2026-02-19 |
| CVE-2026-1219 | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar | 5.3 | Medium | 2026-02-19 |
| CVE-2026-25324 | WordPress Quiz And Survey Master plugin <= 10.3.4 - Insecure Direct Object References (IDOR) vulnerability | Quiz And Survey Master | 9.1 (AI) | Critical (AI) | 2026-02-19 |

Vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key) represent 1033 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.