
CWE-639 (Authorization Bypass Through User-Controlled Key) — Vulnerability Class 1038

1038 vulnerabilities are classified as CWE-639 (Authorization Bypass Through User-Controlled Key). AI-generated Chinese analysis is included for each entry.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-68051 | WordPress Shiprocket plugin <= 2.0.8 - Insecure Direct Object References (IDOR) vulnerability | Shiprocket | 7.5 | High | 2026-02-20 |
| CVE-2026-26016 | Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization | panel | 8.1 | - | 2026-02-19 |
| CVE-2025-9062 | IDOR in MeCODE Informatics' Envanty | Envanty | 7.3 | High | 2026-02-19 |
| CVE-2026-1219 | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar | 5.3 | Medium | 2026-02-19 |
| CVE-2026-25324 | WordPress Quiz And Survey Master plugin <= 10.3.4 - Insecure Direct Object References (IDOR) vulnerability | Quiz And Survey Master | 9.1 (AI) | Critical (AI) | 2026-02-19 |
| CVE-2026-25005 | WordPress Frontend File Manager plugin <= 23.5 - Insecure Direct Object References (IDOR) vulnerability | Frontend File Manager | 9.1 (AI) | Critical (AI) | 2026-02-19 |
| CVE-2025-13842 | Breadcrumb NavXT <= 7.5.0 - Missing Authorization to Sensitive Information Exposure | Breadcrumb NavXT | 5.3 | Medium | 2026-02-19 |
| CVE-2026-25120 | Gogs Allows Cross-Repository Comment Deletion via DeleteComment | gogs | 4.9 | - | 2026-02-19 |
| CVE-2026-2230 | Booking Calendar <= 10.14.14 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification | Booking Calendar | 4.3 | Medium | 2026-02-18 |
| CVE-2026-1436 | Improper Access Control (IDOR) vulnerability in Graylog Web Interface | Graylog Web Interface | 6.5 | - | 2026-02-18 |
| CVE-2025-12071 | Frontend User Notes <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification | Frontend User Notes | 4.3 | Medium | 2026-02-18 |
| CVE-2026-1987 | Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification | Scheduler Widget | 5.4 | Medium | 2026-02-14 |
| CVE-2026-1619 | IDOR in Universal Sotware's FlexCity/Kiosk | FlexCity/Kiosk | 8.3 | High | 2026-02-13 |
| CVE-2025-13004 | IDOR in Farktor Software's E-Commerce Package | E-Commerce Package | 6.3 | Medium | 2026-02-12 |
| CVE-2025-14594 | Authorization Bypass Through User-Controlled Key in GitLab | GitLab | 3.5 | Low | 2026-02-11 |
| CVE-2026-1080 | Authorization Bypass Through User-Controlled Key in GitLab | GitLab | 4.3 | Medium | 2026-02-11 |
| CVE-2025-15096 | Videospirecore Theme Plugin <= 1.0.6 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover | Videospirecore Theme Plugin | 8.8 | High | 2026-02-11 |
| CVE-2025-10912 | IDOR in saastech.io's TemizlikYolda | TemizlikYolda | 5.4 | Medium | 2026-02-11 |
| CVE-2026-25530 | Kanboard is missing authorization check in getSwimlane API allows cross-project data access | kanboard | 4.3 | Medium | 2026-02-10 |
| CVE-2025-7347 | IDOR in Dinibh Puzzle's Dinibh Patrol Tracking System | Dinibh Patrol Tracking System | 8.8 | High | 2026-02-10 |
| CVE-2025-12063 | Axis Camera Station Pro security vulnerability | AXIS Camera Station Pro | 5.7 | Medium | 2026-02-10 |
| CVE-2025-15147 | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | 4.3 | Medium | 2026-02-09 |
| CVE-2026-25497 | Craft has a GraphQL Asset Mutation Privilege Escalation | cms | 8.8 (AI) | High (AI) | 2026-02-09 |
| CVE-2026-24900 | MarkUs has a submission-view IDOR exposes all student submissions | Markus | 6.5 | Medium | 2026-02-09 |
| CVE-2026-25567 | WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId | WeKan | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25564 | WeKan < 8.19 Checklist Deletion IDOR via Missing Relationship Validation | WeKan | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25563 | WeKan < 8.19 Checklist Creation Cross-Board IDOR | WeKan | 6.5 (AI) | Medium (AI) | 2026-02-07 |
| CVE-2026-25757 | Unauthenticated Spree Commerce users can view completed guest orders by Order ID | spree | 5.3 (AI) | Medium (AI) | 2026-02-06 |
| CVE-2026-25758 | Spree allows unauthenticated users can access all guest addresses | spree | 6.5 (AI) | Medium (AI) | 2026-02-06 |
| CVE-2026-25574 | Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments) | payload | 5.4 | Medium | 2026-02-06 |

Scores and severities marked "(AI)" are AI-estimated rather than vendor- or NVD-assigned.

Vulnerabilities classified as CWE-639 (Authorization Bypass Through User-Controlled Key) account for 1038 CVEs. The CWE entry describes the weakness class only; review each CVE individually for its product-specific impact.