Total
1235 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41077 | 1 Viafirma | 1 Inbox | 2026-01-29 | N/A | 8.1 HIGH |
| IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality to access the application by impersonating any user, including those with administrative permissions. | |||||
| CVE-2025-1270 | 1 Anapi | 1 H6web | 2026-01-29 | N/A | 9.1 CRITICAL |
| Insecure direct object reference (IDOR) vulnerability in Anapi Group's h6web, allows an authenticated attacker to access other users' information by making a POST request and modifying the “pkrelated” parameter in the “/h6web/ha_datos_hermano.php” endpoint to refer to another user. In addition, the first request could also allow the attacker to impersonate other users. As a result, all requests made after exploitation of the IDOR vulnerability will be executed with the privileges of the impersonated user. | |||||
| CVE-2024-4464 | 1 Synology | 1 Media Server | 2026-01-29 | N/A | 7.5 HIGH |
| Authorization bypass through user-controlled key vulnerability in streaming service in Synology Media Server before 1.4-2680, 2.0.5-3152 and 2.2.0-3325 allows remote attackers to read specific files via unspecified vectors. | |||||
| CVE-2026-1201 | 2026-01-29 | N/A | N/A | ||
| An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation. | |||||
| CVE-2020-37008 | 2026-01-29 | N/A | 7.5 HIGH | ||
| EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user passwords without proper token authentication. | |||||
| CVE-2026-1389 | 2026-01-29 | N/A | 5.3 MEDIUM | ||
| The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter. | |||||
| CVE-2026-24134 | 2026-01-29 | N/A | 6.5 MEDIUM | ||
| StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users. Version 0.2.0 patches the issue. | |||||
| CVE-2025-7013 | 2026-01-29 | N/A | 5.7 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers.This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-69032 | 1 Qodeinteractive | 1 Fivestar | 2026-01-29 | N/A | 5.4 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiveStar: from n/a through <= 1.7. | |||||
| CVE-2025-69030 | 1 Qodeinteractive | 1 Backpack Traveler | 2026-01-29 | N/A | 5.4 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backpack Traveler: from n/a through <= 2.10.3. | |||||
| CVE-2020-16194 | 1 Store-opart | 1 Op\'art Devis | 2026-01-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| An Insecure Direct Object Reference (IDOR) vulnerability was found in Prestashop Opart devis < 4.0.2. Unauthenticated attackers can have access to any user's invoice and delivery address by exploiting an IDOR on the delivery_address and invoice_address fields. | |||||
| CVE-2026-22411 | 2026-01-27 | N/A | 5.4 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Dolcino dolcino allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dolcino: from n/a through <= 1.6. | |||||
| CVE-2026-22409 | 2026-01-27 | N/A | 5.4 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justicia: from n/a through <= 1.2. | |||||
| CVE-2026-22407 | 2026-01-27 | N/A | 5.4 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Roam: from n/a through <= 2.1.1. | |||||
| CVE-2026-22406 | 2026-01-27 | N/A | 5.4 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Overton: from n/a through <= 1.3. | |||||
| CVE-2026-22391 | 2026-01-27 | N/A | 5.4 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cocco: from n/a through <= 1.5.1. | |||||
| CVE-2026-22404 | 2026-01-27 | N/A | 5.4 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Innovio: from n/a through <= 1.7. | |||||
| CVE-2026-1213 | 2026-01-27 | N/A | N/A | ||
| All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users.This issue affects askbot: 0.12.2. | |||||
| CVE-2025-9520 | 2026-01-27 | N/A | N/A | ||
| An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. | |||||
| CVE-2025-14459 | 2026-01-27 | N/A | 8.5 HIGH | ||
| A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism. | |||||