Weaknesses of type CWE-639 (Authorization Bypass Through User-Controlled Key)

1,553 results
CVE ID | Severity | Title | EPSS
CVE-2024-36399 | HIGH | Kanboard affected by Project Takeover via IDOR in ProjectPermissionController | 0.4%
CVE-2025-13822 | MEDIUM | Authentication bypass in MCPHub | 0.4%
CVE-2026-33158 | MEDIUM | Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR) | 0.4%
CVE-2026-46721 | MEDIUM | Broken Access Control in extension "Frontend User Registration" (sf_register) | 0.4%
CVE-2026-24773 | HIGH | Open eClass Unauthenticated IDOR Allows Access to Arbitrary User Files | 0.4%
CVE-2026-46764 | MEDIUM | Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter | 0.4%
CVE-2026-6206 | MEDIUM | MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter | 0.4%
CVE-2026-4896 | HIGH | WCFM - WooCommerce Frontend Manager <= 6.7.25 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation | 0.4%
CVE-2025-34437 | HIGH | AVideo < 20.1 IDOR Arbitrary Comment Image Upload | 0.4%
CVE-2026-38532 | HIGH | A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenti | 0.4%
CVE-2026-33931 | MEDIUM | OpenEMR has IDOR in Portal Payment Page that Allows Cross-Patient Record Access | 0.4%
CVE-2026-38530 | HIGH | A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authentic | 0.4%
CVE-2026-2888 | MEDIUM | Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter | 0.4%
CVE-2026-44400 | HIGH | MailEnable Enterprise Premium < 10.55 Authorization Bypass via WebAdmin | 0.4%
CVE-2026-7651 | MEDIUM | User Registration & Membership <= 5.1.5 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Media Deletion via 'profile-pic-url' Parameter | 0.4%
CVE-2026-41471 | HIGH | Easy PayPal Events & Tickets < 1.4 Information Disclosure via QR Code Endpoint | 0.3%
CVE-2023-6504 | MEDIUM | Profile Builder <= 3.10.7 - Insecure Direct Object Reference to Sensitive Information Exposure via user_meta Shortcode | 0.3%
CVE-2023-3288 | HIGH | A BOLA vulnerability in POST /providers in EasyAppointments < 1.5.0 | 0.3%
CVE-2025-7938 | MEDIUM | jerryshensjf JPACookieShop 蛋糕商城JPA版 GoodsController.java updateGoods authorization | 0.3%
CVE-2025-22608 | MEDIUM | Coolify Vulnerable to Revocation of Arbitrary Team Invitations (DOS) | 0.3%