Weaknesses of type CWE-639
1,581 results (first 20 shown)

CVE | Severity | Title | EPSS
CVE-2025-49352 | MEDIUM | WordPress Order Cancellation & Returns for WooCommerce plugin <= 1.1.10 - Insecure Direct Object References (IDOR) vulnerability | 0.2%
CVE-2026-56385 | MEDIUM | Craft CMS - Authorization Bypass in assets/preview-file Endpoint | 0.2%
CVE-2026-56229 | HIGH | Capgo - Cross-App Build Job Access via app_id/job_id Mismatch in /build/status and /build/logs | 0.2%
CVE-2026-38587 | MEDIUM | An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple RES | 0.2%
CVE-2025-65031 | MEDIUM | Rallly Improper Authorization in Comment Endpoint Allows User Impersonation | 0.2%
CVE-2026-28433 | LOW | Misskey lacks resource ownership validation | 0.2%
CVE-2026-28736 | MEDIUM | Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix) | 0.2%
CVE-2026-13512 | MEDIUM | Databend Tenant client_session_manager.rs state_key authorization | 0.2%
CVE-2025-15626 | MEDIUM | Authenticated user can bypass authorization in Ribblr - Crochet & Knitting iOS application | 0.2%
CVE-2025-57886 | MEDIUM | WordPress Accessibility Checker by Equalize Digital Plugin <= 1.30.0 - Insecure Direct Object References (IDOR) Vulnerability | 0.2%
CVE-2026-25147 | HIGH | OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid | 0.2%
CVE-2026-23487 | MEDIUM | Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token | 0.2%
CVE-2025-11176 | MEDIUM | Quick Featured Images <= 13.7.2 - Insecure Direct Object Reference to Image Manipulation | 0.2%
CVE-2025-13932 | HIGH | The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any au | 0.2%
CVE-2026-47713 | LOW | AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration | 0.2%
CVE-2026-27397 | MEDIUM | WordPress Really Simple Security Pro plugin <= 9.5.4.0 - Insecure Direct Object References (IDOR) vulnerability | 0.2%
CVE-2026-9712 | LOW | Insecure direct object reference | 0.2%
CVE-2026-6008 | MEDIUM | IDOR in Im Park's DijiDemi | 0.2%
CVE-2026-1881 | MEDIUM | Broadstreet <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta | 0.2%
CVE-2026-5396 | HIGH | Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter | 0.2%