Weaknesses of type CWE-639 (Authorization Bypass Through User-Controlled Key)
1,597 results

CVE ID | Severity | Title | EPSS
CVE-2026-30825 | NONE | hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token | 0.2%
CVE-2026-58447 | HIGH | Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check | 0.2%
CVE-2026-54009 | MEDIUM | Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field | 0.2%
CVE-2026-35489 | HIGH | Tandoor Recipes — `amount`/`unit` bypass serializer in `food/{id}/shopping/` | 0.2%
CVE-2025-65028 | MEDIUM | Rallly Has an IDOR Vulnerability in Vote Update Endpoint Allows Unauthorized Manipulation of Participant Votes | 0.2%
CVE-2025-65032 | MEDIUM | Rallly Has an IDOR Vulnerability in Participant Rename Function Allows Unauthorized Modification of Other Users' Names | 0.2%
CVE-2026-26078 | HIGH | Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint | 0.2%
CVE-2025-13109 | MEDIUM | HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query' | 0.2%
CVE-2025-0640 | MEDIUM | IDOR in Akinsoft's OctoCloud | 0.2%
CVE-2026-57498 | CRITICAL | Coolify Cross-Team IDOR: Livewire Components Accept Unscoped server_id and destination_uuid — Deploy to Other Teams' Servers | 0.2%
CVE-2025-0670 | MEDIUM | IDOR in Akinsoft's ProKuafor | 0.2%
CVE-2026-10154 | MEDIUM | Dolibarr ERP CRM messaging.php authorization | 0.2%
CVE-2025-14742 | MEDIUM | WP Recipe Maker <= 10.2.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure | 0.2%
CVE-2026-30857 | MEDIUM | WeKnora: Unauthorized Cross-Tenant Knowledge Base Cloning | 0.2%
CVE-2025-55621 | MEDIUM | An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download | 0.2%
CVE-2026-38587 | MEDIUM | An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple RES | 0.2%
CVE-2025-49352 | MEDIUM | WordPress Order Cancellation & Returns for WooCommerce plugin <= 1.1.10 - Insecure Direct Object References (IDOR) vulnerability | 0.2%
CVE-2026-56229 | HIGH | Capgo - Cross-App Build Job Access via app_id/job_id Mismatch in /build/status and /build/logs | 0.2%
CVE-2026-28433 | LOW | Misskey lacks resource ownership validation | 0.2%
CVE-2025-65031 | MEDIUM | Rallly Improper Authorization in Comment Endpoint Allows User Impersonation | 0.2%
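Nearly every entry above shares one shape: the caller is authenticated, but the handler fetches the target object by a client-supplied key (token id, playlist id, server_id, job_id) without checking that the key belongs to the caller. The following is an added illustration of that pattern and its fix, written for this page; it is not code from any of the projects listed, and the token store, user ids and function names are constructed for the example.

```python
"""CWE-639 / IDOR in miniature: a "revoke personal access token" operation.

The vulnerable handler trusts the user-controlled token_id alone. The fixed
handler scopes the lookup to the authenticated principal, so a key that is not
the caller's own resolves to "not found" instead of to someone else's object.
All data here is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    token_id: int
    owner_id: int
    label: str


class NotFound(Exception):
    """Raised for keys the caller may not act on (missing or not owned)."""


# Constructed sample store: two users, one personal access token each.
TOKENS = {
    101: Token(token_id=101, owner_id=1, label="alice-ci"),
    102: Token(token_id=102, owner_id=2, label="bob-laptop"),
}


def revoke_token_vulnerable(store, caller_id, token_id):
    """Authentication happened (caller_id is known), but authorization did not:
    the lookup uses only token_id, so any user can revoke any token."""
    token = store.get(token_id)
    if token is None:
        raise NotFound(token_id)
    del store[token_id]  # caller_id is never compared to token.owner_id
    return token


def revoke_token_fixed(store, caller_id, token_id):
    """Scope the lookup to the caller's own objects.

    Treating a non-owned key exactly like a missing key (same exception, same
    message) also avoids confirming to an enumerating client that the key
    exists at all.
    """
    token = store.get(token_id)
    if token is None or token.owner_id != caller_id:
        raise NotFound(token_id)
    del store[token_id]
    return token


def demo():
    """Bob (user 2) tries to revoke Alice's token 101 against both handlers.

    Returns (owner of the token the vulnerable path deleted,
             whether 101 survived in the vulnerable store,
             whether the fixed path refused,
             whether 101 survived in the fixed store).
    """
    vuln_store = dict(TOKENS)
    fixed_store = dict(TOKENS)

    stolen = revoke_token_vulnerable(vuln_store, caller_id=2, token_id=101)

    try:
        revoke_token_fixed(fixed_store, caller_id=2, token_id=101)
        refused = False
    except NotFound:
        refused = True

    return stolen.owner_id, 101 in vuln_store, refused, 101 in fixed_store


if __name__ == "__main__":
    print(demo())
```

The same correction applies to the cross-team and cross-app cases in the list: a foreign key accepted from the client (a server, destination or job identifier) must be resolved inside the caller's tenant, typically by querying with both the tenant id and the object id, rather than looked up globally and then used.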