Weaknesses of type CWE-639
1,597 results

CVE-2026-46407 | HIGH | Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API tokens | EPSS 0.2%
CVE-2026-3073 | MEDIUM | Authorization Bypass Through User-Controlled Key in GitLab | EPSS 0.2%
CVE-2026-9228 | MEDIUM | Timetable and Event Schedule by MotoPress <= 2.4.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via action_get_event_data Function | EPSS 0.2%
CVE-2026-30843 | CRITICAL | Wekan has Cross-Board IDOR in Custom Fields Update Endpoints | EPSS 0.2%
CVE-2025-68071 | MEDIUM | WordPress Essential Real Estate plugin <= 5.3.2 - Insecure Direct Object References (IDOR) vulnerability | EPSS 0.2%
CVE-2025-68492 | LOW | Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploit | EPSS 0.2%
CVE-2026-6613 | MEDIUM | TransformerOptimus SuperAGI agent.py get_schedule_data authorization | EPSS 0.2%
CVE-2026-25744 | MEDIUM | OpenEMR: POST /api/.../vital Accepts Attacker-Supplied id and Overwrites Arbitrary Vitals | EPSS 0.2%
CVE-2026-6614 | MEDIUM | TransformerOptimus SuperAGI project.py get_projects_organisation authorization | EPSS 0.2%
CVE-2026-49141 | MEDIUM | WACRM Authorization Bypass via Automation Engine Endpoint | EPSS 0.2%
CVE-2025-62180 | HIGH | Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs. | EPSS 0.2%
CVE-2026-7144 | MEDIUM | 1000 Projects Portfolio Management System MCA update_passwd_process.php authorization | EPSS 0.2%
CVE-2025-13452 | MEDIUM | Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages | EPSS 0.2%
CVE-2025-58402 | HIGH | Insecure Direct Object Reference Message ID | EPSS 0.2%
CVE-2026-1291 | MEDIUM | Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation | EPSS 0.2%
CVE-2026-39331 | HIGH | ChurchCRM has an API Authorization Bypass Allows Authenticated User to Deactivate, Modify, and Spam Arbitrary Families | EPSS 0.2%
CVE-2026-49355 | MEDIUM | OpenProject: Private work package data disclosure through single meeting agenda item API | EPSS 0.2%
CVE-2025-65647 | MEDIUM | Insecure Direct Object Reference (IDOR) in the Track order function in PHPGURUKUL Online Shopping Portal 2.1 allows information disclosure v | EPSS 0.2%
CVE-2026-40590 | MEDIUM | FreeScout's Customer AJAX Create Modifies Hidden Existing Customer | EPSS 0.2%
CVE-2026-33764 | MEDIUM | AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions | EPSS 0.2%