Total
1566 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-50849 | 1 Cs-cart | 1 Cs-cart | 2026-04-15 | 8 High |
| CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users' accounts and toggle the sticker setting by modifying the company_id or other object identifiers. | ||||
| CVE-2024-32604 | 1 Wordpress | 1 Adserve | 2026-04-15 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Plechev Andrey WP-Recall.This issue affects WP-Recall: from n/a through 16.26.5. | ||||
| CVE-2025-13124 | 1 Netiket | 1 Applylogic | 2026-04-15 | 7.6 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers.This issue affects ApplyLogic: through 01.12.2025. | ||||
| CVE-2019-25235 | 1 Smartwares | 1 Home Easy | 2026-04-15 | 9.8 Critical |
| Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system information. | ||||
| CVE-2024-33818 | 1 Globitel | 1 Speechlog | 2026-04-15 | 7.5 High |
| Globitel KSA SpeechLog v8.1 was discovered to contain an Insecure Direct Object Reference (IDOR) via the userID parameter. | ||||
| CVE-2025-10024 | 1 Exert | 1 Education Management System | 2026-04-15 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection.This issue affects Education Management System: through 23.09.2025. | ||||
| CVE-2025-14742 | 2 Brechtvds, Wordpress | 2 Wp Recipe Maker, Wordpress | 2026-04-15 | 4.3 Medium |
| The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive recipe information including draft, pending, and private recipes that they shouldn't be able to access. | ||||
| CVE-2025-26965 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Amelia: from n/a through <= 1.2.16. | ||||
| CVE-2025-12351 | 1 Honeywell | 1 S35 Camera | 2026-04-15 | 6.8 Medium |
| Honeywell S35 Series Cameras contains an authorization bypass Vulnerability through User controller key. An attacker could potentially exploit this vulnerability, leading to Privilege Escalation to admin privileged functionalities . Honeywell also recommends updating to the most recent version of this product, service or offering (S35 Pinhole/Kit Camera to version 2025.08.28, S35 AI Fisheye & Dual Sensor/Micro Dome/Full Color Eyeball & Bullet Camera to version 2025.08.22, S35 Thermal Camera to version 2025.08.26). | ||||
| CVE-2025-10719 | 1 Wisdomgarden | 1 Tronclass | 2026-04-15 | 4.3 Medium |
| Tronclass developed by WisdomGarden has an Insecure Direct object Reference vulnerability, allowing remote attackers with regular privilege to modify a specific parameter to access other users' files. | ||||
| CVE-2025-0337 | 2026-04-15 | 6.5 Medium | ||
| ServiceNow has addressed an authorization bypass vulnerability that was identified in the Washington release of the Now Platform. This vulnerability, if exploited, potentially could enable an authenticated user to access unauthorized data stored within the Now Platform that the user otherwise would not be entitled to access. This issue is addressed in the listed patches and family release, which have been made available to hosted and self-hosted customers, as well as partners. | ||||
| CVE-2024-45032 | 1 Siemens | 2 Industrial Edge Management Pro, Industrial Edge Management Virtual | 2026-04-15 | 10 Critical |
| A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge Management Virtual (All versions < V2.3.1-1). Affected components do not properly validate the device tokens. This could allow an unauthenticated remote attacker to impersonate other devices onboarded to the system. | ||||
| CVE-2023-32189 | 2026-04-15 | 5.9 Medium | ||
| Insecure handling of ssh keys used to bootstrap clients allows local attackers to potentially gain access to the keys | ||||
| CVE-2025-7899 | 2026-04-15 | N/A | ||
| The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0 | ||||
| CVE-2020-37008 | 1 Elektraweb | 1 Easypms | 2026-04-15 | 7.5 High |
| EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user passwords without proper token authentication. | ||||
| CVE-2024-38827 | 2026-04-15 | 4.8 Medium | ||
| The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly. | ||||
| CVE-2025-12071 | 2 Absikandar, Wordpress | 2 Frontend User Notes, Wordpress | 2026-04-15 | 4.3 Medium |
| The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary notes that do not belong to them. | ||||
| CVE-2025-8057 | 1 Patika Global Technologies | 1 Humansuite | 2026-04-15 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key, Externally Controlled Reference to a Resource in Another Sphere, Improper Authorization vulnerability in Patika Global Technologies HumanSuite allows Exploiting Trust in Client.This issue affects HumanSuite: before 53.21.0. | ||||
| CVE-2024-12309 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.4 via the get_post_status() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to vote on unpublished scheduled posts. | ||||
| CVE-2026-1271 | 2 Metagauss, Wordpress | 2 Profilegrid, Wordpress | 2026-04-15 | 5.3 Medium |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user's profile picture or cover image, including administrators. | ||||