Unrated severityOSV Advisory· Published Dec 17, 2025· Updated Apr 7, 2026

ProjectSend r1605 Insecure Direct Object Reference File Download Vulnerability

CVE-2023-53930

Description

ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.php.

Affected products

Projectsend/ProjectsendOSV
Range: Stable, r1053, r1070, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/51400mitreexploit
www.vulncheck.com/advisories/projectsend-insecure-direct-object-reference-file-download-vulnerabilitymitrethird-party-advisory
www.projectsend.orgmitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000