VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

Abstraction: Base | Status: Incomplete | Likelihood of Exploit: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVEs mapped to this weakness (1,068)

page 14 of 54
  • CVE-2026-42517 (High) Apr 29, 2026
    risk 0.46, cvss not listed, epss 0.00

    This vulnerability exists in e-Sushrut due to the use of reversible Base64 encoding for protecting sensitive data. An authenticated attacker could exploit this vulnerability by decoding and manipulating Base64-encoded parameters in the request URL to gain unauthorized access to…

  • CVE-2026-42516 (High) Apr 29, 2026
    risk 0.46, cvss not listed, epss 0.00

    This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted…

  • CVE-2026-42515 (High) Apr 29, 2026
    risk 0.46, cvss not listed, epss 0.00

    This vulnerability exists in e-Sushrut due to improper access control in resource access validation. An authenticated attacker could exploit this vulnerability by manipulating a parameter in the API request URL to gain unauthorized access to sensitive information of patients on…

  • CVE-2026-28747 (High) Apr 27, 2026
    risk 0.46, cvss 7.1, epss 0.00

    A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras and allows authorization to be bypassed.

  • CVE-2026-40867 (High) Apr 21, 2026
    risk 0.46, cvss not listed, epss 0.00

    Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose…

  • CVE-2026-40865 (High) Apr 21, 2026
    risk 0.46, cvss not listed, epss 0.00

    Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This…

  • CVE-2026-40252 (High) Apr 10, 2026
    risk 0.46, cvss 8.1, epss 0.00

    FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token,…

  • CVE-2026-39331 (High) Apr 7, 2026
    risk 0.46, cvss 8.1, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords…

  • CVE-2026-35183 (High) Apr 6, 2026
    risk 0.46, cvss 7.1, epss 0.00

    Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a…

  • CVE-2026-35045 (High) Apr 6, 2026
    risk 0.46, cvss 8.1, epss 0.00

    Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes…

  • CVE-2026-3453 (High) Mar 11, 2026
    risk 0.46, cvss 8.1, epss 0.00

    The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout…

  • CVE-2026-1375 (High) Feb 3, 2026
    risk 0.46, cvss 8.1, epss 0.00

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`,…

  • CVE-2026-23843 (High) Jan 19, 2026
    risk 0.46, cvss 7.1, epss 0.00

    teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality.…

  • CVE-2025-14101 (High) Dec 17, 2025
    risk 0.46, cvss 7.1, epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers. This issue affects PaperWork: from 5.2.0.9427 before 6.0.

  • CVE-2025-4040 (High) Jul 21, 2025
    risk 0.46, cvss 7.1, epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Turpak Automatic Station Monitoring System allows Privilege Escalation. This issue affects Automatic Station Monitoring System: before 5.0.6.51.

  • CVE-2025-3519 (High) Apr 22, 2025
    risk 0.46, cvss not listed, epss 0.00

    An authorization bypass in Unblu Spark allows a participant of a conversation to replace an existing, uploaded file. Every uploaded file in Unblu gets assigned with a randomly generated Universally Unique ID (UUID). In case a participant of this or another conversation gets…

  • CVE-2023-0550 (High) Jan 27, 2023
    risk 0.46, cvss 8.1, epss 0.01

    The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action…

  • CVE-2018-16606 (Medium) Sep 6, 2018
    risk 0.46, cvss 6.5, epss 0.06

    In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter).

  • CVE-2015-0266 (High) Apr 11, 2016
    risk 0.46, cvss 7.1, epss 0.02

    The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs.

  • CVE-2026-46721 (Medium) May 19, 2026
    risk 0.45, cvss not listed, epss 0.00

    The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining…