VYPR

CWE-639

Authorization Bypass Through User-Controlled Key

Abstraction: Base | Status: Incomplete | Likelihood: High

Description

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (1,068)

page 19 of 54
  • CVE-2023-47191 (Med) Dec 21, 2023
    risk 0.42 | cvss 6.5 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in KaineLabs Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. This issue affects Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for…

  • CVE-2023-32799 (Med) Dec 21, 2023
    risk 0.42 | cvss 6.5 | epss 0.01

    Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses. This issue affects Shipping Multiple Addresses: from n/a through 3.8.3.

  • CVE-2023-2173 (Med) Aug 31, 2023
    risk 0.42 | cvss 6.5 | epss 0.00

    The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_delete_step_ajax_handler, badgeos_delete_award_step_ajax_handler,…

  • CVE-2023-32078 (High) Aug 24, 2023
    risk 0.42 | cvss 7.5 | epss 0.01

    Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is…

  • CVE-2023-0694 (Med) Jun 9, 2023
    risk 0.42 | cvss 6.5 | epss 0.01

    The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about…

  • CVE-2023-0693 (Med) Jun 9, 2023
    risk 0.42 | cvss 6.5 | epss 0.01

    The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_transaction_id' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive…

  • CVE-2023-0688 (Med) Jun 9, 2023
    risk 0.42 | cvss 6.5 | epss 0.01

    The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_thankyou' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive…

  • CVE-2026-40792 (Med) Jun 15, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.

  • CVE-2026-11461 (Med) Jun 7, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function resolve_session_by_title of the file hermes_state.py of the component resume Endpoint. Such manipulation of the argument Title leads to authorization bypass. It is possible to…

  • CVE-2026-10212 (Med) Jun 1, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability was identified in AstrBotDevs AstrBot 4.24.2. This affects the function astr_main_agent of the file astrbot/core/astr_main_agent.py. Such manipulation of the argument session_id leads to authorization bypass. It is possible to launch the attack remotely. The…

  • CVE-2026-8786 (Med) May 18, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to…

  • CVE-2026-7782 (Med) May 4, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in authorization bypass. The attack may be…

  • CVE-2026-6614 (Med) Apr 20, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A security flaw has been discovered in TransformerOptimus SuperAGI up to 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superagi/controllers/project.py. The manipulation results in authorization bypass. The…

  • CVE-2026-6613 (Med) Apr 20, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Affected is the function delete_agent/stop_schedule/get_schedule_data of the file superagi/controllers/agent.py. The manipulation of the argument agent_id leads to authorization bypass. The attack is…

  • CVE-2026-6612 (Med) Apr 20, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This impacts the function get_agent_execution/update_agent_execution of the file superagi/controllers/agent_execution.py of the component Agent Execution Endpoint. Executing a manipulation of the…

  • CVE-2026-6586 (Med) Apr 20, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Impacted is the function get_budget/update_budget of the file superagi/controllers/budget.py of the component Budget Endpoint. Such manipulation leads to authorization bypass. It is possible to launch…

  • CVE-2026-6571 (Med) Apr 19, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A weakness has been identified in kodcloud KodExplorer up to 4.52. Affected by this vulnerability is the function roleGroupAction of the file /app/controller/systemRole.class.php. Executing a manipulation of the argument group_role can lead to authorization bypass. The attack…

  • CVE-2026-4171 (Med) Mar 16, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the…

  • CVE-2026-2697 (Med) Feb 23, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.

  • CVE-2025-13004 (Med) Feb 12, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables. This issue affects E-Commerce Package: through 27112025.