Total
1318 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-2230 | 2 Wordpress, Wpdevelop | 2 Wordpress, Booking Calendar | 2026-02-19 | 4.3 Medium |
| The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users' plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user. | ||||
| CVE-2026-1987 | 2 Morelmathieuj, Wordpress | 2 Scheduler Widget, Wordpress | 2026-02-18 | 5.4 Medium |
| The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID. | ||||
| CVE-2025-12071 | 2 Absikandar, Wordpress | 2 Frontend User Notes, Wordpress | 2026-02-18 | 4.3 Medium |
| The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary notes that do not belong to them. | ||||
| CVE-2025-69752 | 1 Ideagen | 1 Q-pulse | 2026-02-18 | 4.3 Medium |
| An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL. | ||||
| CVE-2026-22235 | 2 Opexus, Opexustech | 2 Ecomplaint, Ecase Ecomplaint | 2026-02-18 | 7.5 High |
| OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files. | ||||
| CVE-2026-22234 | 2 Opexus, Opexustech | 2 Ecase Portal, Ecase Portal | 2026-02-18 | 9.8 Critical |
| OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files. | ||||
| CVE-2025-63065 | 2 Davidlingren, Wordpress | 2 Media Library Assistant, Wordpress | 2026-02-17 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in David Lingren Media LIbrary Assistant allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Media LIbrary Assistant: from n/a through 3.29. | ||||
| CVE-2025-61950 | 1 Groupsession | 3 Groupsession, Groupsession Bycloud, Groupsession Zion | 2026-02-17 | N/A |
| In GroupSession, a Circular notice can be created with its memo field non-editable, but the authorization check is improperly implemented. With some crafted request, a logged-in user may alter the memo field. The affected products and versions are GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. | ||||
| CVE-2025-12063 | 2 Axis, Axis Communications Ab | 2 Camera Station Pro, Axis Camera Station Pro | 2026-02-17 | 5.7 Medium |
| An insecure direct object reference allowed a non-admin user to modify or remove certain data objects without having the appropriate permissions. | ||||
| CVE-2026-2366 | 1 Keycloak | 1 Keycloak | 2026-02-16 | 3.1 Low |
| No description is available for this CVE. | ||||
| CVE-2025-13004 | 1 Farktor Software E-commerce Services Inc. | 1 E-commerce Package | 2026-02-13 | 6.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables.This issue affects E-Commerce Package: through 27112025. | ||||
| CVE-2026-25530 | 1 Kanboard | 1 Kanboard | 2026-02-13 | 4.3 Medium |
| Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks project-level authorization, allowing authenticated users to access swimlane data from projects they cannot access. This vulnerability is fixed in 1.2.50. | ||||
| CVE-2025-14594 | 1 Gitlab | 1 Gitlab | 2026-02-13 | 3.5 Low |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to view certain pipeline values by querying the API. | ||||
| CVE-2026-1080 | 1 Gitlab | 1 Gitlab | 2026-02-12 | 4.3 Medium |
| GitLab has remediated an issue in GitLab EE affecting all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint. | ||||
| CVE-2026-24136 | 1 Saleor | 1 Saleor | 2026-02-12 | 7.5 High |
| Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF. | ||||
| CVE-2025-10912 | 1 Saastech Cleaning And Internet Services Inc. | 1 Temizlikyolda | 2026-02-11 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Manipulating User-Controlled Variables.This issue affects TemizlikYolda: through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15096 | 2 Kamleshyadav, Wordpress | 2 Videospirecore Theme Plugin, Wordpress | 2026-02-11 | 8.8 High |
| The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | ||||
| CVE-2025-0875 | 2026-02-11 | 6.5 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection.This issue affects OBS (Student Affairs Information System): before v26.0328. | ||||
| CVE-2025-15147 | 2 Wclovers, Wordpress | 2 Wcfm Membership – Woocommerce Memberships For Multivendor Marketplace, Wordpress | 2026-02-10 | 4.3 Medium |
| The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments. | ||||
| CVE-2026-24773 | 2 Gunet, Openeclass | 2 Open Eclass Platform, Openeclass | 2026-02-10 | 7.5 High |
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user identifiers. This issue has been patched in version 4.2. | ||||