Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3234 vulnerabilities reference this CWE, most recent first.

GHSA-VV7W-FWVC-GWHJ

Vulnerability from github – Published: 2025-07-25 21:33 – Updated: 2025-07-25 21:33
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (validate-initial-sql api modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T19:15:40Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (validate-initial-sql api modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19.",
  "id": "GHSA-vv7w-fwvc-gwhj",
  "modified": "2025-07-25T21:33:50Z",
  "published": "2025-07-25T21:33:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52448"
    },
    {
      "type": "WEB",
      "url": "https://help.salesforce.com/s/articleView?id=005105043\u0026type=1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVJM-MJQ4-27C8

Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-25 21:31
VLAI
Details

Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate persistent login sessions of any user, including administrators, forcing re-authentication and causing denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T19:16:44Z",
    "severity": "MODERATE"
  },
  "details": "Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users\u0027 Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate persistent login sessions of any user, including administrators, forcing re-authentication and causing denial of service.",
  "id": "GHSA-vvjm-mjq4-27c8",
  "modified": "2026-06-25T21:31:30Z",
  "published": "2026-06-25T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56774"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/issues/5829"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/pull/5831"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kanboard/kanboard/commit/928c68aa2b7c00092dd71084d329b912e229f3d1"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/kanboard-cross-user-deletion-of-persistent-login-sessions-via-unvalidated-session-id"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VVVQ-Q595-47G3

Vulnerability from github – Published: 2025-04-08 03:32 – Updated: 2025-04-08 03:32
VLAI
Details

The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile' function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2526"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T02:15:20Z",
    "severity": "HIGH"
  },
  "details": "The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user\u0027s identity prior to updating their details like email in the \u0027st_Authentication_Controller::edit_profile\u0027 function. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s email addresses, including administrators, and leverage that to reset the user\u0027s password and gain access to their account.",
  "id": "GHSA-vvvq-q595-47g3",
  "modified": "2025-04-08T03:32:37Z",
  "published": "2025-04-08T03:32:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2526"
    },
    {
      "type": "WEB",
      "url": "https://documentation.iqonic.design/streamit/change-log/streamit-v4-0"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/streamit-video-streaming-wordpress-theme/29772881"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/057abffb-1c52-49ca-8791-ca44f0c5a011?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VW88-9F5H-6PX5

Vulnerability from github – Published: 2022-05-27 00:00 – Updated: 2022-06-11 00:00
VLAI
Details

In oretnom23 Automotive Shop Management System v1.0, the name id parameter is vulnerable to IDOR - Broken Access Control allowing attackers to change the admin password(vertical privilege escalation)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-26T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In oretnom23 Automotive Shop Management System v1.0, the name id parameter is vulnerable to IDOR - Broken Access Control allowing attackers to change the admin password(vertical privilege escalation)",
  "id": "GHSA-vw88-9f5h-6px5",
  "modified": "2022-06-11T00:00:32Z",
  "published": "2022-05-27T00:00:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nsparker1337/OpenSource/blob/main/exploit_idor_asms.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VWF8-XX3V-5QW7

Vulnerability from github – Published: 2026-06-13 12:31 – Updated: 2026-06-13 12:31
VLAI
Details

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-13T10:16:18Z",
    "severity": "MODERATE"
  },
  "details": "The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.",
  "id": "GHSA-vwf8-xx3v-5qw7",
  "modified": "2026-06-13T12:31:25Z",
  "published": "2026-06-13T12:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1291"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/meow-gallery/trunk/classes/rest.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery/trunk/classes/rest.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fmeow-gallery/tags/5.4.4\u0026new_path=%2Fmeow-gallery/tags/5.4.5"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/meow-gallery"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3386ea07-9c61-4b54-a451-1178ca6325cb?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VWVX-F9WX-WJ6P

Vulnerability from github – Published: 2023-05-30 21:30 – Updated: 2024-04-04 04:23
VLAI
Details

Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to IDOR via controlpanel.shopbeat.co.za.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-30T20:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to IDOR via controlpanel.shopbeat.co.za.",
  "id": "GHSA-vwvx-f9wx-wj6p",
  "modified": "2024-04-04T04:23:40Z",
  "published": "2023-05-30T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36247"
    },
    {
      "type": "WEB",
      "url": "https://www.shopbeat.co.za"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VWX9-7QCF-GG7F

Vulnerability from github – Published: 2026-05-07 03:02 – Updated: 2026-05-14 20:43
VLAI
Summary
ShellHub has cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check
Details

Summary

GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope.

The handler conditionally skips the membership check when the user ID (X-ID) is absent, which is exactly the case for API Key authentication.

Affected versions

ShellHub Community v0.24.1 (validated).

Root cause

api/routes/nsadm.go:75-102 — membership check is skipped when c.ID() is nil:

```go var uid string if c.ID() != nil { uid = c.ID().ID }

ns, err := h.service.GetNamespace(c.Ctx(), req.Tenant) if err != nil || ns == nil { return c.NoContent(http.StatusNotFound) }

if uid != "" { // ⚠️ skipped when API Key is used if _, ok := ns.FindMember(uid); !ok { return c.NoContent(http.StatusForbidden) } }

return c.JSON(http.StatusOK, ns) ```

AuthRequest (api/routes/auth.go:53-64) sets only X-Tenant-ID, X-Role, and X-API-KEY for API Key authentication — never X-ID. So c.Request().Header.Get("X-ID") returns "", c.ID() returns nil, and the membership check is bypassed.

Proof of concept (validated live against v0.24.1)

```bash # Attacker authenticates in their own namespace and mints an API Key ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \ -H 'Content-Type: application/json' \ -d '{"username":"attacker","password":"..."}' | jq -r .token)

ATTACKER_KEY=$(curl -s -X POST http://target/api/namespaces/api-key \ -H "Authorization: Bearer $ATTACKER_TOKEN" \ -H 'Content-Type: application/json' \ -d '{"name":"poc","expires_at":30}' | jq -r .id)

# Baseline: same request with JWT is correctly blocked curl -i http://target/api/namespaces/ \ -H "Authorization: Bearer $ATTACKER_TOKEN" # Observed: HTTP 403 (correct)

# Exploit: same request with API Key returns full namespace curl -i http://target/api/namespaces/ \ -H "X-API-Key: $ATTACKER_KEY" # Observed: HTTP 200 + {name, owner, tenant_id, members:[{id,email,role,added_at},...], # settings, max_devices, devices_accepted_count, type, created_at} ```

Impact

  • Enumeration of any ShellHub namespace by tenant UUID.
  • Disclosure of member e-mails, user IDs, and roles → user enumeration and targeted phishing against the victim organization.
  • Disclosure of namespace settings (session recording on/off, announcement text), device counts, namespace type, owner identity.

Suggested fix

Two layers:

  1. Primary — enforce caller-tenant match before returning the namespace, covering both JWT and API Key callers:

    go // nsadm.go GetNamespace if c.Tenant() != nil && c.Tenant().ID != req.Tenant { return c.NoContent(http.StatusForbidden) }

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.24.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/shellhub-io/shellhub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T03:02:28Z",
    "nvd_published_at": "2026-05-13T22:16:44Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n`GET /api/namespaces/:tenant` returns the full namespace object \u2014 including the members list (user IDs, e-mails, roles), settings, and device counts \u2014 to any caller authenticated by an **API Key**, for any tenant, regardless of the API Key\u0027s own tenant scope.\n\nThe handler conditionally skips the membership check when the user ID (`X-ID`) is absent, which is exactly the case for API Key authentication.\n\n## Affected versions\nShellHub Community v0.24.1 (validated).\n\n## Root cause\n`api/routes/nsadm.go:75-102` \u2014 membership check is skipped when `c.ID()` is nil:\n\n  ```go\n  var uid string\n  if c.ID() != nil {\n      uid = c.ID().ID\n  }\n\n  ns, err := h.service.GetNamespace(c.Ctx(), req.Tenant)\n  if err != nil || ns == nil {\n      return c.NoContent(http.StatusNotFound)\n  }\n\n  if uid != \"\" {                              // \u26a0\ufe0f skipped when API Key is used\n      if _, ok := ns.FindMember(uid); !ok {\n          return c.NoContent(http.StatusForbidden)\n      }\n  }\n\n  return c.JSON(http.StatusOK, ns)\n  ```\n\n  `AuthRequest` (`api/routes/auth.go:53-64`) sets only `X-Tenant-ID`, `X-Role`,\n  and `X-API-KEY` for API Key authentication \u2014 never `X-ID`. So\n  `c.Request().Header.Get(\"X-ID\")` returns `\"\"`, `c.ID()` returns `nil`, and\n  the membership check is bypassed.\n\n## Proof of concept (validated live against v0.24.1)\n\n  ```bash\n  # Attacker authenticates in their own namespace and mints an API Key\n  ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    -d \u0027{\"username\":\"attacker\",\"password\":\"...\"}\u0027 | jq -r .token)\n\n  ATTACKER_KEY=$(curl -s -X POST http://target/api/namespaces/api-key \\\n    -H \"Authorization: Bearer $ATTACKER_TOKEN\" \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    -d \u0027{\"name\":\"poc\",\"expires_at\":30}\u0027 | jq -r .id)\n\n  # Baseline: same request with JWT is correctly blocked\n  curl -i http://target/api/namespaces/\u003cvictim-tenant-uuid\u003e \\\n    -H \"Authorization: Bearer $ATTACKER_TOKEN\"\n  # Observed: HTTP 403 (correct)\n\n  # Exploit: same request with API Key returns full namespace\n  curl -i http://target/api/namespaces/\u003cvictim-tenant-uuid\u003e \\\n    -H \"X-API-Key: $ATTACKER_KEY\"\n  # Observed: HTTP 200 + {name, owner, tenant_id, members:[{id,email,role,added_at},...],\n  #                      settings, max_devices, devices_accepted_count, type, created_at}\n  ```\n\n## Impact\n  - Enumeration of any ShellHub namespace by tenant UUID.\n  - Disclosure of member e-mails, user IDs, and roles \u2192 user enumeration and targeted phishing against the victim organization.\n  - Disclosure of namespace settings (session recording on/off, announcement text), device counts, namespace type, owner identity.\n\n## Suggested fix\nTwo layers:\n\n  1. **Primary** \u2014 enforce caller-tenant match before returning the namespace, covering both JWT and API Key callers:\n\n     ```go\n     // nsadm.go GetNamespace\n     if c.Tenant() != nil \u0026\u0026 c.Tenant().ID != req.Tenant {\n         return c.NoContent(http.StatusForbidden)\n     }\n     ```",
  "id": "GHSA-vwx9-7qcf-gg7f",
  "modified": "2026-05-14T20:43:26Z",
  "published": "2026-05-07T03:02:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-vwx9-7qcf-gg7f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44426"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shellhub-io/shellhub"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ShellHub has cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses  membership check"
}

GHSA-VX2F-6M6H-9FRF

Vulnerability from github – Published: 2026-06-05 21:43 – Updated: 2026-06-05 21:43
VLAI
Summary
Bugsink: Issue event views can show an event from another project if its UUID is known
Details

Description

Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL.

This is a project-boundary authorization issue: a logged-in user with access to one project can view another project’s event data through an issue they are allowed to access. However, the issue is mitigated by two factors. First, the attacker needs to already know a valid target event UUID; there is no event enumeration path here, and guessing UUIDs is not practical. Second, Bugsink is commonly self-hosted within a single trust domain, and Hosted Bugsink gives each tenant a separate Bugsink instance, so cross-project access does not normally imply cross-tenant access.

The affected views include the stacktrace, details, and breadcrumbs pages for an issue event.

This has been fixed by requiring direct event lookups to match both the authorized issue and the project.

Impact

Low-severity cross-project event data exposure, requiring authentication and prior knowledge of a valid event UUID.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bugsink"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T21:43:23Z",
    "nvd_published_at": "2026-05-26T17:16:52Z",
    "severity": "LOW"
  },
  "details": "### Description\n\nBugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL.\n\nThis is a project-boundary authorization issue: a logged-in user with access to one project can view another project\u2019s event data through an issue they are allowed to access. However, the issue is mitigated by two factors. First, the attacker needs to already know a valid target event UUID; there is no event enumeration path here, and guessing UUIDs is not practical. Second, Bugsink is commonly self-hosted within a single trust domain, and Hosted Bugsink gives each tenant a separate Bugsink instance, so cross-project access does not normally imply cross-tenant access.\n\nThe affected views include the stacktrace, details, and breadcrumbs pages for an issue event.\n\nThis has been fixed by requiring direct event lookups to match both the authorized issue and the project.\n\n### Impact\nLow-severity cross-project event data exposure, requiring authentication and prior knowledge of a valid event UUID.",
  "id": "GHSA-vx2f-6m6h-9frf",
  "modified": "2026-06-05T21:43:23Z",
  "published": "2026-06-05T21:43:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bugsink/bugsink/security/advisories/GHSA-vx2f-6m6h-9frf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47715"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bugsink/bugsink"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bugsink/bugsink/releases/tag/2.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bugsink: Issue event views can show an event from another project if its UUID is known"
}

GHSA-VXGR-VW7P-4H7X

Vulnerability from github – Published: 2025-02-20 12:31 – Updated: 2026-04-08 21:33
VLAI
Details

The Prime Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.1 via the pae_global_block shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, private, password protected, and restricted posts. This applies to posts created with Elementor only.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-20T10:15:11Z",
    "severity": "MODERATE"
  },
  "details": "The Prime Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.1 via the pae_global_block shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, private, password protected, and restricted posts. This applies to posts created with Elementor only.",
  "id": "GHSA-vxgr-vw7p-4h7x",
  "modified": "2026-04-08T21:33:02Z",
  "published": "2025-02-20T12:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13855"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3244276/prime-addons-for-elementor/trunk/includes/global-blocks/class-global-blocks.php"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/prime-addons-for-elementor/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac5012f2-3518-41c0-befe-597008f22152?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VXRF-W6G3-6QR9

Vulnerability from github – Published: 2022-04-26 00:00 – Updated: 2022-05-05 00:00
VLAI
Details

Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1461"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-25T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.",
  "id": "GHSA-vxrf-w6g3-6qr9",
  "modified": "2022-05-05T00:00:40Z",
  "published": "2022-04-26T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1461"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openemr/openemr/commit/3af1f4a28a8df0e446043232214ed08cc8e0889d"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/690a8ec5-64fc-4180-9f1f-c3c599bae0a9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.