Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3226 vulnerabilities reference this CWE, most recent first.

GHSA-WWHQ-CX22-F7VV

Vulnerability from github – Published: 2026-05-14 20:25 – Updated: 2026-05-15 23:54
VLAI
Summary
Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint
Details

Summary

An IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. This vulnerability affects the latest version (v0.8.12) of Open WebUI.

Details

In the update_message_by_id function, for group or dm type channels, only the caller's membership in the channel is checked via the is_user_channel_member function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. The problematic code is as follows (https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355) :

if channel.type in ['group', 'dm']:
    if not Channels.is_user_channel_member(channel.id, user.id, db=db):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())
else:
    if (
        user.role != 'admin'
        and message.user_id != user.id
        and not channel_has_access(user.id, channel, permission='write', strict=False, db=db)
    ):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())

try:
    message = Messages.update_message_by_id(message_id, form_data, db=db)

Non-group/dm types include a check for the user ID, while the group/dm type clearly lacks this verification.

PoC

The Channels feature is disabled by default and can be enabled first through the admin interface. image

Create a group type channel with members including users test1 and test2.

POST /api/v1/channels/create HTTP/1.1
Content-Type: application/json

{
  "name": "idor-test-group",
  "type": "group",
  "user_ids": [
    "cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c",
    "b9997496-ff80-4c30-a366-95474f85e62b"
  ]
}

User test2 sends a message in the channel.

POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/post HTTP/1.1
Content-Type: application/json
Authorization: Bearer <test2_token>

{"content":"This is test2 secret message"}

User test1 can directly modify the message that test2 just sent.

POST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/e0824c09-5712-4400-9b7a-b08eefcf15d3/update HTTP/1.1
Content-Type: application/json
Authorization: Bearer <test1_token>

{"content":"HACKED BY TEST1 - message tampered!"}

image

Messages sent by administrators can also be modified.

image

Impact

Malicious users can arbitrarily tamper with messages published by other users (including administrators), allowing them to disseminate false information.

Suggested Fix

Add a message ownership check in the group/dm branch of channels.py.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45385"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:25:40Z",
    "nvd_published_at": "2026-05-15T21:16:36Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn IDOR vulnerability exists in the Channels feature of `Open WebUI`, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. This vulnerability affects the latest version (`v0.8.12`) of `Open WebUI`.\n\n### Details\nIn the `update_message_by_id` function, for `group` or `dm` type channels, only the caller\u0027s membership in the channel is checked via the `is_user_channel_member` function, without verifying message ownership. This allows any channel member to modify messages sent by other members within the same channel. The problematic code is as follows [(https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355)](https://github.com/open-webui/open-webui/blob/main/backend/open_webui/routers/channels.py#L1355) :\n\n```python\nif channel.type in [\u0027group\u0027, \u0027dm\u0027]:\n    if not Channels.is_user_channel_member(channel.id, user.id, db=db):\n        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())\nelse:\n    if (\n        user.role != \u0027admin\u0027\n        and message.user_id != user.id\n        and not channel_has_access(user.id, channel, permission=\u0027write\u0027, strict=False, db=db)\n    ):\n        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())\n\ntry:\n    message = Messages.update_message_by_id(message_id, form_data, db=db)\n```\n\nNon-group/dm types include a check for the user ID, while the `group/dm` type clearly lacks this verification.\n\n### PoC\nThe `Channels` feature is disabled by default and can be enabled first through the `admin` interface.\n\u003cimg width=\"1024\" height=\"618\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a36502e9-c6cd-41cd-a69c-8b6ac809768f\" /\u003e\n\nCreate a `group` type channel with members including users `test1` and `test2`.\n\n```\nPOST /api/v1/channels/create HTTP/1.1\nContent-Type: application/json\n\n{\n  \"name\": \"idor-test-group\",\n  \"type\": \"group\",\n  \"user_ids\": [\n    \"cfc3cb19-9e92-4bf7-8b72-1b47fe4ff62c\",\n    \"b9997496-ff80-4c30-a366-95474f85e62b\"\n  ]\n}\n```\n\nUser `test2` sends a message in the channel.\n\n```\nPOST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/post HTTP/1.1\nContent-Type: application/json\nAuthorization: Bearer \u003ctest2_token\u003e\n\n{\"content\":\"This is test2 secret message\"}\n```\n\nUser `test1` can directly modify the message that `test2` just sent.\n\n```\nPOST /api/v1/channels/9cff5240-6b22-4c85-bf74-b8dbfe471b16/messages/e0824c09-5712-4400-9b7a-b08eefcf15d3/update HTTP/1.1\nContent-Type: application/json\nAuthorization: Bearer \u003ctest1_token\u003e\n\n{\"content\":\"HACKED BY TEST1 - message tampered!\"}\n```\n\u003cimg width=\"1024\" height=\"216\" alt=\"image\" src=\"https://github.com/user-attachments/assets/77646d01-d501-4732-ac37-3ffb69f9f01f\" /\u003e\n\nMessages sent by administrators can also be modified.\n\n\u003cimg width=\"1024\" height=\"419\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b32dc5eb-f810-41d3-b358-f000d8331761\" /\u003e\n\n\n### Impact\nMalicious users can arbitrarily tamper with messages published by other users (including administrators), allowing them to disseminate false information.\n\n### Suggested Fix\nAdd a message ownership check in the `group/dm` branch of `channels.py`.",
  "id": "GHSA-wwhq-cx22-f7vv",
  "modified": "2026-05-15T23:54:10Z",
  "published": "2026-05-14T20:25:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-wwhq-cx22-f7vv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45385"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint"
}

GHSA-WWJF-GWRV-WH45

Vulnerability from github – Published: 2024-11-07 15:31 – Updated: 2024-11-07 18:26
VLAI
Summary
Moodle's IDOR in badges allows deletion of arbitrary badges
Details

A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0-beta"
            },
            {
              "fixed": "4.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0-beta"
            },
            {
              "fixed": "4.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0-beta"
            },
            {
              "fixed": "4.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-43431"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-07T18:26:56Z",
    "nvd_published_at": "2024-11-07T14:15:15Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.",
  "id": "GHSA-wwjf-gwrv-wh45",
  "modified": "2024-11-07T18:26:57Z",
  "published": "2024-11-07T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43431"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304259"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=461199"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Moodle\u0027s IDOR in badges allows deletion of arbitrary badges"
}

GHSA-WX3F-PJJP-293H

Vulnerability from github – Published: 2025-02-13 09:31 – Updated: 2025-02-13 09:31
VLAI
Details

The DethemeKit For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, draft, or scheduled posts that they should not have access to by duplicating the post.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-13T07:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The DethemeKit For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, draft, or scheduled posts that they should not have access to by duplicating the post.",
  "id": "GHSA-wx3f-pjjp-293h",
  "modified": "2025-02-13T09:31:26Z",
  "published": "2025-02-13T09:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0661"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3236114/dethemekit-for-elementor/trunk/admin/includes/dep/admin-helper.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e2c937c-1ff8-4bcc-913b-83bade37d754?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX3H-GCG8-JH5R

Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T06:16:22Z",
    "severity": "MODERATE"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.",
  "id": "GHSA-wx3h-gcg8-jh5r",
  "modified": "2026-05-14T06:31:33Z",
  "published": "2026-05-14T06:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3074"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3556163"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/591229"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXP2-F9FF-28C6

Vulnerability from github – Published: 2025-12-12 06:31 – Updated: 2026-04-08 18:34
VLAI
Details

The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12883"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-12T04:15:40Z",
    "severity": "MODERATE"
  },
  "details": "The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income.",
  "id": "GHSA-wxp2-f9ff-28c6",
  "modified": "2026-04-08T18:34:00Z",
  "published": "2025-12-12T06:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12883"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?old_path=/campay-api/tags/1.2.2\u0026new_path=/campay-api/tags/1.2.3\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/campay-api"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f12fa00-6108-4bd4-9310-8558211f4d0f?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXXJ-XQH4-VHM2

Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2023-05-16 21:30
VLAI
Details

Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource's URL can access the resource directly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-18998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-17T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource\u0027s URL can access the resource directly.",
  "id": "GHSA-wxxj-xqh4-vhm2",
  "modified": "2023-05-16T21:30:17Z",
  "published": "2022-05-24T17:09:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18998"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-20-072-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X26H-XMV8-GXF7

Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42
VLAI
Summary
stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA)
Details

Summary

On a multi-tenant stigmem node, RTBF (right-to-be-forgotten) tombstones were mis-scoped two ways. (1) issue_tombstone defaulted the tenant to "default" instead of the caller's tenant, so tombstones could be written to the wrong tenant. (2) The read-suppression path — _get_tombstone_filter (routes/facts/common.py) and the _tombstone_scope_cache (lifecycle/tombstones.py) — had no tenant_id predicate, so tombstone suppression was applied tenant-blind across fact queries and provenance. Reached via /v1/tombstones and the fact query/provenance read paths.

Impact

Cross-tenant integrity of the RTBF mechanism: a tenant's deletion request could be recorded against the wrong tenant, and tombstone suppression could hide — or fail to hide — facts across tenant boundaries, undermining both data-view correctness and RTBF guarantees.

Affected configurations

This is a cross-tenant break. It is exploitable only on deployments running the opt-in stigmem-plugin-multi-tenant (multiple tenants on one node). A default single-tenant node has only tenant="default" — there is no second tenant to cross — so it is not exploitable on default deployments. The rating is HIGH for the multi-tenant deployments the plugin exists to isolate.

Patches

Fixed in 0.9.0a12 (PR #728): identity.tenant_id is passed from issue_tombstone into create_tombstone (no more "default" fallback); AND tenant_id = ? was added to _get_tombstone_filter and get_tombstone_status; the suppression cache is re-keyed to include tenant; and all four read call sites thread the caller's tenant. A tenant-B tombstone now suppresses only tenant-B facts and is invisible to tenant-A reads.

Workarounds

None other than upgrading to 0.9.0a12. Single-tenant deployments are unaffected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "stigmem-node"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0a12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:42:57Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nOn a multi-tenant stigmem node, RTBF (right-to-be-forgotten) tombstones were mis-scoped two ways. (1) `issue_tombstone` defaulted the tenant to `\"default\"` instead of the caller\u0027s tenant, so tombstones could be written to the wrong tenant. (2) The read-suppression path \u2014 `_get_tombstone_filter` (`routes/facts/common.py`) and the `_tombstone_scope_cache` (`lifecycle/tombstones.py`) \u2014 had no `tenant_id` predicate, so tombstone suppression was applied tenant-blind across fact queries and provenance. Reached via `/v1/tombstones` and the fact query/provenance read paths.\n\n### Impact\nCross-tenant integrity of the RTBF mechanism: a tenant\u0027s deletion request could be recorded against the wrong tenant, and tombstone suppression could hide \u2014 or fail to hide \u2014 facts across tenant boundaries, undermining both data-view correctness and RTBF guarantees.\n\n### Affected configurations\nThis is a cross-**tenant** break. It is exploitable **only** on deployments running the opt-in `stigmem-plugin-multi-tenant` (multiple tenants on one node). A default single-tenant node has only `tenant=\"default\"` \u2014 there is no second tenant to cross \u2014 so it is **not exploitable** on default deployments. The rating is HIGH for the multi-tenant deployments the plugin exists to isolate.\n\n### Patches\nFixed in `0.9.0a12` (PR #728): `identity.tenant_id` is passed from `issue_tombstone` into `create_tombstone` (no more `\"default\"` fallback); `AND tenant_id = ?` was added to `_get_tombstone_filter` and `get_tombstone_status`; the suppression cache is re-keyed to include tenant; and all four read call sites thread the caller\u0027s tenant. A tenant-B tombstone now suppresses only tenant-B facts and is invisible to tenant-A reads.\n\n### Workarounds\nNone other than upgrading to `0.9.0a12`. Single-tenant deployments are unaffected.",
  "id": "GHSA-x26h-xmv8-gxf7",
  "modified": "2026-06-19T21:42:57Z",
  "published": "2026-06-19T21:42:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eidetic-labs/stigmem/security/advisories/GHSA-x26h-xmv8-gxf7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eidetic-labs/stigmem/pull/728"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eidetic-labs/stigmem"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA)"
}

GHSA-X26P-4QC2-77FW

Vulnerability from github – Published: 2025-05-01 12:31 – Updated: 2025-05-01 12:31
VLAI
Details

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T12:15:17Z",
    "severity": "MODERATE"
  },
  "details": "The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes.",
  "id": "GHSA-x26p-4qc2-77fw",
  "modified": "2025-05-01T12:31:16Z",
  "published": "2025-05-01T12:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3874"
    },
    {
      "type": "WEB",
      "url": "https://developer.wordpress.org/reference/functions/wp_generate_password"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L32"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L68"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L158"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L265"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L525"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3284572"
    },
    {
      "type": "WEB",
      "url": "https://www.tipsandtricks-hq.com/ecommerce/wp-shopping-cart"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4fed59bf-885b-4a06-aff2-8e5ab5f83ba7?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2FP-HJ8C-MMXH

Vulnerability from github – Published: 2026-05-21 21:30 – Updated: 2026-06-24 20:57
VLAI
Summary
Concrete CMS is vulnerable to authorization bypass in the Calendar Event Frontend Dialog
Details

Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "concrete5/concrete5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-8204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-24T18:12:55Z",
    "nvd_published_at": "2026-05-21T21:16:33Z",
    "severity": "MODERATE"
  },
  "details": "Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data.",
  "id": "GHSA-x2fp-hj8c-mmxh",
  "modified": "2026-06-24T20:57:23Z",
  "published": "2026-05-21T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8204"
    },
    {
      "type": "WEB",
      "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/concretecms/concretecms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Concrete CMS is vulnerable to authorization bypass in the Calendar Event Frontend Dialog"
}

GHSA-X2H9-8XX4-4XFR

Vulnerability from github – Published: 2024-05-22 18:30 – Updated: 2024-05-22 18:30
VLAI
Details

An Insecure Direct Object Reference in Google Cloud's Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5166"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T17:16:15Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Direct Object Reference in Google Cloud\u0027s Looker allowed metadata exposure across authenticated Looker users sharing the same LookML model.",
  "id": "GHSA-x2h9-8xx4-4xfr",
  "modified": "2024-05-22T18:30:42Z",
  "published": "2024-05-22T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5166"
    },
    {
      "type": "WEB",
      "url": "https://cloud.google.com/looker/docs/best-practices/query-id-update-instructions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.