CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3254 vulnerabilities reference this CWE, most recent first.
CVE-2026-1496 (GCVE-0-2026-1496)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:14 – Updated: 2026-03-27 14:36- CWE-639 - Authorization bypass through User-Controlled key
| URL | Tags |
|---|---|
| https://community.blackduck.com/s/article/Black-D… | vendor-advisory |
| https://community.blackduck.com/s/article/Instruc… | vendor-advisorymitigation |
| https://community.blackduck.com/s/article/WAF-IDS… | vendor-advisorymitigation |
| https://github.com/blackduck-inc/Coverity-Usage-L… | related |
| Vendor | Product | Version | |
|---|---|---|---|
| Black Duck | Coverity |
Affected:
2024.3.0 , < 2025.12.0
(custom)
Unaffected: 2024.3.0A Unaffected: 2024.3.1A Unaffected: 2024.3.2A Unaffected: 2024.6.0A Unaffected: 2024.6.1A Unaffected: 2024.9.0A Unaffected: 2024.9.1A Unaffected: 2024.12.0A Unaffected: 2024.12.1A Unaffected: 2024.12.2 Unaffected: 2025.3.0A Unaffected: 2025.3.1A Unaffected: 2025.3.2 Unaffected: 2025.6.0A Unaffected: 2025.6.2A Unaffected: 2025.6.4 Unaffected: 2025.9.0A Unaffected: 2025.9.2A Unaffected: 2025.9.3 Unaffected: 2025.12.0A Unaffected: 2025.12.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1496",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:35:08.919139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:36:04.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Coverity",
"vendor": "Black Duck",
"versions": [
{
"lessThan": "2025.12.0",
"status": "affected",
"version": "2024.3.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2024.3.0A"
},
{
"status": "unaffected",
"version": "2024.3.1A"
},
{
"status": "unaffected",
"version": "2024.3.2A"
},
{
"status": "unaffected",
"version": "2024.6.0A"
},
{
"status": "unaffected",
"version": "2024.6.1A"
},
{
"status": "unaffected",
"version": "2024.9.0A"
},
{
"status": "unaffected",
"version": "2024.9.1A"
},
{
"status": "unaffected",
"version": "2024.12.0A"
},
{
"status": "unaffected",
"version": "2024.12.1A"
},
{
"status": "unaffected",
"version": "2024.12.2"
},
{
"status": "unaffected",
"version": "2025.3.0A"
},
{
"status": "unaffected",
"version": "2025.3.1A"
},
{
"status": "unaffected",
"version": "2025.3.2"
},
{
"status": "unaffected",
"version": "2025.6.0A"
},
{
"status": "unaffected",
"version": "2025.6.2A"
},
{
"status": "unaffected",
"version": "2025.6.4"
},
{
"status": "unaffected",
"version": "2025.9.0A"
},
{
"status": "unaffected",
"version": "2025.9.2A"
},
{
"status": "unaffected",
"version": "2025.9.3"
},
{
"status": "unaffected",
"version": "2025.12.0A"
},
{
"status": "unaffected",
"version": "2025.12.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:black_duck:coverity:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2025.12.0",
"versionStartIncluding": "2024.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.3.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.6.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.6.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.9.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.9.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2024.12.2:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.1a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.3.2:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.6.4:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.2a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.9.3:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.12.0a:*:*:*:*:*:*:*",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:black_duck:coverity:2025.12.1:*:*:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Huong Kieu from Cenobe"
}
],
"datePublic": "2026-03-27T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass.\u0026nbsp;\u003cspan\u003eA malicious actor with access to the\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003ccode\u003e/token\u003c/code\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eAPI endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eSuccessful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user\u2019s Coverity Connect account.\u0026nbsp;\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass.\u00a0A malicious actor with access to the\u00a0/token\u00a0API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication.\u00a0Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user\u2019s Coverity Connect account."
}
],
"impacts": [
{
"capecId": "CAPEC-384",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-384 Application API Message Manipulation via Man-in-the-Middle"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:14:01.871Z",
"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"shortName": "BlackDuck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496"
},
{
"tags": [
"vendor-advisory",
"mitigation"
],
"url": "https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect"
},
{
"tags": [
"vendor-advisory",
"mitigation"
],
"url": "https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance"
},
{
"tags": [
"related"
],
"url": "https://github.com/blackduck-inc/Coverity-Usage-Log-Analyzer"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCustomers\nare recommended to upgrade to one of the following Coverity patched versions at their earliest availability or deploy documented mitigations.\u003c/p\u003e\n\n\u003cp\u003ePatched versions:\u003c/p\u003e\n\n\u003cul\u003e\n \u003cli\u003e2025.12.1\u003c/li\u003e\n\u003cli\u003e2025.12.0A\u003c/li\u003e\u003cli\u003e2025.9.2A\u003c/li\u003e\u003cli\u003e2025.9.0A\u003c/li\u003e\u003cli\u003e2025.6.2A\u003c/li\u003e\u003cli\u003e2025.6.0A\u003c/li\u003e\u003cli\u003e2025.3.1A\u003c/li\u003e\u003cli\u003e2025.3.0A\u003c/li\u003e\u003cli\u003e2024.12.1A\u003c/li\u003e\u003cli\u003e2024.12.0A\u003c/li\u003e\u003cli\u003e2024.9.1A\u003c/li\u003e\u003cli\u003e\u003cspan\u003e2024.9.0A\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\u003cp\u003eFull Installers:\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e2025.12.1\u003c/li\u003e\u003cli\u003e2025.9.3\u003c/li\u003e\u003cli\u003e2025.6.4\u003c/li\u003e\u003cli\u003e2025.3.2\u003c/li\u003e\u003cli\u003e2024.12.2\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Customers\nare recommended to upgrade to one of the following Coverity patched versions at their earliest availability or deploy documented mitigations.\n\n\n\nPatched versions:\n\n\n\n\n * 2025.12.1\n\n * 2025.12.0A\n * 2025.9.2A\n * 2025.9.0A\n * 2025.6.2A\n * 2025.6.0A\n * 2025.3.1A\n * 2025.3.0A\n * 2024.12.1A\n * 2024.12.0A\n * 2024.9.1A\n * 2024.9.0A\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nFull Installers:\n\n\n\n\n\n * 2025.12.1\n * 2025.9.3\n * 2025.6.4\n * 2025.3.2\n * 2024.12.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Coverity CLI Authentication Bypass",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"assignerShortName": "BlackDuck",
"cveId": "CVE-2026-1496",
"datePublished": "2026-03-27T14:14:01.871Z",
"dateReserved": "2026-01-27T15:53:39.147Z",
"dateUpdated": "2026-03-27T14:36:04.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1436 (GCVE-0-2026-1436)
Vulnerability from cvelistv5 – Published: 2026-02-18 13:09 – Updated: 2026-02-18 14:19- CWE-639 - Authorization Bypass Through User-Controlled Key
| URL | Tags |
|---|---|
| https://www.incibe.es/en/incibe-cert/notices/avis… | patch |
| Vendor | Product | Version | |
|---|---|---|---|
| Graylog | Graylog Web Interface |
Affected:
2.2.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1436",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T14:19:25.627419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T14:19:37.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Graylog Web Interface",
"vendor": "Graylog",
"versions": [
{
"status": "affected",
"version": "2.2.3"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:graylog:graylog_web_interface:2.2.3:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julen Garrido Est\u00e9vez (B3xal)"
}
],
"datePublic": "2026-02-17T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user\u0027s profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint \u0027http://\u0026lt;IP\u0026gt;:12900/users/\u0026lt;my_user\u0026gt;\u0027 does not implement object-level authorization validations."
}
],
"value": "Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user\u0027s profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint \u0027http://\u003cIP\u003e:12900/users/\u003cmy_user\u003e\u0027 does not implement object-level authorization validations."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T13:11:34.044Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylog"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is recommended to update the software to the latest version, where the vulnerability described has already been mitigated. For the affected version, the vulnerability is not mitigated, as the manufacturer considers all versions prior to the current one to be obsolete.\u003cbr\u003e"
}
],
"value": "It is recommended to update the software to the latest version, where the vulnerability described has already been mitigated. For the affected version, the vulnerability is not mitigated, as the manufacturer considers all versions prior to the current one to be obsolete."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Access Control (IDOR) vulnerability in Graylog Web Interface",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2026-1436",
"datePublished": "2026-02-18T13:09:35.443Z",
"dateReserved": "2026-01-26T13:20:07.838Z",
"dateUpdated": "2026-02-18T14:19:37.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1389 (GCVE-0-2026-1389)
Vulnerability from cvelistv5 – Published: 2026-01-28 07:27 – Updated: 2026-04-08 16:54- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| bplugins | Document Embedder – Embed PDFs, Word, Excel, and Other Files |
Affected:
0 , ≤ 2.0.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:45:32.505700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:45:49.405Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files",
"vendor": "bplugins",
"versions": [
{
"lessThanOrEqual": "2.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the \u0027bplde_save_document_library\u0027, \u0027bplde_get_single\u0027, and \u0027bplde_delete_document_library\u0027 AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the \u0027id\u0027 parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:54:55.705Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59d14f6c-6286-454c-8629-96a0c2de943c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L103"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L159"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.5/includes/DocumentLibrary/Init-DocumentLibrary.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T21:07:02.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T19:18:50.000Z",
"value": "Disclosed"
}
],
"title": "Document Embedder \u003c= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1389",
"datePublished": "2026-01-28T07:27:34.729Z",
"dateReserved": "2026-01-23T20:51:53.837Z",
"dateUpdated": "2026-04-08T16:54:55.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1375 (GCVE-0-2026-1375)
Vulnerability from cvelistv5 – Published: 2026-02-03 07:31 – Updated: 2026-04-08 16:51- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.5
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T15:45:56.367297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T15:46:05.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Tharadol Suksamran"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:51:47.055Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1\u0026old=3339576\u0026old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T18:20:12.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-02T18:41:05.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1375",
"datePublished": "2026-02-03T07:31:23.100Z",
"dateReserved": "2026-01-23T18:04:32.011Z",
"dateUpdated": "2026-04-08T16:51:47.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1338 (GCVE-0-2026-1338)
Vulnerability from cvelistv5 – Published: 2026-05-14 05:36 – Updated: 2026-05-14 13:05- CWE-639 - Authorization Bypass Through User-Controlled Key
| URL | Tags |
|---|---|
| https://hackerone.com/reports/3480620 | technical-descriptionexploitpermissions-required |
| https://gitlab.com/gitlab-org/gitlab/-/work_items… | |
| https://about.gitlab.com/releases/2026/05/13/patc… |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1338",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:05:50.413837Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:05:58.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "18.9.7",
"status": "affected",
"version": "17.10",
"versionType": "semver"
},
{
"lessThan": "18.10.6",
"status": "affected",
"version": "18.10",
"versionType": "semver"
},
{
"lessThan": "18.11.3",
"status": "affected",
"version": "18.11",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks [go7f0](https://hackerone.com/go7f0) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to improper authorization checks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T05:36:42.333Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "HackerOne Bug Bounty Report #3480620",
"tags": [
"technical-description",
"exploit",
"permissions-required"
],
"url": "https://hackerone.com/reports/3480620"
},
{
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/587326"
},
{
"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above."
}
],
"title": "Authorization Bypass Through User-Controlled Key in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-1338",
"datePublished": "2026-05-14T05:36:42.333Z",
"dateReserved": "2026-01-22T14:04:11.747Z",
"dateUpdated": "2026-05-14T13:05:58.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1291 (GCVE-0-2026-1291)
Vulnerability from cvelistv5 – Published: 2026-06-13 08:29 – Updated: 2026-06-15 19:25- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| tigroumeow | Meow Gallery |
Affected:
0 , ≤ 5.4.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T16:44:06.486537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T19:25:53.295Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Meow Gallery",
"vendor": "tigroumeow",
"versions": [
{
"lessThanOrEqual": "5.4.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chawabhon Netisingha"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T08:29:40.890Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3386ea07-9c61-4b54-a451-1178ca6325cb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/meow-gallery/trunk/classes/rest.php"
},
{
"url": "https://wordpress.org/plugins/meow-gallery/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery/trunk/classes/rest.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fmeow-gallery/tags/5.4.4\u0026new_path=%2Fmeow-gallery/tags/5.4.5"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-21T16:34:45.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-12T19:54:13.000Z",
"value": "Disclosed"
}
],
"title": "Meow Gallery \u003c= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1291",
"datePublished": "2026-06-13T08:29:40.890Z",
"dateReserved": "2026-01-21T16:18:13.278Z",
"dateUpdated": "2026-06-15T19:25:53.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1271 (GCVE-0-2026-1271)
Vulnerability from cvelistv5 – Published: 2026-02-05 09:13 – Updated: 2026-04-08 17:00- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| metagauss | ProfileGrid – User Profiles, Groups and Communities |
Affected:
0 , ≤ 5.9.7.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1271",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:44:53.708414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:45:08.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ProfileGrid \u2013 User Profiles, Groups and Communities",
"vendor": "metagauss",
"versions": [
{
"lessThanOrEqual": "5.9.7.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "knani alaaeddine"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the \u0027pm_upload_image\u0027 and \u0027pm_upload_cover_image\u0027 AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user\u0027s profile picture or cover image, including administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:00:31.484Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/712535ce-8c38-4944-aa0a-36d9bacaeb67?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/crop.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/coverimg_crop.php#L60"
},
{
"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/crop.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/coverimg_crop.php#L60"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3448434%40profilegrid-user-profiles-groups-and-communities\u0026new=3448434%40profilegrid-user-profiles-groups-and-communities\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T06:45:15.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-04T20:36:46.000Z",
"value": "Disclosed"
}
],
"title": "ProfileGrid \u003c= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1271",
"datePublished": "2026-02-05T09:13:45.183Z",
"dateReserved": "2026-01-20T21:46:58.650Z",
"dateUpdated": "2026-04-08T17:00:31.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1251 (GCVE-0-2026-1251)
Vulnerability from cvelistv5 – Published: 2026-01-31 06:39 – Updated: 2026-04-08 17:05- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| psmplugins | SupportCandy – Helpdesk & Customer Support Ticket System |
Affected:
0 , ≤ 3.4.4
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T17:55:47.971261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T17:55:57.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System",
"vendor": "psmplugins",
"versions": [
{
"lessThanOrEqual": "3.4.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Theklis Stefani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the \u0027add_reply\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the \u0027description_attachments\u0027 parameter, re-associating those files to their own tickets and removing access from the original owners."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:35.339Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-individual-ticket.php#L1603"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3448376/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-20T19:19:37.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-23T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System \u003c= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1251",
"datePublished": "2026-01-31T06:39:23.182Z",
"dateReserved": "2026-01-20T19:04:14.485Z",
"dateUpdated": "2026-04-08T17:05:35.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1228 (GCVE-0-2026-1228)
Vulnerability from cvelistv5 – Published: 2026-02-06 02:23 – Updated: 2026-04-08 17:24- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| bplugins | Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) |
Affected:
0 , ≤ 1.3.3
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T19:27:56.342985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T19:28:05.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Timeline Block \u2013 Beautiful Timeline Builder for WordPress (Vertical \u0026 Horizontal Timelines)",
"vendor": "bplugins",
"versions": [
{
"lessThanOrEqual": "1.3.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kazuma Matsumoto"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Timeline Block \u2013 Beautiful Timeline Builder for WordPress (Vertical \u0026 Horizontal Timelines) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgb_shortcode() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to disclose private timeline content via the id attribute supplied to the \u0027timeline_block\u0027 shortcode."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:31.746Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cecebfd0-c2af-4150-8793-299cdbeaa7b9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3446078/timeline-block-block"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-20T13:17:45.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-05T13:39:29.000Z",
"value": "Disclosed"
}
],
"title": "Timeline Block \u003c= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1228",
"datePublished": "2026-02-06T02:23:38.677Z",
"dateReserved": "2026-01-20T13:01:02.988Z",
"dateUpdated": "2026-04-08T17:24:31.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1219 (GCVE-0-2026-1219)
Vulnerability from cvelistv5 – Published: 2026-02-19 09:26 – Updated: 2026-02-20 20:37- CWE-639 - Authorization Bypass Through User-Controlled Key
| Vendor | Product | Version | |
|---|---|---|---|
| sonaar | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar |
Affected:
4.0 , ≤ 5.10
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T20:37:24.748298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T20:37:50.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar",
"vendor": "sonaar",
"versions": [
{
"lessThanOrEqual": "5.10",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the \u0027load_track_note_ajax\u0027 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T09:26:36.530Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce8fa964-d543-4d46-a534-e403dff4f425?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/sonaar-music.php#L179"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/public/class-sonaar-music-public.php#L323"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3453076/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1219",
"datePublished": "2026-02-19T09:26:36.530Z",
"dateReserved": "2026-01-20T01:27:06.784Z",
"dateUpdated": "2026-02-20T20:37:50.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.