Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3254 vulnerabilities reference this CWE, most recent first.

CVE-2026-1496 (GCVE-0-2026-1496)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:14 – Updated: 2026-03-27 14:36
VLAI
Title
Coverity CLI Authentication Bypass
Summary
Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
Impacted products
Vendor Product Version
Black Duck Coverity Affected: 2024.3.0 , < 2025.12.0 (custom)
Unaffected: 2024.3.0A
Unaffected: 2024.3.1A
Unaffected: 2024.3.2A
Unaffected: 2024.6.0A
Unaffected: 2024.6.1A
Unaffected: 2024.9.0A
Unaffected: 2024.9.1A
Unaffected: 2024.12.0A
Unaffected: 2024.12.1A
Unaffected: 2024.12.2
Unaffected: 2025.3.0A
Unaffected: 2025.3.1A
Unaffected: 2025.3.2
Unaffected: 2025.6.0A
Unaffected: 2025.6.2A
Unaffected: 2025.6.4
Unaffected: 2025.9.0A
Unaffected: 2025.9.2A
Unaffected: 2025.9.3
Unaffected: 2025.12.0A
Unaffected: 2025.12.1
Create a notification for this product.
Date Public
2026-03-27 13:00
Credits
Huong Kieu from Cenobe
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1496",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T14:35:08.919139Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T14:36:04.188Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Coverity",
          "vendor": "Black Duck",
          "versions": [
            {
              "lessThan": "2025.12.0",
              "status": "affected",
              "version": "2024.3.0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2024.3.0A"
            },
            {
              "status": "unaffected",
              "version": "2024.3.1A"
            },
            {
              "status": "unaffected",
              "version": "2024.3.2A"
            },
            {
              "status": "unaffected",
              "version": "2024.6.0A"
            },
            {
              "status": "unaffected",
              "version": "2024.6.1A"
            },
            {
              "status": "unaffected",
              "version": "2024.9.0A"
            },
            {
              "status": "unaffected",
              "version": "2024.9.1A"
            },
            {
              "status": "unaffected",
              "version": "2024.12.0A"
            },
            {
              "status": "unaffected",
              "version": "2024.12.1A"
            },
            {
              "status": "unaffected",
              "version": "2024.12.2"
            },
            {
              "status": "unaffected",
              "version": "2025.3.0A"
            },
            {
              "status": "unaffected",
              "version": "2025.3.1A"
            },
            {
              "status": "unaffected",
              "version": "2025.3.2"
            },
            {
              "status": "unaffected",
              "version": "2025.6.0A"
            },
            {
              "status": "unaffected",
              "version": "2025.6.2A"
            },
            {
              "status": "unaffected",
              "version": "2025.6.4"
            },
            {
              "status": "unaffected",
              "version": "2025.9.0A"
            },
            {
              "status": "unaffected",
              "version": "2025.9.2A"
            },
            {
              "status": "unaffected",
              "version": "2025.9.3"
            },
            {
              "status": "unaffected",
              "version": "2025.12.0A"
            },
            {
              "status": "unaffected",
              "version": "2025.12.1"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2025.12.0",
                  "versionStartIncluding": "2024.3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2024.3.0a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2024.3.1a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2024.3.2a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2024.6.0a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2024.6.1a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2024.9.0a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2024.9.1a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2024.12.0a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2024.12.1a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2024.12.2:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2025.3.0a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2025.3.1a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2025.3.2:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2025.6.0a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2025.6.2a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2025.6.4:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2025.9.0a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2025.9.2a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2025.9.3:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2025.12.0a:*:*:*:*:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:black_duck:coverity:2025.12.1:*:*:*:*:*:*:*",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Huong Kieu from Cenobe"
        }
      ],
      "datePublic": "2026-03-27T13:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eVulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass.\u0026nbsp;\u003cspan\u003eA malicious actor with access to the\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003ccode\u003e/token\u003c/code\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eAPI endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication.\u0026nbsp;\u003c/span\u003e\u003cspan\u003eSuccessful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user\u2019s Coverity Connect account.\u0026nbsp;\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass.\u00a0A malicious actor with access to the\u00a0/token\u00a0API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication.\u00a0Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user\u2019s Coverity Connect account."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-384",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-384 Application API Message Manipulation via Man-in-the-Middle"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T14:14:01.871Z",
        "orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
        "shortName": "BlackDuck"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496"
        },
        {
          "tags": [
            "vendor-advisory",
            "mitigation"
          ],
          "url": "https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect"
        },
        {
          "tags": [
            "vendor-advisory",
            "mitigation"
          ],
          "url": "https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/blackduck-inc/Coverity-Usage-Log-Analyzer"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCustomers\nare recommended to upgrade to one of the following Coverity patched versions at their earliest availability or deploy documented mitigations.\u003c/p\u003e\n\n\u003cp\u003ePatched versions:\u003c/p\u003e\n\n\u003cul\u003e\n \u003cli\u003e2025.12.1\u003c/li\u003e\n\u003cli\u003e2025.12.0A\u003c/li\u003e\u003cli\u003e2025.9.2A\u003c/li\u003e\u003cli\u003e2025.9.0A\u003c/li\u003e\u003cli\u003e2025.6.2A\u003c/li\u003e\u003cli\u003e2025.6.0A\u003c/li\u003e\u003cli\u003e2025.3.1A\u003c/li\u003e\u003cli\u003e2025.3.0A\u003c/li\u003e\u003cli\u003e2024.12.1A\u003c/li\u003e\u003cli\u003e2024.12.0A\u003c/li\u003e\u003cli\u003e2024.9.1A\u003c/li\u003e\u003cli\u003e\u003cspan\u003e2024.9.0A\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\u003cp\u003eFull Installers:\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e2025.12.1\u003c/li\u003e\u003cli\u003e2025.9.3\u003c/li\u003e\u003cli\u003e2025.6.4\u003c/li\u003e\u003cli\u003e2025.3.2\u003c/li\u003e\u003cli\u003e2024.12.2\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "Customers\nare recommended to upgrade to one of the following Coverity patched versions at their earliest availability or deploy documented mitigations.\n\n\n\nPatched versions:\n\n\n\n\n   *  2025.12.1\n\n  *  2025.12.0A\n  *  2025.9.2A\n  *  2025.9.0A\n  *  2025.6.2A\n  *  2025.6.0A\n  *  2025.3.1A\n  *  2025.3.0A\n  *  2024.12.1A\n  *  2024.12.0A\n  *  2024.9.1A\n  *  2024.9.0A\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nFull Installers:\n\n\n\n\n\n  *  2025.12.1\n  *  2025.9.3\n  *  2025.6.4\n  *  2025.3.2\n  *  2024.12.2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Coverity CLI Authentication Bypass",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
    "assignerShortName": "BlackDuck",
    "cveId": "CVE-2026-1496",
    "datePublished": "2026-03-27T14:14:01.871Z",
    "dateReserved": "2026-01-27T15:53:39.147Z",
    "dateUpdated": "2026-03-27T14:36:04.188Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1436 (GCVE-0-2026-1436)

Vulnerability from cvelistv5 – Published: 2026-02-18 13:09 – Updated: 2026-02-18 14:19
VLAI
Title
Improper Access Control (IDOR) vulnerability in Graylog Web Interface
Summary
Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user's profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint 'http://<IP>:12900/users/<my_user>' does not implement object-level authorization validations.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
Date Public
2026-02-17 11:00
Credits
Julen Garrido Estévez (B3xal)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1436",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-18T14:19:25.627419Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-18T14:19:37.438Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Graylog Web Interface",
          "vendor": "Graylog",
          "versions": [
            {
              "status": "affected",
              "version": "2.2.3"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:graylog:graylog_web_interface:2.2.3:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Julen Garrido Est\u00e9vez (B3xal)"
        }
      ],
      "datePublic": "2026-02-17T11:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user\u0027s profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint \u0027http://\u0026lt;IP\u0026gt;:12900/users/\u0026lt;my_user\u0026gt;\u0027 does not implement object-level authorization validations."
            }
          ],
          "value": "Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user\u0027s profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint \u0027http://\u003cIP\u003e:12900/users/\u003cmy_user\u003e\u0027 does not implement object-level authorization validations."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-18T13:11:34.044Z",
        "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "shortName": "INCIBE"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylog"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "It is recommended to update the software to the latest version, where the vulnerability described has already been mitigated. For the affected version, the vulnerability is not mitigated, as the manufacturer considers all versions prior to the current one to be obsolete.\u003cbr\u003e"
            }
          ],
          "value": "It is recommended to update the software to the latest version, where the vulnerability described has already been mitigated. For the affected version, the vulnerability is not mitigated, as the manufacturer considers all versions prior to the current one to be obsolete."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Improper Access Control (IDOR) vulnerability in Graylog Web Interface",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
    "assignerShortName": "INCIBE",
    "cveId": "CVE-2026-1436",
    "datePublished": "2026-02-18T13:09:35.443Z",
    "dateReserved": "2026-01-26T13:20:07.838Z",
    "dateUpdated": "2026-02-18T14:19:37.438Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1389 (GCVE-0-2026-1389)

Vulnerability from cvelistv5 – Published: 2026-01-28 07:27 – Updated: 2026-04-08 16:54
VLAI
Title
Document Embedder <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion
Summary
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Itthidej Aramsri
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1389",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T14:45:32.505700Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T14:45:49.405Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files",
          "vendor": "bplugins",
          "versions": [
            {
              "lessThanOrEqual": "2.0.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Itthidej Aramsri"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the \u0027bplde_save_document_library\u0027, \u0027bplde_get_single\u0027, and \u0027bplde_delete_document_library\u0027 AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the \u0027id\u0027 parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:54:55.705Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59d14f6c-6286-454c-8629-96a0c2de943c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L66"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L103"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L159"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.5/includes/DocumentLibrary/Init-DocumentLibrary.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-23T21:07:02.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-01-27T19:18:50.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Document Embedder \u003c= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1389",
    "datePublished": "2026-01-28T07:27:34.729Z",
    "dateReserved": "2026-01-23T20:51:53.837Z",
    "dateUpdated": "2026-04-08T16:54:55.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1375 (GCVE-0-2026-1375)

Vulnerability from cvelistv5 – Published: 2026-02-03 07:31 – Updated: 2026-04-08 16:51
VLAI
Title
Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Athiwat Tiprasaharn Tharadol Suksamran
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1375",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:45:56.367297Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:46:05.937Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Tutor LMS \u2013 eLearning and online course solution",
          "vendor": "themeum",
          "versions": [
            {
              "lessThanOrEqual": "3.9.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Athiwat Tiprasaharn"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Tharadol Suksamran"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:51:47.055Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1\u0026old=3339576\u0026old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-23T18:20:12.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-02-02T18:41:05.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Tutor LMS \u003c= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1375",
    "datePublished": "2026-02-03T07:31:23.100Z",
    "dateReserved": "2026-01-23T18:04:32.011Z",
    "dateUpdated": "2026-04-08T16:51:47.055Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1338 (GCVE-0-2026-1338)

Vulnerability from cvelistv5 – Published: 2026-05-14 05:36 – Updated: 2026-05-14 13:05
VLAI
Title
Authorization Bypass Through User-Controlled Key in GitLab
Summary
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to improper authorization checks.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
GitLab GitLab Affected: 17.10 , < 18.9.7 (semver)
Affected: 18.10 , < 18.10.6 (semver)
Affected: 18.11 , < 18.11.3 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Thanks [go7f0](https://hackerone.com/go7f0) for reporting this vulnerability through our HackerOne bug bounty program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1338",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T13:05:50.413837Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T13:05:58.427Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "18.9.7",
              "status": "affected",
              "version": "17.10",
              "versionType": "semver"
            },
            {
              "lessThan": "18.10.6",
              "status": "affected",
              "version": "18.10",
              "versionType": "semver"
            },
            {
              "lessThan": "18.11.3",
              "status": "affected",
              "version": "18.11",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [go7f0](https://hackerone.com/go7f0) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to improper authorization checks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T05:36:42.333Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "HackerOne Bug Bounty Report #3480620",
          "tags": [
            "technical-description",
            "exploit",
            "permissions-required"
          ],
          "url": "https://hackerone.com/reports/3480620"
        },
        {
          "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/587326"
        },
        {
          "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above."
        }
      ],
      "title": "Authorization Bypass Through User-Controlled Key in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2026-1338",
    "datePublished": "2026-05-14T05:36:42.333Z",
    "dateReserved": "2026-01-22T14:04:11.747Z",
    "dateUpdated": "2026-05-14T13:05:58.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1291 (GCVE-0-2026-1291)

Vulnerability from cvelistv5 – Published: 2026-06-13 08:29 – Updated: 2026-06-15 19:25
VLAI
Title
Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation
Summary
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
tigroumeow Meow Gallery Affected: 0 , ≤ 5.4.4 (semver)
Create a notification for this product.
Credits
Chawabhon Netisingha
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1291",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T16:44:06.486537Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T19:25:53.295Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Meow Gallery",
          "vendor": "tigroumeow",
          "versions": [
            {
              "lessThanOrEqual": "5.4.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Chawabhon Netisingha"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-13T08:29:40.890Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3386ea07-9c61-4b54-a451-1178ca6325cb?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/meow-gallery/trunk/classes/rest.php"
        },
        {
          "url": "https://wordpress.org/plugins/meow-gallery/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery/trunk/classes/rest.php"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fmeow-gallery/tags/5.4.4\u0026new_path=%2Fmeow-gallery/tags/5.4.5"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-21T16:34:45.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-12T19:54:13.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Meow Gallery \u003c= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1291",
    "datePublished": "2026-06-13T08:29:40.890Z",
    "dateReserved": "2026-01-21T16:18:13.278Z",
    "dateUpdated": "2026-06-15T19:25:53.295Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1271 (GCVE-0-2026-1271)

Vulnerability from cvelistv5 – Published: 2026-02-05 09:13 – Updated: 2026-04-08 17:00
VLAI
Title
ProfileGrid <= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification
Summary
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user's profile picture or cover image, including administrators.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
knani alaaeddine
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1271",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-05T14:44:53.708414Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-05T14:45:08.107Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ProfileGrid \u2013 User Profiles, Groups and Communities",
          "vendor": "metagauss",
          "versions": [
            {
              "lessThanOrEqual": "5.9.7.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "knani alaaeddine"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the \u0027pm_upload_image\u0027 and \u0027pm_upload_cover_image\u0027 AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user\u0027s profile picture or cover image, including administrators."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:00:31.484Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/712535ce-8c38-4944-aa0a-36d9bacaeb67?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/crop.php#L73"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/coverimg_crop.php#L60"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/crop.php#L73"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/coverimg_crop.php#L60"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3448434%40profilegrid-user-profiles-groups-and-communities\u0026new=3448434%40profilegrid-user-profiles-groups-and-communities\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-23T06:45:15.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-02-04T20:36:46.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "ProfileGrid \u003c= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1271",
    "datePublished": "2026-02-05T09:13:45.183Z",
    "dateReserved": "2026-01-20T21:46:58.650Z",
    "dateUpdated": "2026-04-08T17:00:31.484Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1251 (GCVE-0-2026-1251)

Vulnerability from cvelistv5 – Published: 2026-01-31 06:39 – Updated: 2026-04-08 17:05
VLAI
Title
SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference
Summary
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Theklis Stefani
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1251",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-02T17:55:47.971261Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-02T17:55:57.069Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System",
          "vendor": "psmplugins",
          "versions": [
            {
              "lessThanOrEqual": "3.4.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Theklis Stefani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the \u0027add_reply\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the \u0027description_attachments\u0027 parameter, re-associating those files to their own tickets and removing access from the original owners."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:05:35.339Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-individual-ticket.php#L1603"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3448376/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-20T19:19:37.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-01-23T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System \u003c= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1251",
    "datePublished": "2026-01-31T06:39:23.182Z",
    "dateReserved": "2026-01-20T19:04:14.485Z",
    "dateUpdated": "2026-04-08T17:05:35.339Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1228 (GCVE-0-2026-1228)

Vulnerability from cvelistv5 – Published: 2026-02-06 02:23 – Updated: 2026-04-08 17:24
VLAI
Title
Timeline Block <= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute
Summary
The Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgb_shortcode() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to disclose private timeline content via the id attribute supplied to the 'timeline_block' shortcode.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Credits
Kazuma Matsumoto
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1228",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-06T19:27:56.342985Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-06T19:28:05.665Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Timeline Block \u2013 Beautiful Timeline Builder for WordPress (Vertical \u0026 Horizontal Timelines)",
          "vendor": "bplugins",
          "versions": [
            {
              "lessThanOrEqual": "1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kazuma Matsumoto"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Timeline Block \u2013 Beautiful Timeline Builder for WordPress (Vertical \u0026 Horizontal Timelines) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgb_shortcode() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to disclose private timeline content via the id attribute supplied to the \u0027timeline_block\u0027 shortcode."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:24:31.746Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cecebfd0-c2af-4150-8793-299cdbeaa7b9?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3446078/timeline-block-block"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-20T13:17:45.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-02-05T13:39:29.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Timeline Block \u003c= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1228",
    "datePublished": "2026-02-06T02:23:38.677Z",
    "dateReserved": "2026-01-20T13:01:02.988Z",
    "dateUpdated": "2026-04-08T17:24:31.746Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1219 (GCVE-0-2026-1219)

Vulnerability from cvelistv5 – Published: 2026-02-19 09:26 – Updated: 2026-02-20 20:37
VLAI
Title
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure
Summary
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Kenneth Dunn
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1219",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T20:37:24.748298Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T20:37:50.944Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar",
          "vendor": "sonaar",
          "versions": [
            {
              "lessThanOrEqual": "5.10",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kenneth Dunn"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the \u0027load_track_note_ajax\u0027 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-19T09:26:36.530Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce8fa964-d543-4d46-a534-e403dff4f425?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/sonaar-music.php#L179"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/public/class-sonaar-music-public.php#L323"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3453076/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-18T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1219",
    "datePublished": "2026-02-19T09:26:36.530Z",
    "dateReserved": "2026-01-20T01:27:06.784Z",
    "dateUpdated": "2026-02-20T20:37:50.944Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.