CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-1987 (GCVE-0-2026-1987)
Vulnerability from cvelistv5 – Published: 2026-02-14 06:42 – Updated: 2026-04-08 17:34
VLAI
Title
Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification
Summary
The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID.
Severity
5.4 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| morelmathieuj | Scheduler Widget |
Affected:
0 , ≤ 0.1.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1987",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T15:36:28.901404Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T15:45:11.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Scheduler Widget",
"vendor": "morelmathieuj",
"versions": [
{
"lessThanOrEqual": "0.1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "MD. TAREQ AHAMED JONY"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:34:57.193Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd5f370c-743f-41f1-80ab-7f0805cae38c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/scheduler-widget/trunk/scheduler-widget.php#L158"
},
{
"url": "https://plugins.trac.wordpress.org/browser/scheduler-widget/tags/0.1.6/scheduler-widget.php#L158"
},
{
"url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References"
},
{
"url": "https://cwe.mitre.org/data/definitions/639.html"
},
{
"url": "https://cwe.mitre.org/data/definitions/862.html"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-13T18:27:43.000Z",
"value": "Disclosed"
}
],
"title": "Scheduler Widget \u003c= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1987",
"datePublished": "2026-02-14T06:42:37.284Z",
"dateReserved": "2026-02-05T15:13:29.984Z",
"dateUpdated": "2026-04-08T17:34:57.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1992 (GCVE-0-2026-1992)
Vulnerability from cvelistv5 – Published: 2026-03-11 09:25 – Updated: 2026-03-11 13:30
VLAI
Title
ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation
Summary
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type.
Severity
8.8 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) |
Affected:
8.0.0 , ≤ 9.0.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T13:29:03.679877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T13:30:00.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin)",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "9.0.2",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ali S\u00fcnb\u00fcl"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ExactMetrics \u2013 Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user\u0027s ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator\u0027s user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T09:25:43.399Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79b6b896-df66-4c3d-a4d4-d3dbeb630134?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php#L273"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php?old=3309894\u0026old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fadmin%2Fclass-exactmetrics-onboarding.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-05T16:28:59.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-10T21:00:15.000Z",
"value": "Disclosed"
}
],
"title": "ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1992",
"datePublished": "2026-03-11T09:25:43.399Z",
"dateReserved": "2026-02-05T16:08:52.114Z",
"dateUpdated": "2026-03-11T13:30:00.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20219 (GCVE-0-2026-20219)
Vulnerability from cvelistv5 – Published: 2026-05-06 17:10 – Updated: 2026-05-06 19:09
VLAI
Summary
A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed.
This vulnerability existed because of the presence of an insecure direct object reference. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by sending a crafted request to the vulnerable API endpoint. A successful exploit could have allowed the attacker to view the social profiles of other users or affect quiz and poll results.
Severity
5.4 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cisco | Cisco Webex Meetings |
Affected:
39.10
Affected: 39.11 Affected: 39.6 Affected: 39.7 Affected: 39.7.4 Affected: 39.7.7 Affected: 39.8 Affected: 39.8.2 Affected: 39.8.3 Affected: 39.8.4 Affected: 39.9 Affected: 39.9.1 Affected: 40.1 Affected: 40.2 Affected: 40.4 Affected: 40.4.10 Affected: 40.6 Affected: 40.6.2 Affected: 42.10 Affected: 42.11 Affected: 42.6 Affected: 42.9 Affected: 42.12 Affected: 42.7 Affected: 43.1 Affected: 43.4 Affected: 43.4.2 Affected: 43.5.0 Affected: 43.4.1 |
|
| Cisco | Cisco Slido |
Affected:
N/A
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T19:08:45.650631Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T19:09:39.992Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco Webex Meetings",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "39.10"
},
{
"status": "affected",
"version": "39.11"
},
{
"status": "affected",
"version": "39.6"
},
{
"status": "affected",
"version": "39.7"
},
{
"status": "affected",
"version": "39.7.4"
},
{
"status": "affected",
"version": "39.7.7"
},
{
"status": "affected",
"version": "39.8"
},
{
"status": "affected",
"version": "39.8.2"
},
{
"status": "affected",
"version": "39.8.3"
},
{
"status": "affected",
"version": "39.8.4"
},
{
"status": "affected",
"version": "39.9"
},
{
"status": "affected",
"version": "39.9.1"
},
{
"status": "affected",
"version": "40.1"
},
{
"status": "affected",
"version": "40.2"
},
{
"status": "affected",
"version": "40.4"
},
{
"status": "affected",
"version": "40.4.10"
},
{
"status": "affected",
"version": "40.6"
},
{
"status": "affected",
"version": "40.6.2"
},
{
"status": "affected",
"version": "42.10"
},
{
"status": "affected",
"version": "42.11"
},
{
"status": "affected",
"version": "42.6"
},
{
"status": "affected",
"version": "42.9"
},
{
"status": "affected",
"version": "42.12"
},
{
"status": "affected",
"version": "42.7"
},
{
"status": "affected",
"version": "43.1"
},
{
"status": "affected",
"version": "43.4"
},
{
"status": "affected",
"version": "43.4.2"
},
{
"status": "affected",
"version": "43.5.0"
},
{
"status": "affected",
"version": "43.4.1"
}
]
},
{
"product": "Cisco Slido",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed.\r\n\r This vulnerability existed because of the presence of an insecure direct object reference. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by sending a crafted request to the vulnerable API endpoint. A successful exploit could have allowed the attacker to view the social profiles of other users or affect quiz and poll results."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "cvssV3_1"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T17:10:46.343Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "cisco-sa-slido-idor-CpsFmKxN",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-slido-idor-CpsFmKxN"
}
],
"source": {
"advisory": "cisco-sa-slido-idor-CpsFmKxN",
"defects": [
"CSCwt90572"
],
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20219",
"datePublished": "2026-05-06T17:10:46.343Z",
"dateReserved": "2025-10-08T11:59:15.398Z",
"dateUpdated": "2026-05-06T19:09:39.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2028 (GCVE-0-2026-2028)
Vulnerability from cvelistv5 – Published: 2026-04-24 03:27 – Updated: 2026-04-24 13:59
VLAI
Title
Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter
Summary
The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators.
Severity
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ckp267 | MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites |
Affected:
0 , ≤ 2.1.8
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2028",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T13:58:56.361470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T13:59:29.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons \u0026 Starter Sites",
"vendor": "ckp267",
"versions": [
{
"lessThanOrEqual": "2.1.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Teerachai Somprasong"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the \u0027maxi_remove_custom_image_size\u0027 AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T03:27:06.728Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f50c31df-56d0-4c34-a93c-56198fe91b36?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/trunk/core/class-maxi-image-crop.php#L44"
},
{
"url": "https://plugins.trac.wordpress.org/browser/maxi-blocks/tags/2.1.7/core/class-maxi-image-crop.php#L44"
},
{
"url": "https://github.com/maxi-blocks/maxi-blocks/commit/3dff1db57bfb4e6c14fa7fd42037178d1d0ce199"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3476709%40maxi-blocks\u0026new=3476709%40maxi-blocks\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3476709/maxi-blocks/trunk/core/class-maxi-image-crop.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-16T10:47:43.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-23T14:43:34.000Z",
"value": "Disclosed"
}
],
"title": "Maxi Blocks \u003c= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via \u0027old_media_src\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2028",
"datePublished": "2026-04-24T03:27:06.728Z",
"dateReserved": "2026-02-05T21:46:52.497Z",
"dateUpdated": "2026-04-24T13:59:29.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20897 (GCVE-0-2026-20897)
Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-23 21:54
VLAI
Title
Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)
Summary
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
Severity
9.1 (Critical)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/go-gitea/gitea/security/adviso… | vendor-advisory |
| https://github.com/go-gitea/gitea/pull/36344 | patch |
| https://github.com/go-gitea/gitea/pull/36349 | patch |
| https://github.com/go-gitea/gitea/releases/tag/v1.25.4 | release-notes |
| https://blog.gitea.com/release-of-1.25.4/ | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Gitea | Gitea Open Source Git Server |
Affected:
0 , ≤ 1.25.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-23T17:56:55.236953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T21:54:06.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gitea Open Source Git Server",
"vendor": "Gitea",
"versions": [
{
"lessThanOrEqual": "1.25.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "spingARbor"
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T22:01:51.508Z",
"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"shortName": "Gitea"
},
"references": [
{
"name": "GitHub Security Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-rrq5-r9h5-pc7c"
},
{
"name": "GitHub Pull Request #36344",
"tags": [
"patch"
],
"url": "https://github.com/go-gitea/gitea/pull/36344"
},
{
"name": "GitHub Pull Request #36349",
"tags": [
"patch"
],
"url": "https://github.com/go-gitea/gitea/pull/36349"
},
{
"name": "Gitea v1.25.4 Release",
"tags": [
"release-notes"
],
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
},
{
"name": "Gitea v1.25.4 Release Blog Post",
"tags": [
"release-notes"
],
"url": "https://blog.gitea.com/release-of-1.25.4/"
}
],
"title": "Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"assignerShortName": "Gitea",
"cveId": "CVE-2026-20897",
"datePublished": "2026-01-22T22:01:51.508Z",
"dateReserved": "2026-01-08T23:02:37.525Z",
"dateUpdated": "2026-01-23T21:54:06.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20904 (GCVE-0-2026-20904)
Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-23 21:53
VLAI
Title
Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes
Summary
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
Severity
6.5 (Medium)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/go-gitea/gitea/security/adviso… | vendor-advisory |
| https://github.com/go-gitea/gitea/pull/36346 | patch |
| https://github.com/go-gitea/gitea/pull/36361 | patch |
| https://github.com/go-gitea/gitea/releases/tag/v1.25.4 | release-notes |
| https://blog.gitea.com/release-of-1.25.4/ | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Gitea | Gitea Open Source Git Server |
Affected:
0 , ≤ 1.25.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-23T17:52:05.088654Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T21:53:53.397Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gitea Open Source Git Server",
"vendor": "Gitea",
"versions": [
{
"lessThanOrEqual": "1.25.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "spingARbor"
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users\u0027 OpenID identities."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T22:01:51.762Z",
"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"shortName": "Gitea"
},
"references": [
{
"name": "GitHub Security Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-jrpc-w85r-hgqx"
},
{
"name": "GitHub Pull Request #36346",
"tags": [
"patch"
],
"url": "https://github.com/go-gitea/gitea/pull/36346"
},
{
"name": "GitHub Pull Request #36361",
"tags": [
"patch"
],
"url": "https://github.com/go-gitea/gitea/pull/36361"
},
{
"name": "Gitea v1.25.4 Release",
"tags": [
"release-notes"
],
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
},
{
"name": "Gitea v1.25.4 Release Blog Post",
"tags": [
"release-notes"
],
"url": "https://blog.gitea.com/release-of-1.25.4/"
}
],
"title": "Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes"
}
},
"cveMetadata": {
"assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"assignerShortName": "Gitea",
"cveId": "CVE-2026-20904",
"datePublished": "2026-01-22T22:01:51.762Z",
"dateReserved": "2026-01-08T23:02:37.537Z",
"dateUpdated": "2026-01-23T21:53:53.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20912 (GCVE-0-2026-20912)
Vulnerability from cvelistv5 – Published: 2026-01-22 22:01 – Updated: 2026-01-23 21:53
VLAI
Title
Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure
Summary
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
Severity
9.1 (Critical)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/go-gitea/gitea/security/adviso… | vendor-advisory |
| https://github.com/go-gitea/gitea/pull/36320 | patch |
| https://github.com/go-gitea/gitea/pull/36355 | patch |
| https://github.com/go-gitea/gitea/releases/tag/v1.25.4 | release-notes |
| https://blog.gitea.com/release-of-1.25.4/ | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Gitea | Gitea Open Source Git Server |
Affected:
0 , ≤ 1.25.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20912",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-23T17:51:12.073308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T21:53:41.649Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gitea Open Source Git Server",
"vendor": "Gitea",
"versions": [
{
"lessThanOrEqual": "1.25.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "spingARbor"
}
],
"descriptions": [
{
"lang": "en",
"value": "Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T22:01:52.026Z",
"orgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"shortName": "Gitea"
},
"references": [
{
"name": "GitHub Security Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw"
},
{
"name": "GitHub Pull Request #36320",
"tags": [
"patch"
],
"url": "https://github.com/go-gitea/gitea/pull/36320"
},
{
"name": "GitHub Pull Request #36355",
"tags": [
"patch"
],
"url": "https://github.com/go-gitea/gitea/pull/36355"
},
{
"name": "Gitea v1.25.4 Release",
"tags": [
"release-notes"
],
"url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
},
{
"name": "Gitea v1.25.4 Release Blog Post",
"tags": [
"release-notes"
],
"url": "https://blog.gitea.com/release-of-1.25.4/"
}
],
"title": "Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "88ee5874-cf24-4952-aea0-31affedb7ff2",
"assignerShortName": "Gitea",
"cveId": "CVE-2026-20912",
"datePublished": "2026-01-22T22:01:52.026Z",
"dateReserved": "2026-01-08T23:02:37.548Z",
"dateUpdated": "2026-01-23T21:53:41.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2104 (GCVE-0-2026-2104)
Vulnerability from cvelistv5 – Published: 2026-04-08 22:25 – Updated: 2026-04-09 15:43
VLAI
Title
Authorization Bypass Through User-Controlled Key in GitLab
Summary
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks.
Severity
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/3541476 | technical-descriptionexploitpermissions-required |
| https://gitlab.com/gitlab-org/gitlab/-/work_items… | |
| https://about.gitlab.com/releases/2026/04/08/patc… |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T15:43:15.918452Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T15:43:25.441Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "18.8.9",
"status": "affected",
"version": "18.2",
"versionType": "semver"
},
{
"lessThan": "18.9.5",
"status": "affected",
"version": "18.9",
"versionType": "semver"
},
{
"lessThan": "18.10.3",
"status": "affected",
"version": "18.10",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks [ahacker1](https://hackerone.com/ahacker1) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T22:25:47.858Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "HackerOne Bug Bounty Report #3541476",
"tags": [
"technical-description",
"exploit",
"permissions-required"
],
"url": "https://hackerone.com/reports/3541476"
},
{
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/589021"
},
{
"url": "https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above."
}
],
"title": "Authorization Bypass Through User-Controlled Key in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-2104",
"datePublished": "2026-04-08T22:25:47.858Z",
"dateReserved": "2026-02-06T14:04:19.833Z",
"dateUpdated": "2026-04-09T15:43:25.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21409 (GCVE-0-2026-21409)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:15 – Updated: 2026-01-09 18:11
VLAI
Summary
Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved.
Severity
CWE
- CWE-639 - Authorization bypass through user-controlled key
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Ricoh Company, Ltd. | RICOH Streamline NX |
Affected:
3.5.1 to 24R3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:11:32.736478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:11:55.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RICOH Streamline NX",
"vendor": "Ricoh Company, Ltd.",
"versions": [
{
"status": "affected",
"version": "3.5.1 to 24R3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user\u0027s registration information and/or OIDC (OpenID Connect) tokens may be retrieved."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization bypass through user-controlled key",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T07:15:52.994Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000011"
},
{
"url": "https://jvn.jp/en/jp/JVN12770174/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-21409",
"datePublished": "2026-01-09T07:15:52.994Z",
"dateReserved": "2025-12-24T07:24:57.904Z",
"dateUpdated": "2026-01-09T18:11:55.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21447 (GCVE-0-2026-21447)
Vulnerability from cvelistv5 – Published: 2026-01-02 20:15 – Updated: 2026-01-02 21:30
VLAI
Title
Bagisto has IDOR in Customer Order Reorder Functionality
Summary
Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.
Severity
7.1 (High)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/bagisto/bagisto/security/advis… | x_refsource_CONFIRM |
| https://github.com/bagisto/bagisto/commit/b2b1cf6… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21447",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-02T21:30:27.531357Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T21:30:38.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bagisto",
"vendor": "bagisto",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer\u0027s order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T20:15:11.750Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm"
},
{
"name": "https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3"
}
],
"source": {
"advisory": "GHSA-x5rw-qvvp-5cgm",
"discovery": "UNKNOWN"
},
"title": "Bagisto has IDOR in Customer Order Reorder Functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21447",
"datePublished": "2026-01-02T20:15:11.750Z",
"dateReserved": "2025-12-29T03:00:29.277Z",
"dateUpdated": "2026-01-02T21:30:38.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Phase: Architecture and Design
Description:
- Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.