Total
1425 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1704 | 2026-03-16 | N/A | 4.3 MEDIUM | ||
| The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the appointment ID parameter. | |||||
| CVE-2026-2879 | 2026-03-16 | N/A | 5.4 MEDIUM | ||
| The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and, when a post with that ID exists, calls `wp_update_post()` without verifying that the current user owns the post or that the post is of the expected `getgenie_chat` type. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite arbitrary posts owned by any user — including Administrators — effectively destroying the original content by changing its `post_type` to `getgenie_chat` and reassigning `post_author` to the attacker. | |||||
| CVE-2026-2888 | 2026-03-16 | N/A | 5.3 MEDIUM | ||
| The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page's JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services. | |||||
| CVE-2026-3999 | 2026-03-16 | N/A | N/A | ||
| A broken access control may allow an authenticated user to perform a horizontal privilege escalation. The vulnerability only impacts specific configurations. | |||||
| CVE-2017-20223 | 2026-03-16 | N/A | 9.8 CRITICAL | ||
| Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access resources by manipulating user-supplied input parameters. Attackers can directly reference objects in the system to retrieve sensitive information and access functionalities without proper access controls. | |||||
| CVE-2026-1947 | 2026-03-16 | N/A | 7.5 HIGH | ||
| The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter. | |||||
| CVE-2026-4171 | 2026-03-16 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-3020 | 2026-03-16 | N/A | N/A | ||
| Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other users' legitimate accounts | |||||
| CVE-2026-1883 | 2026-03-16 | N/A | 4.3 MEDIUM | ||
| The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users. | |||||
| CVE-2026-30969 | 1 Coralos | 1 Coral Server | 2026-03-13 | N/A | 9.1 CRITICAL |
| Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server did not enforce strong authentication between agents and the server within an active session. This could allow an attacker who obtained or predicted a session identifier to impersonate an agent or join an existing session. This vulnerability is fixed in 1.1.0. | |||||
| CVE-2025-62166 | 1 Freshrss | 1 Freshrss | 2026-03-13 | N/A | 7.5 HIGH |
| FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0. | |||||
| CVE-2026-28433 | 1 Misskey | 1 Misskey | 2026-03-13 | N/A | 4.3 MEDIUM |
| Misskey is an open source, federated social media platform. All Misskey servers running versions 10.93.0 and later, but prior to 2026.3.1, contain a vulnerability that allows importing other users' data due to lack of ownership validation. The impact of this vulnerability is estimated to be relatively low, as bad actors would require the ID corresponding to the target file for import. This vulnerability is fixed in 2026.3.1. | |||||
| CVE-2026-30885 | 1 Wwbn | 1 Avideo | 2026-03-13 | N/A | 5.3 MEDIUM |
| WWBN AVideo is an open source video platform. Prior to 25.0, the /objects/playlistsFromUser.json.php endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform. This vulnerability is fixed in 25.0. | |||||
| CVE-2026-30927 | 1 Admidio | 1 Admidio | 2026-03-13 | N/A | 5.4 MEDIUM |
| Admidio is an open-source user management solution. Prior to 5.0.6, in modules/events/events_function.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the user_uuid GET parameter. The condition uses || (OR), meaning if possibleToParticipate() returns true (event is open for participation), ANY user - not just leaders - can specify a different user_uuid and register/cancel participation for that user. The code then operates on $user->getValue('usr_id') (the target user from user_uuid) rather than the current user. This vulnerability is fixed in 5.0.6. | |||||
| CVE-2025-67298 | 2026-03-12 | N/A | 8.1 HIGH | ||
| An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile | |||||
| CVE-2019-25487 | 2026-03-12 | N/A | 9.8 CRITICAL | ||
| SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execute code on the device with router privileges. | |||||
| CVE-2026-2366 | 2026-03-12 | N/A | 3.1 LOW | ||
| A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled. | |||||
| CVE-2026-3306 | 1 Github | 1 Enterprise Server | 2026-03-12 | N/A | 4.3 MEDIUM |
| An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's repository write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3. | |||||
| CVE-2026-30959 | 1 Hackerbay | 1 Oneuptime | 2026-03-12 | N/A | 5.0 MEDIUM |
| OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service. | |||||
| CVE-2026-30920 | 1 Hackerbay | 1 Oneuptime | 2026-03-12 | N/A | 8.6 HIGH |
| OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19. | |||||