Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-639

CWE-639

High likelihood

Authorization Bypass Through User-Controlled Key

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,777 vulnerabilities with CWE-639

CVE-2026-5875 MEDIUM

Google Chrome <147.0.7727.55 - UI Spoofing

CVE-2026-35478 HIGH

InvenTree has Arbitrary API Token Creation

CVE-2026-35165 MEDIUM

LORIS has incorrect access checks in document_repository

CVE-2026-34985 MEDIUM

LORIS has incorrect access checks in media module

CVE-2026-32589 HIGH

Mirror-registry: quay: insecure direct object reference in blobupload

CVE-2026-35023 MEDIUM

Wimi Teamwork On-Premises < 8.2.0 IDOR via preview.php

CVE-2026-39616 MEDIUM

WordPress Download Attachments plugin <= 1.4.0 - Insecure Direct Object References (IDOR) vulnerability

CVE-2026-39526 MEDIUM

WordPress WpStream plugin < 4.11.2 - Insecure Direct Object References (IDOR) vulnerability

CVE-2026-39510 LOW

WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.11 - Insecure Direct Object References (IDOR) vulnerability

CVE-2026-4654 MEDIUM

Awesome Support <= 6.3.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter

CVE-2026-4330 MEDIUM

Blog2Social: Social Media Auto Post & Scheduler < 8.8.3 - Authorization Bypass

CVE-2026-5167 MEDIUM

Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint

CVE-2026-39374 MEDIUM

Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint

CVE-2026-39354 MEDIUM

Scoold <1.66.2 POST /questions/ask - Question Overwrite

CVE-2026-39331 HIGH

ChurchCRM <7.1.0 Family API - Authorization Bypass

CVE-2026-39384 HIGH

FreeScout Customer Merge Cross-Mailbox Authorization Bypass

CVE-2026-35584 MEDIUM

FreeScout <1.8.212 Open Tracking Endpoint - Insecure Direct Object Reference

CVE-2026-35489 HIGH

Tandoor Recipes — `amount`/`unit` bypass serializer in `food/{id}/shopping/`

CVE-2026-5465 HIGH

Amelia <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter

CVE-2026-35183 HIGH

Brave CMS <2.0.6 Article Image Deletion - Insecure Direct Object Reference

CVE-2026-35173 MEDIUM

Chyrp Lite <2026.01 Post Model - Insecure Direct Object Reference

CVE-2026-35045 HIGH

Tandoor Recipes Affected by Private Recipe Exposure and Unauthorized Modification

CVE-2026-34444 CRITICAL

Lupa <=2.6 getattr and setattr - Sandbox Escape

CVE-2026-31150 MEDIUM

Kaleris YMS 7.2.2.1 - Incorrect Access Control

CVE-2026-4896 HIGH

WCFM - WooCommerce Frontend Manager <= 6.7.25 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation

Previous Page 12 of 72 Next

Details

Vulnerabilities 1,777

Exploit Likelihood High

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy