Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-639

CWE-639

High likelihood

Authorization Bypass Through User-Controlled Key

Parent: CWE-863 - Incorrect Authorization

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

1,779 vulnerabilities with CWE-639

CVE-2026-25005 MEDIUM

N-Media Frontend File Manager <=23.5 - Auth Bypass

CVE-2026-25120 LOW

Gogs < 0.14.0 - Authorization Bypass via DeleteComment API

CVE-2026-2230 MEDIUM

Booking Calendar Plugin <10.14.14 - IDOR

CVE-2026-1436 MEDIUM

Graylog 2.2.3 - Privilege Escalation

CVE-2026-1987 MEDIUM

Scheduler Widget plugin <0.1.6 - Insecure Direct Object Reference

CVE-2026-1619 HIGH

Universal Software Inc. FlexCity/Kiosk <1.0.36 - Auth Bypass

CVE-2026-1080 MEDIUM

GitLab 16.7-18.6.5, 18.7-18.7.3, 18.8-18.8.3 - Authenticated Authorization Bypass via Iterations API

CVE-2026-25530 MEDIUM

Kanboard < 1.2.50 - Authenticated Authorization Bypass via getSwimlane API

CVE-2026-25497 HIGH

Craft CMS GraphQL API - Cross-Volume Asset Privilege Escalation

CVE-2026-24900 MEDIUM

Markus < 2.9.1 - Authorization Bypass via Submission File ID Parameter

CVE-2026-25567 MEDIUM

WeKan < 8.19 - Authenticated Comment Author Spoofing via authorId Parameter

CVE-2026-25564 HIGH

WeKan < 8.19 - Insecure Direct Object Reference via Checklist Card-Board Relationship Tampering

CVE-2026-25563 HIGH

WeKan < 8.19 - Authorization Bypass via Checklist Creation IDOR

CVE-2026-25757 MEDIUM

Spree < 5.0.8 - Unauthenticated Order Information Disclosure via Order ID

CVE-2026-25758 HIGH

Spree < 4.10.3 - Unauthenticated Insecure Direct Object Reference in Guest Checkout Address Binding

CVE-2026-25574 MEDIUM

Payload < 3.74.0 - Authenticated Insecure Direct Object Reference in Preferences Collection

CVE-2026-24776 MEDIUM

OpenProject <17.0.2 - Info Disclosure

CVE-2026-2010 MEDIUM

Sanluan PublicCMS <4.0-6.202506.d - Privilege Escalation

CVE-2026-1228 MEDIUM

Timeline Block <1.3.3 - Info Disclosure

CVE-2026-1271 MEDIUM

ProfileGrid - User Profiles, Groups and Communities <5.9.7.2 - Inse...

CVE-2026-24773 HIGH

Open eClass Platform < 4.2 - Unauthenticated Insecure Direct Object Reference

CVE-2026-24991 MEDIUM

HT Plugins Extensions For CF7 <3.4.0 - Auth Bypass

CVE-2026-1664 MEDIUM

npm agents < 0.3.7 - Insecure Direct Object Reference via Email Header Spoofing

CVE-2026-1375 HIGH

Tutor LMS <=3.9.5 - Instructor Course IDOR

CVE-2026-0909 MEDIUM

WP ULike <4.8.3.1 - Insecure Direct Object Reference

Previous Page 19 of 72 Next

Details

Vulnerabilities 1,779

Exploit Likelihood High

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy