Total
1144 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7733 | 2025-12-20 | 4.3 Medium | ||
| The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user. | ||||
| CVE-2022-29287 | 1 Kentico | 1 Xperience | 2025-12-19 | 4.9 Medium |
| Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights (default is Administrator) to export the user options of any user, even ones with higher privileges (like Global Administrators) than the current user. The exported XML contains every option of the exported user (even the hashed password). | ||||
| CVE-2025-34436 | 1 Wwbn | 1 Avideo | 2025-12-19 | 8.8 High |
| AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks. | ||||
| CVE-2025-34438 | 1 Wwbn | 1 Avideo | 2025-12-19 | 8.1 High |
| AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video. | ||||
| CVE-2025-34437 | 2 Wwbn, Wwnb | 2 Avideo, Avideo | 2025-12-19 | 8.8 High |
| AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects. | ||||
| CVE-2025-34435 | 1 Wwbn | 1 Avideo | 2025-12-19 | 6.5 Medium |
| AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video. | ||||
| CVE-2025-10910 | 2025-12-19 | N/A | ||
| A flaw in the binding process of Govee’s cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker’s account, resulting in full control of the device and removal of the device from its legitimate owner’s account. The server‑side API allows device association using a set of identifiers: "device", "sku", "type", and a client‑computed "value", that are not cryptographically bound to a secret originating from the device itself. The vulnerability has been verified for the Govee H6056 - lamp device in firmware version 1.08.13, but may affect also other Govee cloud‑connected devices. The vendor is investigating other potentially affected models. The vendor has deployed server-side security enhancements and automatic firmware updates for model H6056. Most of H6056 devices have been successfully patched through automatic updates. Remaining H6056 users with upgradeable hardware versions must manually update firmware through the Govee Home app while keeping their device WiFi-connected. Users should open the Govee Home app, tap their H6056 device card to enter the device details page, tap the settings icon in the upper right corner, navigate to Device Information section (Firmware Version), and tap the Update button to install the security patch immediately. Govee H6056 devices with hardware versions 1.00.10 or 1.00.11 cannot receive firmware update due to hardware limitations. | ||||
| CVE-2025-1031 | 1 Utarit | 1 Soliclub | 2025-12-19 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Utarit Informatics Services Inc. SoliClub allows Functionality Misuse.This issue affects SoliClub: from 5.2.4 before 5.3.7. | ||||
| CVE-2025-14882 | 2025-12-19 | N/A | ||
| An API endpoint allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only. | ||||
| CVE-2025-64282 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Radius Blocks: from n/a through 2.2.1. | ||||
| CVE-2025-63043 | 2 Pickplugins, Wordpress | 2 Post Grid, Wordpress | 2025-12-19 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.19. | ||||
| CVE-2025-14881 | 2025-12-19 | N/A | ||
| Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only. | ||||
| CVE-2025-66911 | 2025-12-19 | 6.5 Medium | ||
| Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks. | ||||
| CVE-2025-64011 | 1 Nextcloud | 2 Nextcloud Server, Server | 2025-12-19 | 4.3 Medium |
| Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions. | ||||
| CVE-2025-43732 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-19 | 2.7 Low |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 is vulnerable to Insecure Direct Object Reference (IDOR) in the groupId parameter of the _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId. When an organization administrator modifies this parameter id value, they can gain unauthorized access to user lists from other organizations. | ||||
| CVE-2025-10019 | 2 Codepeople, Wordpress | 2 Contact Form Email, Wordpress | 2025-12-19 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.60. | ||||
| CVE-2025-13110 | 2 Realmag777, Wordpress | 2 Huskys Products Filter Professional For Woocommerce, Wordpress | 2025-12-19 | 4.3 Medium |
| The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators. | ||||
| CVE-2025-67985 | 1 Wordpress | 1 Wordpress | 2025-12-18 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Document Library Lite: from n/a through <= 1.1.7. | ||||
| CVE-2023-53930 | 1 Projectsend | 1 Projectsend | 2025-12-18 | 9.8 Critical |
| ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.php. | ||||
| CVE-2023-53914 | 1 Ulicms | 1 Ulicms | 2025-12-18 | 9.8 Critical |
| UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate an administrative account with full system access. | ||||