CWE-639: Authorization Bypass Through User-Controlled Key (IDOR) — known CVE vulnerabilities
CVEs classified under CWE-639 (Authorization Bypass Through User-Controlled Key (IDOR)), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2025-40805 — CVSS 10.0 (critical): Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote…
CVE-2024-45032 — CVSS 10.0 (critical): A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge Management Virtual (All…
CVE-2026-34037 — CVSS 9.9 (critical): Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo()…
CVE-2026-52782 — CVSS 9.9 (critical): OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through…
CVE-2026-45552 — CVSS 9.9 (critical): Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint…
CVE-2026-29200: A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The…
CVE-2025-0987 — CVSS 9.9 (critical): Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows Parameter Injection. This issue affects…
CVE-2023-3287 — CVSS 9.9 (critical): A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in…
CVE-2023-38054 — CVSS 9.9 (critical): A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged…
CVE-2023-38053 — CVSS 9.9 (critical): A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of…
CVE-2023-38052 — CVSS 9.9 (critical): A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user…
CVE-2023-38051 — CVSS 9.9 (critical): A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low…
CVE-2023-38049 — CVSS 9.9 (critical): A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an…
CVE-2023-38048 — CVSS 9.9 (critical): A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user…
CVE-2026-12073 — CVSS 9.8 (critical): The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover…
CVE-2026-44083 — CVSS 9.8 (critical): An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then…
CVE-2026-24178 — CVSS 9.8 (critical): NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may…
CVE-2018-25270 — CVSS 9.8 (critical): ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by…
CVE-2026-2414 — CVSS 9.8 (critical): Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation.This issue affects Server: from…
CVE-2026-33511 — CVSS 9.8 (critical): pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the local_check…
CVE-2017-20223 — CVSS 9.8 (critical): Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 contains an insecure direct object reference vulnerability that allows attackers…
CVE-2026-31874 — CVSS 9.8 (critical): Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does…
CVE-2019-25487 — CVSS 9.8 (critical): SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system…
CVE-2020-37094 — CVSS 9.8 (critical): EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization…
CVE-2025-15521 — CVSS 9.8 (critical): The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via…
CVE-2026-22234 — CVSS 9.8 (critical): OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate…
CVE-2025-15018 — CVSS 9.8 (critical): The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including…
CVE-2020-36923 — CVSS 9.8 (critical): Sony BRAVIA Digital Signage 1.7.8 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization…
CVE-2025-15001 — CVSS 9.8 (critical): The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and…
CVE-2025-14996 — CVSS 9.8 (critical): The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all…
CVE-2025-14998 — CVSS 9.8 (critical): The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24…
CVE-2019-25235 — CVSS 9.8 (critical): Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative…
CVE-2023-53955 — CVSS 9.8 (critical): SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an insecure direct object reference vulnerability that allows attackers to bypass authorization…
CVE-2023-53914 — CVSS 9.8 (critical): UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass…
CVE-2025-67165 — CVSS 9.8 (critical): An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges.
CVE-2025-13615 — CVSS 9.8 (critical): The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is…
CVE-2025-58627 — CVSS 9.8 (critical): Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting…
CVE-2025-10742 — CVSS 9.8 (critical): The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is…
CVE-2025-5948 — CVSS 9.8 (critical): The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and…
CVE-2025-9114 — CVSS 9.8 (critical): The Doccure theme for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.5.0. This is due to the…
CVE-2025-45968 — CVSS 9.8 (critical): An issue in System PDV v1.0 allows a remote attacker to obtain sensitive information via the hash parameter in a URL. The application…
CVE-2025-5947 — CVSS 9.8 (critical): The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and…
CVE-2025-4855 — CVSS 9.8 (critical): The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default…
CVE-2025-3605 — CVSS 9.8 (critical): The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions…
CVE-2025-3811 — CVSS 9.8 (critical): The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2…
CVE-2025-3810 — CVSS 9.8 (critical): The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2…
CVE-2024-11285 — CVSS 9.8 (critical): The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1…
CVE-2024-11284 — CVSS 9.8 (critical): The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9…
CVE-2024-10215 — CVSS 9.8 (critical): The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to…