Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3256 vulnerabilities reference this CWE, most recent first.

CVE-2026-3453 (GCVE-0-2026-3453)

Vulnerability from cvelistv5 – Published: 2026-03-11 02:22 – Updated: 2026-04-08 17:01
VLAI
Title
ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration
Summary
The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts a user-controlled subscription ID intended for plan upgrades, loads the subscription record, and cancels/expires it without verifying the subscription belongs to the requesting user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and expire any other user's active subscription via the change_plan_sub_id parameter during checkout, causing immediate loss of paid access for victims.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Credits
Supanat Konprom
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3453",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T15:38:16.449248Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T15:39:47.219Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile \u0026 Restrict Content \u2013 ProfilePress",
          "vendor": "properfraction",
          "versions": [
            {
              "lessThanOrEqual": "4.16.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Supanat Konprom"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts a user-controlled subscription ID intended for plan upgrades, loads the subscription record, and cancels/expires it without verifying the subscription belongs to the requesting user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and expire any other user\u0027s active subscription via the change_plan_sub_id parameter during checkout, causing immediate loss of paid access for victims."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:01:14.561Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74e4808f-bd6f-4e62-91cb-31c86a427498?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L237"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L334"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L342"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3474509/wp-user-avatar/trunk/src/Membership/Controllers/CheckoutController.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-02T18:11:34.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-10T14:08:52.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "ProfilePress \u003c= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3453",
    "datePublished": "2026-03-11T02:22:46.456Z",
    "dateReserved": "2026-03-02T17:56:22.573Z",
    "dateUpdated": "2026-04-08T17:01:14.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3371 (GCVE-0-2026-3371)

Vulnerability from cvelistv5 – Published: 2026-04-11 01:25 – Updated: 2026-04-13 15:15
VLAI
Title
Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Hunter Jensen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3371",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T15:10:52.681017Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T15:15:07.829Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Tutor LMS \u2013 eLearning and online course solution",
          "vendor": "themeum",
          "versions": [
            {
              "lessThanOrEqual": "3.9.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hunter Jensen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler\u0027s `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-11T01:25:01.083Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-8577-449a-aefe-d7bf606fe2de?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1755"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L252"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7\u0026new_path=%2Ftutor/tags/3.9.8"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-27T19:33:20.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-04-10T12:00:50.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Tutor LMS \u003c= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3371",
    "datePublished": "2026-04-11T01:25:01.083Z",
    "dateReserved": "2026-02-27T22:04:08.540Z",
    "dateUpdated": "2026-04-13T15:15:07.829Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3321 (GCVE-0-2026-3321)

Vulnerability from cvelistv5 – Published: 2026-03-30 13:17 – Updated: 2026-03-30 15:32
VLAI
Title
Authorization Bypass in ON24 Q&A chat
Summary
A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
Impacted products
Vendor Product Version
ON24 ON24 Q&A chat Affected: 0 , ≤ * (custom)
Create a notification for this product.
Date Public
2026-03-30 10:00
Credits
Samuel de Lucas Maroto
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3321",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T15:32:27.722367Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T15:32:43.386Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ON24 Q\u0026A chat",
          "vendor": "ON24",
          "versions": [
            {
              "lessThanOrEqual": "*",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:on24:on24_q_a_chat:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "*",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Samuel de Lucas Maroto"
        }
      ],
      "datePublic": "2026-03-30T10:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability of authorization bypass through user-controlled key in the \u0027console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/\u0027 endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q\u0026amp;A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages."
            }
          ],
          "value": "A vulnerability of authorization bypass through user-controlled key in the \u0027console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/\u0027 endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q\u0026A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T13:17:51.425Z",
        "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "shortName": "INCIBE"
      },
      "references": [
        {
          "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-on24-qa-chat"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Authorization Bypass in ON24 Q\u0026A chat",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
    "assignerShortName": "INCIBE",
    "cveId": "CVE-2026-3321",
    "datePublished": "2026-03-30T13:17:51.425Z",
    "dateReserved": "2026-02-27T10:16:13.144Z",
    "dateUpdated": "2026-03-30T15:32:43.386Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3307 (GCVE-0-2026-3307)

Vulnerability from cvelistv5 – Published: 2026-04-21 22:23 – Updated: 2026-04-22 18:00
VLAI
Title
Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers
Summary
An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
GitHub Enterprise Server Affected: 3.14.0 , ≤ 3.14.24 (semver)
Affected: 3.15.0 , ≤ 3.15.19 (semver)
Affected: 3.16.0 , ≤ 3.16.15 (semver)
Affected: 3.17.0 , ≤ 3.17.12 (semver)
Affected: 3.18.0 , ≤ 3.18.6 (semver)
Affected: 3.19.0 , ≤ 3.19.3 (semver)
Affected: 3.20 , ≤ 3.20.0 (semver)
Create a notification for this product.
Credits
ahacker1
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3307",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T17:59:58.981543Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T18:00:21.619Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Enterprise Server",
          "vendor": "GitHub",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.14.25",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.14.24",
              "status": "affected",
              "version": "3.14.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.15.20",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.15.19",
              "status": "affected",
              "version": "3.15.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.16.16",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.16.15",
              "status": "affected",
              "version": "3.16.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.17.13",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.17.12",
              "status": "affected",
              "version": "3.17.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.18.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.18.6",
              "status": "affected",
              "version": "3.18.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.19.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.19.3",
              "status": "affected",
              "version": "3.19.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.20.1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.20.0",
              "status": "affected",
              "version": "3.20",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "ahacker1"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program.\u003cbr\u003e"
            }
          ],
          "value": "An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the owner_id parameter in the request body. Authorization was verified against the repository in the URL, but the action was applied to a different repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers; it does not allow adding arbitrary external users. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4 and 3.20.1. This vulnerability was reported via the GitHub Bug Bounty program."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-58",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-58 Restful Privilege Elevation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T22:23:25.045Z",
        "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "shortName": "GitHub_P"
      },
      "references": [
        {
          "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.25"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.20"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.16"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.13"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.7"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.4"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
    "assignerShortName": "GitHub_P",
    "cveId": "CVE-2026-3307",
    "datePublished": "2026-04-21T22:23:25.045Z",
    "dateReserved": "2026-02-26T21:00:43.352Z",
    "dateUpdated": "2026-04-22T18:00:21.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3306 (GCVE-0-2026-3306)

Vulnerability from cvelistv5 – Published: 2026-03-10 17:46 – Updated: 2026-03-11 14:17
VLAI
Title
Improper authorization in GitHub Projects allows modification of issue and pull request metadata without repository write access
Summary
An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's repository write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
GitHub Enterprise Server Affected: 3.14.0 , ≤ 3.14.23 (semver)
Affected: 3.15.0 , ≤ 3.15.18 (semver)
Affected: 3.16.0 , ≤ 3.16.14 (semver)
Affected: 3.17.0 , ≤ 3.17.11 (semver)
Affected: 3.18.0 , ≤ 3.18.5 (semver)
Affected: 3.19.0 , ≤ 3.19.2 (semver)
Create a notification for this product.
Credits
ahacker1
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3306",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T14:17:15.509272Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T14:17:24.504Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Enterprise Server",
          "vendor": "GitHub",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.14.24",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.14.23",
              "status": "affected",
              "version": "3.14.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.15.19",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.15.18",
              "status": "affected",
              "version": "3.15.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.16.15",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.16.14",
              "status": "affected",
              "version": "3.16.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.17.12",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.17.11",
              "status": "affected",
              "version": "3.17.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.18.6",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.18.5",
              "status": "affected",
              "version": "3.18.0",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "3.19.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.19.2",
              "status": "affected",
              "version": "3.19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "ahacker1"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor\u0027s repository write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.\u003cbr\u003e"
            }
          ],
          "value": "An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor\u0027s repository write permissions. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T17:46:57.090Z",
        "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "shortName": "GitHub_P"
      },
      "references": [
        {
          "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.24"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.19"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6"
        },
        {
          "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Improper authorization in GitHub Projects allows modification of issue and pull request metadata without repository write access",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
    "assignerShortName": "GitHub_P",
    "cveId": "CVE-2026-3306",
    "datePublished": "2026-03-10T17:46:57.090Z",
    "dateReserved": "2026-02-26T21:00:40.345Z",
    "dateUpdated": "2026-03-11T14:17:24.504Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3185 (GCVE-0-2026-3185)

Vulnerability from cvelistv5 – Published: 2026-02-25 13:32 – Updated: 2026-02-25 14:38 X_Open Source
VLAI
Title
feiyuchuixue sz-boot-parent API Endpoint sys-message authorization
Summary
A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected is an unknown function of the file /api/admin/sys-message/ of the component API Endpoint. The manipulation of the argument messageId results in authorization bypass. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 1.3.3-beta is able to address this issue. The patch is identified as aefaabfd7527188bfba3c8c9eee17c316d094802. The affected component should be upgraded. The project was informed beforehand and acted very professional: "We have implemented message ownership verification, so that users can only query messages related to themselves."
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
feiyuchuixue sz-boot-parent Affected: 1.3.2-beta
Unaffected: 1.3.3-beta
Create a notification for this product.
Credits
yuccun (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3185",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T14:36:08.327658Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-25T14:38:26.797Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "API Endpoint"
          ],
          "product": "sz-boot-parent",
          "vendor": "feiyuchuixue",
          "versions": [
            {
              "status": "affected",
              "version": "1.3.2-beta"
            },
            {
              "status": "unaffected",
              "version": "1.3.3-beta"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "yuccun (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected is an unknown function of the file /api/admin/sys-message/ of the component API Endpoint. The manipulation of the argument messageId results in authorization bypass. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 1.3.3-beta is able to address this issue. The patch is identified as aefaabfd7527188bfba3c8c9eee17c316d094802. The affected component should be upgraded. The project was informed beforehand and acted very professional: \"We have implemented message ownership verification, so that users can only query messages related to themselves.\""
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T13:32:09.902Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-347743 | feiyuchuixue sz-boot-parent API Endpoint sys-message authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.347743"
        },
        {
          "name": "VDB-347743 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.347743"
        },
        {
          "name": "Submit #754036 | feiyuchuixue https://github.com/feiyuchuixue/sz-boot-parent sz-boot-parent \u003c= v1.3.2-beta IDOR",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.754036"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/yuccun/CVE/blob/main/sz-boot-parent-IDOR_Message_ID_Enumeration.md"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/feiyuchuixue/sz-boot-parent/"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-25T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-02-25T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-02-25T09:37:22.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "feiyuchuixue sz-boot-parent API Endpoint sys-message authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-3185",
    "datePublished": "2026-02-25T13:32:09.902Z",
    "dateReserved": "2026-02-25T08:32:01.795Z",
    "dateUpdated": "2026-02-25T14:38:26.797Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3173 (GCVE-0-2026-3173)

Vulnerability from cvelistv5 – Published: 2026-05-28 05:30 – Updated: 2026-05-28 10:36
VLAI
Title
Meta Field Block <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure
Summary
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Osvaldo Noe Gonzalez Del Rio
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3173",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T10:25:42.127926Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T10:36:49.835Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Meta Field Block \u2013 Display custom fields in the Block Editor without coding",
          "vendor": "mr2p",
          "versions": [
            {
              "lessThanOrEqual": "1.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Osvaldo Noe Gonzalez Del Rio"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object\u0027s metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T05:30:39.772Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/247df9e2-0a63-49ad-86fa-cb4c6e62c4cf?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/display-a-meta-field-as-block/trunk/meta-field-block.php#L206"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/display-a-meta-field-as-block/trunk/meta-field-block.php#L328"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3472303/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-25T00:27:43.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-27T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Meta Field Block \u003c= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3173",
    "datePublished": "2026-05-28T05:30:39.772Z",
    "dateReserved": "2026-02-24T23:12:47.134Z",
    "dateUpdated": "2026-05-28T10:36:49.835Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3139 (GCVE-0-2026-3139)

Vulnerability from cvelistv5 – Published: 2026-03-31 11:18 – Updated: 2026-04-08 17:01
VLAI
Title
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field
Summary
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing 'post_author'.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Credits
M Indra Purnama
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3139",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T15:39:36.557641Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T15:40:10.227Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles \u0026 User Role Editor",
          "vendor": "cozmoslabs",
          "versions": [
            {
              "lessThanOrEqual": "3.15.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "M Indra Purnama"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles \u0026 User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing \u0027post_author\u0027."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:01:27.016Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/760f7736-db49-4210-a2f3-3abb506106d7?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3481772/profile-builder"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-24T17:57:47.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-30T21:39:25.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles \u0026 User Role Editor \u003c= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3139",
    "datePublished": "2026-03-31T11:18:56.130Z",
    "dateReserved": "2026-02-24T17:41:54.927Z",
    "dateUpdated": "2026-04-08T17:01:27.016Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3124 (GCVE-0-2026-3124)

Vulnerability from cvelistv5 – Published: 2026-03-30 01:24 – Updated: 2026-04-08 16:49
VLAI
Title
Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id'
Summary
The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
wpchill Download Monitor Affected: 0 , ≤ 5.1.7 (semver)
Create a notification for this product.
Credits
Hung Nguyen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3124",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-30T14:55:44.775010Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-30T14:56:17.380Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Download Monitor",
          "vendor": "wpchill",
          "versions": [
            {
              "lessThanOrEqual": "5.1.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hung Nguyen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:49:33.008Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45527d6c-6866-44e6-85c2-5be984afbbc9?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3470119/download-monitor"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-24T14:57:52.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-29T12:42:40.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Download Monitor \u003c= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via \u0027token\u0027 and \u0027order_id\u0027"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3124",
    "datePublished": "2026-03-30T01:24:44.783Z",
    "dateReserved": "2026-02-24T14:05:44.981Z",
    "dateUpdated": "2026-04-08T16:49:33.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3074 (GCVE-0-2026-3074)

Vulnerability from cvelistv5 – Published: 2026-05-14 05:36 – Updated: 2026-05-14 13:08
VLAI
Title
Authorization Bypass Through User-Controlled Key in GitLab
Summary
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
GitLab GitLab Affected: 16.7 , < 18.9.7 (semver)
Affected: 18.10 , < 18.10.6 (semver)
Affected: 18.11 , < 18.11.3 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Thanks [sndd](https://hackerone.com/sndd) for reporting this vulnerability through our HackerOne bug bounty program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3074",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T13:08:20.301724Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T13:08:28.045Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "18.9.7",
              "status": "affected",
              "version": "16.7",
              "versionType": "semver"
            },
            {
              "lessThan": "18.10.6",
              "status": "affected",
              "version": "18.10",
              "versionType": "semver"
            },
            {
              "lessThan": "18.11.3",
              "status": "affected",
              "version": "18.11",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanks [sndd](https://hackerone.com/sndd) for reporting this vulnerability through our HackerOne bug bounty program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T05:36:02.934Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "HackerOne Bug Bounty Report #3556163",
          "tags": [
            "technical-description",
            "exploit",
            "permissions-required"
          ],
          "url": "https://hackerone.com/reports/3556163"
        },
        {
          "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/591229"
        },
        {
          "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above."
        }
      ],
      "title": "Authorization Bypass Through User-Controlled Key in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2026-3074",
    "datePublished": "2026-05-14T05:36:02.934Z",
    "dateReserved": "2026-02-23T20:33:37.526Z",
    "dateUpdated": "2026-05-14T13:08:28.045Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.