b4r
blog cve me tags achievements
  1. Tags
  2. idor
  • cross-family access in churchcrm

    cve-2026-58410 let low-privileged churchcrm users with editself access read and modify other families records by changing the familyId in API routes

    b b4r
    July 3, 2026
    3 min read
    vulnerability cve web exploitation idor
  • an idor in xibo notification export

    cve-2026-50539 let any authenticated xibo cms user download arbitrary notification attachments through missing object-level authorization on notification export

    b b4r
    June 22, 2026
    2 min read
    vulnerability cve web exploitation idor
  • an idor in winter fileupload

    cve-2026-54256 let any authenticated backend user in wintercms target unrelated attachment records through the backend fileupload widget

    b b4r
    June 21, 2026
    3 min read
    vulnerability cve web exploitation idor
  • a public link bug in invoiceshelf

    cve-2026-55383 let public customer document tokens cross company boundaries in invoiceshelf through emaillog type confusion and missing expiry checks

    b b4r
    June 17, 2026
    3 min read
    vulnerability cve web exploitation idor
  • an idor in openproject through meeting agenda items

    cve-2026-49355 exposed private work package data through the single meeting agenda item api in openproject

    b b4r
    June 8, 2026
    2 min read
    vulnerability cve web exploitation idor
  • cross-tenant credential disclosure in itflow

    cve-2026-47755 let a low-privileged authenticated user pull another client credentials and totp secrets in itflow

    b b4r
    May 25, 2026
    2 min read
    vulnerability cve web exploitation idor
© 2026 All rights reserved.