Skip to main content

CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

54 CVEs Avg CVSS 5.4 MITRE
5
CRITICAL
12
HIGH
19
MEDIUM
18
LOW
29
POC
0
KEV

Monthly

CVE-2026-15186 LOW Monitor

Resource identifier manipulation in macrozheng mall up to 1.0.3 allows authenticated remote attackers to access or affect return-application records belonging to other users by substituting arbitrary orderId values in POST requests to /returnApply/create. The flaw is classified as CWE-99 (Improper Control of Resource Identifiers), consistent with an Insecure Direct Object Reference (IDOR) pattern in the Portal Endpoint. A public exploit is available, and the vendor deleted the corresponding GitHub issue without comment, raising concerns about coordinated disclosure and patch status.

Information Disclosure Mall
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-13493 LOW POC PATCH Monitor

Workflow checkpoint endpoints in ComfyUI-Copilot up to 2.0.28 expose an insecure direct object reference (IDOR) flaw - the restore_workflow_checkpoint and update_workflow_ui handlers in conversation_api.py accept externally supplied version identifiers without verifying that the referenced checkpoint belongs to the requesting session, enabling an authenticated remote attacker to read workflow data owned by other sessions. The CVSS 4.0 score of 2.3 reflects limited confidentiality-only impact and high attack complexity (AC:H) due to the need to enumerate valid cross-session identifiers. A proof-of-concept is publicly available at GitHub issue #149; the upstream fix (PR #150) is pending acceptance and no patched release version has been confirmed.

Information Disclosure Checkpoint Comfyui Copilot
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-12207 LOW POC Monitor

Patient record exposure in medkey EHR (up to commit fc09b7ba9441ff590b72d428d5380834216b09ed) allows authenticated remote users to retrieve arbitrary patient records by manipulating the `id` parameter of the `actionGetPatientById` REST API endpoint - a textbook Insecure Direct Object Reference (BOLA/IDOR) flaw classified under CWE-99. A publicly available proof-of-concept exploit is hosted on GitHub (onyxglitch/Medkey-EHR-IDOR-PoC), materially lowering the exploitation barrier. The vendor did not respond to coordinated disclosure, leaving no confirmed patch and no official advisory for this rolling-release EHR system.

PHP Information Disclosure Medkey
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-10624 LOW POC Monitor

Insecure Direct Object Reference (IDOR) in SourceCodester Human Resource Management 1.0 allows authenticated remote attackers to read other employees' records by manipulating the `employeeid` parameter in `/detailview.php`. The vulnerability results in unauthorized disclosure of employee data across account boundaries, with no integrity or availability impact. A publicly available proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at time of analysis.

Information Disclosure PHP
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10299 LOW POC Monitor

Insecure Direct Object Reference (IDOR) in code-projects Online Hospital Management System 1.0 allows a high-privileged remote attacker to manipulate the `delid` parameter in `viewdoctortimings.php`, resulting in unauthorized modification or deletion of doctor timing records beyond the attacker's intended access scope. The CVSS 4.0 score of 2.0 reflects the high privilege prerequisite (PR:H), low integrity impact (VI:L), and low availability impact (VA:L) to the vulnerable component. No public exploit identified at time of analysis as active exploitation - however, publicly available exploit code exists, documented in a GitHub proof-of-concept writeup.

Information Disclosure PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-10168 LOW POC Monitor

Resource injection in the OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated remote attackers to manipulate the param1 argument in the marks function of Parents.php, improperly controlling resource identifiers to access unauthorized academic records. The CVSS 4.0 score is 2.1, reflecting low-privilege authentication requirements (PR:L) and limited scope impact; a publicly available proof-of-concept exploit has been disclosed via a GitHub issue. No vendor patch exists - the project uses continuous delivery rolling releases and has not responded to the responsible disclosure report.

Information Disclosure PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-9438 LOW POC Monitor

Resource injection in yashpokharna2555's StudentManagementSystem allows low-privileged remote attackers to manipulate the ID parameter in courseDel.php to control which course records are deleted or affected, resulting in unauthorized data integrity and availability impact. The flaw affects the specific git commit cb2f558ddf8d19396de0f92abf2d224d46a0a203 and exploit code is publicly available via a GitHub issue. No patch has been released, and the project maintainer has not responded to the disclosure.

PHP Information Disclosure Studentmanagementsystem
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-33603 MEDIUM PATCH This Month

Man-in-the-middle attackers positioned between OX Dovecot Pro and clients can forge SCRAM TLS channel binding via specially crafted base64 exchanges, allowing eavesdropping on encrypted communications. The attack requires network-level access and knowledge of channel binding mechanics but yields complete confidentiality compromise. No public exploit code is known, and patched versions are available from Open-Xchange.

Microsoft Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-7303 Maven LOW PATCH Monitor

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.

Information Disclosure Java
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-5414 MEDIUM POC This Month

Improper control of resource identifiers in Newgen OmniDocs up to version 12.0.00 allows unauthenticated remote attackers to access sensitive information via manipulation of the DocumentId parameter in the /omnidocs/WebApiRequestRedirection endpoint. The vulnerability has publicly available exploit code and a low CVSS score (5.5) reflecting confidentiality impact only, but the combination of network-based attack vector, no authentication requirement, and public exploit availability warrants immediate assessment. The vendor has not responded to disclosure attempts.

Information Disclosure Omnidocs
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
EPSS 0% CVSS 2.1
LOW Monitor

Resource identifier manipulation in macrozheng mall up to 1.0.3 allows authenticated remote attackers to access or affect return-application records belonging to other users by substituting arbitrary orderId values in POST requests to /returnApply/create. The flaw is classified as CWE-99 (Improper Control of Resource Identifiers), consistent with an Insecure Direct Object Reference (IDOR) pattern in the Portal Endpoint. A public exploit is available, and the vendor deleted the corresponding GitHub issue without comment, raising concerns about coordinated disclosure and patch status.

Information Disclosure Mall
NVD VulDB GitHub
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Workflow checkpoint endpoints in ComfyUI-Copilot up to 2.0.28 expose an insecure direct object reference (IDOR) flaw - the restore_workflow_checkpoint and update_workflow_ui handlers in conversation_api.py accept externally supplied version identifiers without verifying that the referenced checkpoint belongs to the requesting session, enabling an authenticated remote attacker to read workflow data owned by other sessions. The CVSS 4.0 score of 2.3 reflects limited confidentiality-only impact and high attack complexity (AC:H) due to the need to enumerate valid cross-session identifiers. A proof-of-concept is publicly available at GitHub issue #149; the upstream fix (PR #150) is pending acceptance and no patched release version has been confirmed.

Information Disclosure Checkpoint Comfyui Copilot
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Patient record exposure in medkey EHR (up to commit fc09b7ba9441ff590b72d428d5380834216b09ed) allows authenticated remote users to retrieve arbitrary patient records by manipulating the `id` parameter of the `actionGetPatientById` REST API endpoint - a textbook Insecure Direct Object Reference (BOLA/IDOR) flaw classified under CWE-99. A publicly available proof-of-concept exploit is hosted on GitHub (onyxglitch/Medkey-EHR-IDOR-PoC), materially lowering the exploitation barrier. The vendor did not respond to coordinated disclosure, leaving no confirmed patch and no official advisory for this rolling-release EHR system.

PHP Information Disclosure Medkey
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Insecure Direct Object Reference (IDOR) in SourceCodester Human Resource Management 1.0 allows authenticated remote attackers to read other employees' records by manipulating the `employeeid` parameter in `/detailview.php`. The vulnerability results in unauthorized disclosure of employee data across account boundaries, with no integrity or availability impact. A publicly available proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at time of analysis.

Information Disclosure PHP
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Insecure Direct Object Reference (IDOR) in code-projects Online Hospital Management System 1.0 allows a high-privileged remote attacker to manipulate the `delid` parameter in `viewdoctortimings.php`, resulting in unauthorized modification or deletion of doctor timing records beyond the attacker's intended access scope. The CVSS 4.0 score of 2.0 reflects the high privilege prerequisite (PR:H), low integrity impact (VI:L), and low availability impact (VA:L) to the vulnerable component. No public exploit identified at time of analysis as active exploitation - however, publicly available exploit code exists, documented in a GitHub proof-of-concept writeup.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Resource injection in the OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated remote attackers to manipulate the param1 argument in the marks function of Parents.php, improperly controlling resource identifiers to access unauthorized academic records. The CVSS 4.0 score is 2.1, reflecting low-privilege authentication requirements (PR:L) and limited scope impact; a publicly available proof-of-concept exploit has been disclosed via a GitHub issue. No vendor patch exists - the project uses continuous delivery rolling releases and has not responded to the responsible disclosure report.

Information Disclosure PHP
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Resource injection in yashpokharna2555's StudentManagementSystem allows low-privileged remote attackers to manipulate the ID parameter in courseDel.php to control which course records are deleted or affected, resulting in unauthorized data integrity and availability impact. The flaw affects the specific git commit cb2f558ddf8d19396de0f92abf2d224d46a0a203 and exploit code is publicly available via a GitHub issue. No patch has been released, and the project maintainer has not responded to the disclosure.

PHP Information Disclosure Studentmanagementsystem
NVD VulDB GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Man-in-the-middle attackers positioned between OX Dovecot Pro and clients can forge SCRAM TLS channel binding via specially crafted base64 exchanges, allowing eavesdropping on encrypted communications. The attack requires network-level access and knowledge of channel binding mechanics but yields complete confidentiality compromise. No public exploit code is known, and patched versions are available from Open-Xchange.

Microsoft Information Disclosure Red Hat +1
NVD VulDB
EPSS 0% CVSS 2.9
LOW PATCH Monitor

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.

Information Disclosure Java
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper control of resource identifiers in Newgen OmniDocs up to version 12.0.00 allows unauthenticated remote attackers to access sensitive information via manipulation of the DocumentId parameter in the /omnidocs/WebApiRequestRedirection endpoint. The vulnerability has publicly available exploit code and a low CVSS score (5.5) reflecting confidentiality impact only, but the combination of network-based attack vector, no authentication requirement, and public exploit availability warrants immediate assessment. The vendor has not responded to disclosure attempts.

Information Disclosure Omnidocs
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy