Skip to main content

Ontime

2 CVEs product

Monthly

CVE-2026-5799 HIGH This Week

Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote attackers read data belonging to other users or tenants by substituting trusted identifiers in requests, without authentication per the published CVSS vector (PR:N). The flaw exposes confidential data only (C:H/I:N/A:N) and was reported by Turkey's TR-CERT under advisory TR-26-0503. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided.

Authentication Bypass Ontime
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-5730 HIGH This Week

Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote unauthenticated attackers read confidential records belonging to other users by tampering with user-controlled resource identifiers. Because the application trusts client-supplied keys without verifying ownership, an attacker can enumerate or substitute IDs to exfiltrate data they should not access. There is no public exploit identified at time of analysis, but the flaw is trivial to exercise (AV:N/AC:L/PR:N) and was flagged by Turkey's national CERT (TR-CERT).

Authentication Bypass Ontime
NVD
CVSS 3.1
7.5
EPSS
0.2%
EPSS 0% CVSS 7.5
HIGH This Week

Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote attackers read data belonging to other users or tenants by substituting trusted identifiers in requests, without authentication per the published CVSS vector (PR:N). The flaw exposes confidential data only (C:H/I:N/A:N) and was reported by Turkey's TR-CERT under advisory TR-26-0503. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided.

Authentication Bypass Ontime
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote unauthenticated attackers read confidential records belonging to other users by tampering with user-controlled resource identifiers. Because the application trusts client-supplied keys without verifying ownership, an attacker can enumerate or substitute IDs to exfiltrate data they should not access. There is no public exploit identified at time of analysis, but the flaw is trivial to exercise (AV:N/AC:L/PR:N) and was flagged by Turkey's national CERT (TR-CERT).

Authentication Bypass Ontime
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy