A01 - Broken Access Control 38

• Local File Inclusion via Template Router | CostThis Jun 9, 2026
• IDOR in Password Reset API Leads to Administrator Account Takeover | TheForms Jun 8, 2026
• Password Change IDOR Leads to Administrator Account Takeover | Noted Jun 7, 2026
• Multi-Step Access Control Bypass Leads to Administrative Compromise | Tamper Temple Jun 6, 2026
• Local File Inclusion via Language Cookie Leads to Arbitrary File Read | Flagged Jun 4, 2026
• GraphQL Role Parameter Abuse Leads to Restricted Medical Note Disclosure | Clearance Jun 3, 2026
• Authentication Bypass – Direct Dashboard Access | Pivot HR Jun 3, 2026
• IDOR – Unauthorized Grant Approval via Workflow Manipulation | Briarcliff Foundation Jun 1, 2026
• Privilege Escalation – Unsigned Session Token Tampering | Spindrift Workspace May 29, 2026
• Privilege Escalation – Client-Side Role Cookie Tampering | Session Swap May 29, 2026
• Privilege Escalation – JWT None Algorithm Abuse | Stargate Atlas May 29, 2026
• Mass Assignment – Role Escalation | Salt Brook Pilates May 27, 2026
• IDOR – Account Export Data Disclosure | Remittance May 26, 2026
• SSRF – Internal Service Discovery Through Monitor Preview Feature | Statuscraft May 23, 2026
• X-Forwarded-For Spoofing – Internal Staff Portal Access Control Bypass | Brackish Brewing Co. May 22, 2026
• SSRF Blocklist Bypass – Internal File Disclosure via Localhost Filtering Evasion | CutCorner May 22, 2026
• Missing Access Control – Unrestricted Staff Portal Exposure | Coltsfoot Community Center May 21, 2026
• Information Disclosure – Sensitive Debug Header Leakage via Response Metadata | Header Hunt May 19, 2026
• Workflow Access Control Bypass – Admin Privilege Escalation | Lazy Human Resources May 18, 2026
• IDOR via WebSocket Subscription – Cross-Order Data Exposure | JoyStick May 16, 2026
• GraphQL BOLA via Introspection & Insecure Resolver Access | Slate Quarry May 15, 2026
• Mass Assignment Leading to Admin Account Creation | Trellis May 14, 2026
• IDOR via Sequential Order IDs | Cheesy Does It May 11, 2026
• IDOR in Order Access – Unauthorized Order Data Exposure | Hartwood May 11, 2026
• GraphQL Introspection and Sensitive Data Exposure | Ottergram May 9, 2026
• UUID-Based IDOR Through Member API | Apex May 9, 2026
• XML External Entity (XXE) via Deck Import Feature | Tanuki May 6, 2026
• Path Traversal – Arbitrary File Read via Image Endpoint | Ottergram May 2, 2026
• IDOR – Unauthorized Access to Borrower Records | Overdue May 1, 2026
• Broken Access Control – Admin Access Token Brute Force Leads to Unauthorized Admin Access | Gift List Apr 30, 2026
• Broken Access Control – Role Manipulation via User Registration | Tanuki Apr 28, 2026
• IDOR – Unauthorized Access to Shared Notes via Base64 ID Manipulation | BugForge Apr 24, 2026
• Broken Access Control – Unauthorized Stats Modification via HTTP Method Manipulation | BugForge Apr 23, 2026
• IDOR – Password Disclosure via Insecure Direct Object Reference | User ID Controlled by Request Parameter Mar 29, 2026
• IDOR – Unauthorized Access via Predictable Identifier Manipulation | User ID Controlled by Request Parameter Mar 29, 2026
• Broken Access Control – Privilege Escalation via Client-Controlled Cookie | Privilege Escalation via Client-Controlled Cookie Mar 28, 2026
• Broken Access Control – Unprotected Admin Panel via Unpredictable URL Leading to Privilege Escalation | Unprotected Admin Panel Mar 28, 2026
• Broken Access Control – Unprotected Admin Functionality Leading to Privilege Escalation | Unprotected Admin Functionality Mar 28, 2026