Tag: bola
All the articles with the tag "bola".
- Broken Object Level Authorization: Accessing Private Wishlists
A BOLA vulnerability in OopsSec Store's wishlist API lets any logged-in user read anyone else's private wishlist, including an admin one that contains the flag.