CWE-266
Incorrect Privilege Assignment
Abstraction: Base | Status: Draft
Description
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Hierarchy (View 1000)
CVEs mapped to this weakness (452)
Page 1 of 23

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-28000 | Critical | 0.74 | 9.8 | 0.92 | | Aug 21, 2024 | Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache (litespeed-cache). This issue affects LiteSpeed Cache: from n/a through <= 6.3.0.1. |
| CVE-2025-34112 | Critical | 0.73 | — | 0.69 | | Jul 15, 2025 | An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/common/1.0/login' endpoint can be exploited to create a new user account in the appliance database. This user can then trigger a command injection vulnerability in the '/index.php?page=licenses' endpoint to execute arbitrary commands. The attacker may escalate privileges to root by exploiting an insecure sudoers configuration that allows the 'mazu' user to execute arbitrary commands as root via SSH key extraction and command chaining. Successful exploitation allows full remote root access to the virtual appliance. |
| CVE-2025-27007 | Critical | 0.73 | 9.8 | 0.81 | | May 1, 2025 | Incorrect Privilege Assignment vulnerability in Brainstorm Force OttoKit (suretriggers) allows Privilege Escalation. This issue affects OttoKit: from n/a through <= 1.0.82. |
| CVE-2024-24882 | Critical | 0.68 | 9.8 | 0.48 | | May 17, 2024 | Incorrect Privilege Assignment vulnerability in masteriyo Masteriyo - LMS (learning-management-system). This issue affects Masteriyo - LMS: from n/a through <= 1.7.2. |
| CVE-2024-54363 | Critical | 0.67 | 9.8 | 0.38 | | Dec 16, 2024 | Incorrect Privilege Assignment vulnerability in saiful.total Wp NssUser Register (wp-nssuser-register) allows Privilege Escalation. This issue affects Wp NssUser Register: from n/a through <= 1.0.0. |
| CVE-2025-47539 | Critical | 0.66 | 9.8 | 0.28 | | May 23, 2025 | Incorrect Privilege Assignment vulnerability in Arraytics Eventin (wp-event-solution) allows Privilege Escalation. This issue affects Eventin: from n/a through <= 4.0.26. |
| CVE-2026-23800 | Critical | 0.65 | 10.0 | 0.00 | | Jan 16, 2026 | Incorrect Privilege Assignment vulnerability in Modular DS (modular-connector) allows Privilege Escalation. This issue affects Modular DS: from 2.5.2 before 2.6.0. |
| CVE-2024-9479 | Critical | 0.65 | — | 0.00 | | Nov 20, 2024 | Improper Privilege Management vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Privilege Escalation. This issue affects upKeeper Instant Privilege Access: before 1.2. |
| CVE-2024-9478 | Critical | 0.65 | — | 0.00 | | Nov 20, 2024 | Improper Privilege Management vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Privilege Escalation. This issue affects upKeeper Instant Privilege Access: before 1.2. |
| CVE-2024-50485 | Critical | 0.65 | 9.8 | 0.22 | | Oct 29, 2024 | Incorrect Privilege Assignment vulnerability in Udit Rawat Exam Matrix (exam-matrix) allows Privilege Escalation. This issue affects Exam Matrix: from n/a through <= 1.5. |
| CVE-2026-42368 | Critical | 0.64 | 9.9 | 0.00 | | May 4, 2026 | A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execution of a privileged operation. An attacker can visit a webpage to trigger this vulnerability. |
| CVE-2026-22337 | Critical | 0.64 | 9.8 | 0.00 | | Apr 27, 2026 | Incorrect Privilege Assignment vulnerability in Directorist Directorist Social Login allows Privilege Escalation. This issue affects Directorist Social Login: from n/a before 2.1.4. |
| CVE-2026-33519 | Critical | 0.64 | 9.8 | 0.00 | | Apr 21, 2026 | An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials. |
| CVE-2026-33518 | Critical | 0.64 | 9.8 | 0.00 | | Apr 21, 2026 | An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 on Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected. |
| CVE-2026-32922 | Critical | 0.64 | 9.9 | 0.00 | | Mar 29, 2026 | OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to constrain newly minted scopes to the caller's current scope set. Attackers can obtain operator.admin tokens for paired devices and achieve remote code execution on connected nodes via system.run or gain unauthorized gateway-admin access. |
| CVE-2026-32520 | Critical | 0.64 | 9.8 | 0.00 | | Mar 25, 2026 | Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP (rewardswp) allows Privilege Escalation. This issue affects RewardsWP: from n/a through <= 1.0.4. |
| CVE-2026-27051 | Critical | 0.64 | 9.8 | 0.00 | | Mar 25, 2026 | Incorrect Privilege Assignment vulnerability in uxper Golo (golo) allows Privilege Escalation. This issue affects Golo: from n/a through <= 1.7.0. |
| CVE-2026-24971 | Critical | 0.64 | 9.8 | 0.00 | | Mar 25, 2026 | Incorrect Privilege Assignment vulnerability in Elated-Themes Search & Go (searchgo) allows Privilege Escalation. This issue affects Search & Go: from n/a through <= 2.8. |
| CVE-2026-24968 | Critical | 0.64 | 9.8 | 0.00 | | Mar 25, 2026 | Incorrect Privilege Assignment vulnerability in Xagio SEO Xagio SEO (xagio-seo) allows Privilege Escalation. This issue affects Xagio SEO: from n/a through <= 7.1.0.30. |
| CVE-2026-27542 | Critical | 0.64 | 9.8 | 0.00 | | Mar 19, 2026 | Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture (woocommerce-wholesale-lead-capture) allows Privilege Escalation. This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1. |
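The following is an added example and is not code from the CWE entry or from any product listed above. It shows, in Python, the two shapes of CWE-266 that recur in the entries: a self-registration handler that lets the client pick its own role (the pattern behind the many plugin entries that "allow Privilege Escalation"), and a token-rotation endpoint that mints whatever scopes the caller names instead of bounding them by the caller's current scope set (the pattern described for CVE-2026-32922). A third function shows the rank check a privileged actor needs when it assigns roles to others. Role names, scope names and request fields are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed role set for illustration. Self-service registration may only ever
# hand out the lowest role; anything else must come from an already-privileged actor.
SELF_REGISTRATION_ROLES = frozenset({"subscriber"})
ROLE_RANK = {"subscriber": 0, "editor": 1, "administrator": 2}


@dataclass(frozen=True)
class User:
    name: str
    role: str


def register_vulnerable(request: dict) -> User:
    """CWE-266: the role is copied from the client-controlled request body, so
    anyone who adds role=administrator to the POST gets an administrator account."""
    return User(request["username"], request.get("role", "subscriber"))


def register_fixed(request: dict) -> User:
    """The privilege an unauthenticated registrant receives is bounded server-side.
    A request for a role outside the allow-list is rejected rather than silently
    downgraded, so the attempt shows up in logs instead of disappearing."""
    requested = request.get("role", "subscriber")
    if requested not in SELF_REGISTRATION_ROLES:
        raise PermissionError(f"self-registration may not assign role {requested!r}")
    return User(request["username"], requested)


def assign_role(actor: User, target: User, new_role: str) -> User:
    """Privileged actors may assign roles, but only strictly below their own rank:
    an editor cannot create an administrator, and nobody can mint a peer of
    themselves through this path. Unknown roles are rejected, not defaulted."""
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    if ROLE_RANK[new_role] >= ROLE_RANK[actor.role]:
        raise PermissionError(f"{actor.role} may not assign role {new_role!r}")
    return User(target.name, new_role)


@dataclass(frozen=True)
class Token:
    subject: str
    scopes: frozenset[str]


def rotate_vulnerable(caller: Token, requested_scopes: set[str]) -> Token:
    """CWE-266: the new token carries whatever scopes the caller names, so a
    holder of a narrow scope can rotate itself into a broad one."""
    return Token(caller.subject, frozenset(requested_scopes))


def rotate_fixed(caller: Token, requested_scopes: set[str]) -> Token:
    """Newly minted scopes must be a subset of the caller's current scope set:
    rotation may narrow or preserve privilege, never widen it."""
    requested = frozenset(requested_scopes)
    excess = requested - caller.scopes
    if excess:
        raise PermissionError(f"caller does not hold scopes {sorted(excess)}")
    return Token(caller.subject, requested)


def demo() -> dict[str, str]:
    """Run each handler against a hostile request and report what it granted."""
    hostile_signup = {"username": "eve", "role": "administrator"}      # constructed input
    pairing = Token("device-7", frozenset({"operator.pairing"}))       # constructed caller
    hostile_rotate = {"operator.pairing", "operator.admin"}            # asks for more than held
    out: dict[str, str] = {}
    out["register_vulnerable"] = register_vulnerable(hostile_signup).role
    try:
        out["register_fixed"] = register_fixed(hostile_signup).role
    except PermissionError:
        out["register_fixed"] = "rejected"
    out["rotate_vulnerable"] = ",".join(sorted(rotate_vulnerable(pairing, hostile_rotate).scopes))
    try:
        out["rotate_fixed"] = ",".join(sorted(rotate_fixed(pairing, hostile_rotate).scopes))
    except PermissionError:
        out["rotate_fixed"] = "rejected"
    return out


if __name__ == "__main__":
    for handler, granted in demo().items():
        print(f"{handler:20s} -> {granted}")
```

The common thread in the fixed versions is that the privilege an actor ends up with is derived from what the server already knows about the actor, never from a value the actor supplied, and that an out-of-bounds request fails loudly rather than being clamped. Clamping is tempting but hides the probe from whoever reads the logs.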