CWE-266
Incorrect Privilege Assignment
Description
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Hierarchy (View 1000)
CVEs mapped to this weakness (593)
page 10 of 30

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-31420 | | High | 0.49 | 7.6 | 0.00 | | Apr 4, 2025 | Incorrect Privilege Assignment vulnerability in Tomdever wpForo Forum wpforo allows Privilege Escalation. This issue affects wpForo Forum: from n/a through <= 2.4.2. |
| CVE-2025-24648 | | High | 0.49 | 7.5 | 0.00 | | Feb 4, 2025 | Incorrect Privilege Assignment vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Privilege Escalation. This issue affects Admin and Site Enhancements (ASE): from n/a through <= 7.6.2.1. |
| CVE-2024-43333 | | High | 0.49 | 7.5 | 0.00 | | Feb 3, 2025 | Incorrect Privilege Assignment vulnerability in NotFound Admin and Site Enhancements (ASE) Pro allows Privilege Escalation. This issue affects Admin and Site Enhancements (ASE) Pro: from n/a through 7.6.2.1. |
| CVE-2020-25720 | | High | 0.49 | 7.5 | 0.00 | | Nov 17, 2024 | A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because… |
| CVE-2024-46511 | | High | 0.49 | 7.5 | 0.00 | | Sep 30, 2024 | LoadZilla LLC LoadLogic v1.4.3 was discovered to contain an insecure permissions vulnerability which allows a remote attacker to execute arbitrary code via the LogicLoadEc2DeployLambda and CredsGenFunction functions. |
| CVE-2023-1874 | | High | 0.49 | 7.5 | 0.03 | | Apr 12, 2023 | The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal… |
| CVE-2025-26523 | — | High | 0.48 | — | 0.00 | | Feb 14, 2025 | This vulnerability exists in the RupeeWeb trading platform due to insufficient authorization controls on certain API endpoints handling addition and deletion operations. Successful exploitation of this vulnerability could allow an authenticated remote attacker to modify information… |
| CVE-2026-49063 | | High | 0.47 | 7.3 | 0.00 | | Jun 15, 2026 | Unauthenticated Privilege Escalation in Listdom <= 5.5.0 versions. |
| CVE-2026-39470 | | High | 0.47 | 7.2 | 0.00 | | Jun 15, 2026 | Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery < 2.1.0 versions. |
| CVE-2026-27407 | | High | 0.47 | 7.2 | 0.00 | | Jun 15, 2026 | Editor Privilege Escalation in AI Engine <= 3.4.9 versions. |
| CVE-2026-53814 | | High | 0.47 | 8.3 | 0.00 | | Jun 11, 2026 | OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause… |
| CVE-2026-10236 | | High | 0.47 | 7.3 | 0.00 | | Jun 1, 2026 | A vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management Endpoint. Such manipulation leads to improper authorization. The attack may be… |
| CVE-2026-9795 | | High | 0.47 | 7.3 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses… |
| CVE-2026-9562 | | High | 0.47 | 7.3 | 0.00 | | May 26, 2026 | A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM up to 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5. The affected element is an unknown function of the component Dashboard. Such manipulation leads to improper access controls. The attack may be launched remotely.… |
| CVE-2026-9517 | | High | 0.47 | 7.3 | 0.00 | | May 26, 2026 | A vulnerability was determined in hemant6488 CodeIgniter-StudentManagementSystem. The affected element is an unknown function of the file /index.php/students/addStudentView of the component Student Management Handler. Executing a manipulation can lead to improper access… |
| CVE-2026-22315 | | High | 0.47 | 7.2 | 0.00 | | May 20, 2026 | Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables the export of user data, including cleartext passwords, via the SQL editor. This issue affects Meona Client Launcher Component: through 19.06.2020… |
| CVE-2026-22069 | | High | 0.47 | 7.3 | 0.00 | | May 19, 2026 | A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface. |
| CVE-2026-7644 | | High | 0.47 | 7.3 | 0.00 | | May 2, 2026 | A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the… |
| CVE-2026-7468 | | High | 0.47 | 7.3 | 0.00 | | Apr 30, 2026 | A security vulnerability has been detected in 1024-lab smart-admin up to 3.30.0. This affects an unknown function of the file /smart-admin-api/druid/index.html of the component Demo Site. The manipulation leads to improper access controls. The attack may be initiated remotely.… |
| CVE-2026-6977 | | High | 0.47 | 7.3 | 0.00 | | Apr 25, 2026 | A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been… |