VYPR

CWE-266

Incorrect Privilege Assignment

Base, Draft

Description

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Hierarchy (View 1000)

CVEs mapped to this weakness (593)

page 10 of 30
  • CVE-2025-31420 | High | Apr 4, 2025
    risk 0.49 | cvss 7.6 | epss 0.00

    Incorrect Privilege Assignment vulnerability in Tomdever wpForo Forum wpforo allows Privilege Escalation. This issue affects wpForo Forum: from n/a through <= 2.4.2.

  • CVE-2025-24648 | High | Feb 4, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    Incorrect Privilege Assignment vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Privilege Escalation. This issue affects Admin and Site Enhancements (ASE): from n/a through <= 7.6.2.1.

  • CVE-2024-43333 | High | Feb 3, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    Incorrect Privilege Assignment vulnerability in NotFound Admin and Site Enhancements (ASE) Pro allows Privilege Escalation. This issue affects Admin and Site Enhancements (ASE) Pro: from n/a through 7.6.2.1.

  • CVE-2020-25720 | High | Nov 17, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because…

  • CVE-2024-46511 | High | Sep 30, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    LoadZilla LLC LoadLogic v1.4.3 was discovered to contain an insecure permissions vulnerability that allows a remote attacker to execute arbitrary code via the LogicLoadEc2DeployLambda and CredsGenFunction functions.

  • CVE-2023-1874 | High | Apr 12, 2023
    risk 0.49 | cvss 7.5 | epss 0.03

    The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal…

  • CVE-2025-26523 | High | Feb 14, 2025
    risk 0.48 | cvss | epss 0.00

    This vulnerability exists in RupeeWeb trading platform due to insufficient authorization controls on certain API endpoints handling addition and deletion operations. Successful exploitation of this vulnerability could allow an authenticated remote attacker to modify information…

  • CVE-2026-49063 | High | Jun 15, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    Unauthenticated Privilege Escalation in Listdom versions <= 5.5.0.

  • CVE-2026-39470 | High | Jun 15, 2026
    risk 0.47 | cvss 7.2 | epss 0.00

    Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery versions < 2.1.0.

  • CVE-2026-27407 | High | Jun 15, 2026
    risk 0.47 | cvss 7.2 | epss 0.00

    Editor Privilege Escalation in AI Engine versions <= 3.4.9.

  • CVE-2026-53814 | High | Jun 11, 2026
    risk 0.47 | cvss 8.3 | epss 0.00

    OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause…

  • CVE-2026-10236 | High | Jun 1, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management Endpoint. Such manipulation leads to improper authorization. The attack may be…

  • CVE-2026-9795 | High | May 28, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses…

  • CVE-2026-9562 | High | May 26, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM up to 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5. The affected element is an unknown function of the component Dashboard. Such manipulation leads to improper access controls. The attack may be launched remotely.…

  • CVE-2026-9517 | High | May 26, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability was determined in hemant6488 CodeIgniter-StudentManagementSystem. The affected element is an unknown function of the file /index.php/students/addStudentView of the component Student Management Handler. Executing a manipulation can lead to improper access…

  • CVE-2026-22315 | High | May 20, 2026
    risk 0.47 | cvss 7.2 | epss 0.00

    Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables the export of user data, including cleartext passwords, via the SQL editor. This issue affects Meona Client Launcher Component: through 19.06.2020…

  • CVE-2026-22069 | High | May 19, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface.

  • CVE-2026-7644 | High | May 2, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the…

  • CVE-2026-7468 | High | Apr 30, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A security vulnerability has been detected in 1024-lab smart-admin up to 3.30.0. This affects an unknown function of the file /smart-admin-api/druid/index.html of the component Demo Site. The manipulation leads to improper access controls. The attack may be initiated remotely.…

  • CVE-2026-6977 | High | Apr 25, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been…