VYPR

CWE-266

Incorrect Privilege Assignment

Abstraction: Base | Status: Draft

Description

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
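Added example (Python, not code from the CWE entry or from any product listed on this page): a profile-update handler that exhibits CWE-266 by letting the caller choose its own role, next to a hardened version in which privilege-bearing fields are never taken from the request and role changes and password resets go through a separate check. It goes slightly beyond the one-sentence description above by encoding the "sphere of control" as a rank ordering, so one downward-only rule covers self-promotion, promotion of peers, and an actor of narrower scope acting on one of wider scope (the pattern in the Ansible Tower entry on this page). The user table, role names and request bodies are constructed for illustration.

```python
# Added example for CWE-266, not code from the CWE entry or from any product
# listed on this page. User table, roles and request bodies are constructed.
from dataclasses import dataclass
import copy

# Sphere of control as a rank: actors may only act strictly downward.
RANK = {"subscriber": 0, "editor": 1, "administrator": 2}


class Forbidden(Exception):
    """A request tried to widen some actor's sphere of control."""


@dataclass
class User:
    name: str
    role: str
    email: str = ""
    password: str = ""


# Constructed in-memory user table; fresh_users() hands out a private copy.
USERS = {
    "alice": User("alice", "administrator", "alice@example.com", "a-secret"),
    "mallory": User("mallory", "subscriber", "mallory@example.com", "m-secret"),
}


def fresh_users():
    return copy.deepcopy(USERS)


def update_profile_vulnerable(users, actor, body):
    """CWE-266 as in many plugin entries on this page: every field in the
    request body is written onto the caller's record, so a subscriber who
    sends {"role": "administrator"} assigns itself that privilege."""
    user = users[actor]
    for key, value in body.items():
        setattr(user, key, value)
    return user


# Fields a user may change about itself. Anything carrying privilege
# (role, capabilities, organisation membership) is deliberately absent.
SELF_EDITABLE = frozenset({"email", "password"})


def update_profile(users, actor, body):
    """Hardened: only allowlisted keys are writable. Privileged keys are
    rejected, not silently dropped, so a probe for promotion is loggable."""
    rejected = set(body) - SELF_EDITABLE
    if rejected:
        raise Forbidden(f"not self-editable: {sorted(rejected)}")
    user = users[actor]
    for key, value in body.items():
        setattr(user, key, value)
    return user


def set_role(users, actor, target, new_role):
    """Explicit privilege assignment: the actor must outrank the target
    (no self-promotion, no editing peers) and may not grant above itself."""
    if new_role not in RANK:
        raise ValueError(f"unknown role {new_role!r}")
    actor_rank = RANK[users[actor].role]
    if actor == target or actor_rank <= RANK[users[target].role]:
        raise Forbidden(f"{actor} does not outrank {target}")
    if RANK[new_role] > actor_rank:
        raise Forbidden(f"{actor} may not grant {new_role}")
    users[target].role = new_role
    return users[target]


def reset_password(users, actor, target, new_password):
    """Administrative reset of another account, downward only; a user's own
    password goes through update_profile instead."""
    if actor == target or RANK[users[actor].role] <= RANK[users[target].role]:
        raise Forbidden(f"{actor} may not reset the password of {target}")
    users[target].password = new_password
    return users[target]


def demo():
    """Returns mallory's role after the vulnerable and the hardened update."""
    attack = {"email": "mallory@attacker.example", "role": "administrator"}
    vulnerable = fresh_users()
    update_profile_vulnerable(vulnerable, "mallory", attack)
    hardened = fresh_users()
    try:
        update_profile(hardened, "mallory", attack)
    except Forbidden:
        pass
    return vulnerable["mallory"].role, hardened["mallory"].role  # ('administrator', 'subscriber')
```

The same allowlist discipline applies to any indirect path that ends up setting a role, such as post meta or settings that a registration flow later reads (the Frontend Registration entry on this page is an instance): the question to ask of every write is not "is this user authenticated" but "does this write let the caller decide a privilege it does not already hold".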

Hierarchy (View 1000)

CVEs mapped to this weakness (593)

page 12 of 30
  • CVE-2025-68027 | High | Jan 22, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    Incorrect Privilege Assignment vulnerability in Themefic Hydra Booking hydra-booking allows Privilege Escalation. This issue affects Hydra Booking: from n/a through <= 1.1.32.

  • CVE-2025-55707 | High | Dec 18, 2025
    risk 0.47 | cvss 7.2 | epss 0.00

    Incorrect Privilege Assignment vulnerability in WPXPO PostX ultimate-post allows Privilege Escalation. This issue affects PostX: from n/a through <= 4.1.35.

  • CVE-2025-49379 | High | Dec 18, 2025
    risk 0.47 | cvss 7.2 | epss 0.00

    Incorrect Privilege Assignment vulnerability in silverplugins217 Custom Fields Account Registration For Woocommerce custom-fields-account-registration-for-woocommerce allows Privilege Escalation. This issue affects Custom Fields Account Registration For Woocommerce: from n/a…

  • CVE-2025-13808 | High | Dec 1, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    A flaw has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this vulnerability is the function update of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/UserController.java of the component User Profile…

  • CVE-2025-13806 | High | Dec 1, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Transaction…

  • CVE-2025-49924 | High | Oct 22, 2025
    risk 0.47 | cvss 7.2 | epss 0.00

    Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation. This issue affects Wholesale Suite: from n/a through <= 2.2.4.2.

  • CVE-2025-11030 | High | Sep 26, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability was detected in Tutorials-Website Employee Management System up to 611887d8f8375271ce8abc704507d46340837a60. Impacted is an unknown function of the file /admin/all-applied-leave.php of the component HTTP Request Handler. The manipulation results in improper…

  • CVE-2025-10374 | High | Sep 13, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    A security flaw has been discovered in Shenzhen Sixun Business Management System 7/11. This affects an unknown part of the file /Adm/OperatorStop. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been…

  • CVE-2025-54697 | High | Aug 14, 2025
    risk 0.47 | cvss 7.2 | epss 0.00

    Incorrect Privilege Assignment vulnerability in StellarWP Kadence WooCommerce Email Designer kadence-woocommerce-email-designer allows Privilege Escalation. This issue affects Kadence WooCommerce Email Designer: from n/a through <= 1.5.16.

  • CVE-2025-53744 | High | Aug 12, 2025
    risk 0.47 | cvss 7.2 | epss 0.01

    An incorrect privilege assignment vulnerability [CWE-266] in FortiOS Security Fabric version 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2 all versions, 7.0 all versions, 6.4 all versions, may allow a remote authenticated attacker with high privileges to escalate their…

  • CVE-2025-8261 | High | Jul 28, 2025
    risk 0.47 | cvss 7.3 | epss 0.01

    A weakness has been identified in Vaelsys VaelsysV4 4.1.0. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component User Creation Handler. Executing a manipulation can lead to improper authorization. The attack may be performed from remote. The…

  • CVE-2025-7576 | High | Jul 14, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16 and classified as critical. Affected by this issue is some unknown functionality of the file /priv/production/production.html of the component Production Tools. The manipulation leads to…

  • CVE-2025-5522 | High | Jun 3, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability was found in jack0240 魏 bskms 蓝天幼儿园管理系统 up to dffe6640b5b54d8e29da6f060e0493fea74b3fad. It has been rated as critical. Affected by this issue is some unknown functionality of the file /sa/addUser of the component User Creation Handler. The…

  • CVE-2025-39459 | High | May 19, 2025
    risk 0.47 | cvss 7.3 | epss 0.00

    Incorrect Privilege Assignment vulnerability in contempoinc Real Estate 7 realestate-7 allows Privilege Escalation. This issue affects Real Estate 7: from n/a through <= 3.5.2.

  • CVE-2025-31560 | High | Apr 1, 2025
    risk 0.47 | cvss 7.2 | epss 0.00

    Incorrect Privilege Assignment vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Privilege Escalation. This issue affects Salon booking system: from n/a through < 10.15.

  • CVE-2025-1815 | High | Mar 2, 2025
    risk 0.47 | cvss 7.3 | epss 0.01

    A vulnerability, which was classified as critical, was found in pbrong hrms up to 1.0.1. This affects the function HrmsDB of the file \resource\resource.go. The manipulation of the argument user_cookie leads to improper authorization. It is possible to initiate the attack…

  • CVE-2024-12782 | High | Dec 19, 2024
    risk 0.47 | cvss 7.3 | epss 0.01

    A vulnerability has been found in Fujifilm Business Innovation Apeos C3070, Apeos C5570 and Apeos C6580 up to 24.8.28 and classified as critical. This vulnerability affects unknown code of the file /home/index.html#hashHome of the component Web Interface. The manipulation leads…

  • CVE-2024-4870 | High | Jun 4, 2024
    risk 0.47 | cvss 7.2 | epss 0.00

    The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the '_cf7frr_' post meta. This makes it possible for authenticated attackers, with editor-level access…

  • CVE-2018-1101 | High | May 2, 2018
    risk 0.47 | cvss 7.2 | epss 0.02

    Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing…

  • CVE-2026-35645 | High | Apr 9, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to…