VYPR

CWE-266

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

Description

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
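The pattern behind most of the entries on this page is a handler that lets the caller choose the privilege it receives (a `role` field taken from a sign-up or profile-update request) instead of the server deciding. The following is an added illustration, not code from VYPR or from any product in the CVE list: a small in-memory user service with the vulnerable handler beside a corrected one. `User`, `UserService`, the role names and the request bodies are all hypothetical.

```python
"""Added illustration of CWE-266: a vulnerable and a fixed account handler.
Not from VYPR or any listed product; every name here is hypothetical."""
from dataclasses import dataclass, replace
from typing import Any

ROLES = ("user", "admin")


@dataclass(frozen=True)
class User:
    username: str
    role: str
    email: str = ""


class Forbidden(Exception):
    """Raised when a caller tries to grant a privilege it may not assign."""


class UserService:
    # Fields a user may change on their own record; "role" is deliberately absent.
    SELF_EDITABLE = frozenset({"email"})

    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    # --- Vulnerable: the privilege is copied from the client ------------------

    def create_vulnerable(self, body: dict[str, Any]) -> User:
        # The role comes from the request body, so a self-registering caller
        # who sends {"role": "admin"} is created as an administrator.
        user = User(username=body["username"],
                    role=body.get("role", "user"),
                    email=body.get("email", ""))
        self.users[user.username] = user
        return user

    def update_vulnerable(self, actor: User, target: str, body: dict[str, Any]) -> User:
        # Mass assignment: every field in the body is written through, role
        # included, and nothing checks who the actor is or whose record it is.
        user = replace(self.users[target], **body)
        self.users[target] = user
        return user

    # --- Fixed: the server decides which privilege is assigned ----------------

    def create_fixed(self, body: dict[str, Any]) -> User:
        # Self-registration always yields the least-privileged role. The
        # client's "role" field is ignored, not validated, so there is no
        # value it could send that changes the outcome.
        user = User(username=body["username"], role="user",
                    email=body.get("email", ""))
        self.users[user.username] = user
        return user

    def update_fixed(self, actor: User, target: str, body: dict[str, Any]) -> User:
        current = self.users[target]
        unknown = set(body) - (self.SELF_EDITABLE | {"role"})
        if unknown:
            raise ValueError(f"unexpected fields: {sorted(unknown)}")
        if actor.role != "admin" and actor.username != target:
            raise Forbidden("non-admins may only edit their own profile")
        if "role" in body:
            # Role assignment is a separate, admin-only privilege, and the
            # value must be one the server knows about.
            if actor.role != "admin":
                raise Forbidden("only an administrator may assign a role")
            if body["role"] not in ROLES:
                raise ValueError(f"unknown role {body['role']!r}")
        user = replace(current, **body)
        self.users[target] = user
        return user


def demo() -> dict[str, str]:
    """Run both handlers against the same constructed requests and report the
    role each one ends up assigning."""
    attacker_signup = {"username": "mallory", "email": "m@example.test", "role": "admin"}
    escalate = {"role": "admin"}
    out: dict[str, str] = {}

    svc = UserService()
    out["vuln_signup"] = svc.create_vulnerable(attacker_signup).role
    bob = svc.create_vulnerable({"username": "bob"})
    out["vuln_update"] = svc.update_vulnerable(bob, "bob", escalate).role

    svc = UserService()
    out["fixed_signup"] = svc.create_fixed(attacker_signup).role
    try:
        svc.update_fixed(svc.users["mallory"], "mallory", escalate)
        out["fixed_update"] = "escalated"
    except Forbidden:
        out["fixed_update"] = "forbidden"
    svc.users["root"] = User("root", "admin")
    out["admin_grant"] = svc.update_fixed(svc.users["root"], "mallory", escalate).role
    return out


if __name__ == "__main__":
    for case, role in demo().items():
        print(f"{case:13s} -> {role}")
```

The two fixes are independent and both matter: on creation the role is assigned by the server and the client field is discarded, and on update the role is treated as a privilege that only an administrator may grant, separate from the fields a user may edit on their own record. Validating the client-supplied role against an allow-list alone would not be enough, since "admin" is a valid role; the check has to be about who is assigning it.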

Hierarchy (View 1000)

CVEs mapped to this weakness (593)

page 14 of 30
  • CVE-2026-2669 · Medium · Feb 18, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A vulnerability was determined in Rongzhitong Visual Integrated Command and Dispatch Platform up to 20260206. This impacts an unknown function of the file /dm/dispatch/user/delete of the component User Handler. This manipulation of the argument ID causes improper access…

  • CVE-2025-14206 · Medium · Dec 8, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A vulnerability was determined in SourceCodester Online Student Clearance System 1.0. The affected element is an unknown function of the file /Admin/delete-fee.php of the component Fee Table Handler. Executing manipulation of the argument ID can lead to improper authorization.…

  • CVE-2025-56503 · Medium · Nov 10, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    An issue in Sublime HQ Pty Ltd Sublime Text 4 4200 allows authenticated attackers with low-level privileges to escalate privileges to Administrator via replacing the uninstall file with a crafted binary in the installation folder. NOTE: this is disputed by the Supplier because…

  • CVE-2025-31513 · Medium · Jul 22, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can elevate to administrator privileges via the IsAdminApprover parameter in a Request%20Building%20Access requestSubmit API call. The vendor has stated that the system is protected by updating to a version…

  • CVE-2025-48695 · Medium · May 23, 2025
    risk 0.42 · CVSS 6.4 · EPSS 0.00

    An issue was discovered in CyberDAVA before 1.1.20. A privilege escalation vulnerability allows a low-privileged user to escalate their privilege by abusing the following API due to the lack of access control: /api/v2/users/user//role/ROLE/ (admin access…

  • CVE-2025-2686 · Medium · Mar 24, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    A vulnerability has been found in mingyuefusu 明月复苏 tushuguanlixitong 图书管理系统 up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694 and classified as critical. Affected by this vulnerability is the function doFilter of the file /admin/ of the component Backend. The…

  • CVE-2025-21092 · Medium · Mar 5, 2025
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    GMOD Apollo does not have sufficient logical or access checks when updating a user's information. This could result in an attacker being able to escalate privileges for themselves or others.

  • CVE-2024-9779 · High · Dec 17, 2024
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole…

  • CVE-2012-4549 · Medium · Jan 5, 2013
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A flaw was found in JBoss Enterprise Application Platform. The `processInvocation` function within the `org.jboss.as.ejb3.security.AuthorizationInterceptor` component incorrectly authorizes all requests when no roles are defined for an Enterprise Java Beans (EJB) method…

  • CVE-2026-11532 · Medium · Jun 8, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A weakness has been identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected is an unknown function of the file /add.php of the component Student Record Handler. Executing a manipulation can lead to improper access controls. The…

  • CVE-2026-11521 · Medium · Jun 8, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A security vulnerability has been detected in Mohammed-eid35 bank-management-system-springboot up to 7b9bcc65ad7df3db29af71aed9bb500e5f24d948. This affects an unknown part of the file src/main/java/com/alien/bank/management/system/controller/TransactionController.java of the…

  • CVE-2026-11519 · Medium · Jun 8, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A security flaw has been discovered in SourceCodester Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /Product_Inventory/api/users_handler.php of the component Account Creation Handler. The manipulation of the argument ROLE results in…

  • CVE-2026-11476 · Medium · Jun 8, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The…

  • CVE-2026-11336 · Medium · Jun 5, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation…

  • CVE-2026-10876 · Medium · Jun 5, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper authorization. Remote exploitation of the attack is possible. The exploit has…

  • CVE-2026-10693 · Medium · Jun 3, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A security vulnerability has been detected in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the component Administrative Endpoint. The manipulation leads to improper authorization. The attack can be initiated…

  • CVE-2026-10217 · Medium · Jun 1, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A flaw has been found in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function handleSave of the file internal/http/tts_config.go of the component RoleAdmin Gateway. This manipulation causes improper privilege management. Remote exploitation of the attack is…

  • CVE-2026-10152 · Medium · May 30, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A vulnerability was detected in TaleLin lin-cms-spring-boot up to 0.2.1. This issue affects some unknown processing of the file src/main/java/io/github/talelin/latticy/controller/v1/BookController.java of the component book Endpoint. The manipulation results in improper access…

  • CVE-2026-9484 · Medium · May 25, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected by this vulnerability is the function getClassroomStudents/removeStudentFromClassroom of the file classroom.php. Executing a manipulation of the argument classroom_id can lead to…

  • CVE-2026-9483 · Medium · May 25, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A vulnerability was found in SourceCodester Student Grades Management System 1.0. Affected is an unknown function of the file grades.php. Performing a manipulation of the argument student_id results in improper authorization. The attack may be initiated remotely. The exploit has…