VYPR

CWE-266

Incorrect Privilege Assignment

Abstraction: Base | Status: Draft

Description

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
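The pattern behind most of the entries below is a code path that lets an actor choose, or implicitly inherit, a privilege the design never meant to give it. The following is an added illustration written for this page, not code from CWE or from any product listed here: a self-registration handler that copies a client-supplied `role` into the new account (the weakness), next to a hardened version that allow-lists the input fields, assigns the least-privileged role unconditionally, and moves role changes behind a check on the caller's exact privilege. The role names, privilege strings and request bodies are assumptions made for the example.

```python
"""CWE-266 illustration: client-chosen role (vulnerable) vs. fixed default role
plus an explicit, exact-privilege grant path (hardened). Hypothetical code."""

from dataclasses import dataclass, field

# Assumed role model for the example; not taken from any real product.
ROLE_PRIVILEGES = {
    "user": {"read:own"},
    "admin": {"read:own", "read:all", "manage-users", "manage-roles"},
}


@dataclass
class User:
    username: str
    role: str
    privileges: set = field(default_factory=set)


def _privileges_for(role: str) -> set:
    return set(ROLE_PRIVILEGES.get(role, set()))


# Vulnerable: every field of the request body is trusted, including "role",
# so a remote caller can assign itself an admin-class privilege set.
def register_unsafe(payload: dict) -> User:
    role = payload.get("role", "user")  # attacker-controlled
    return User(payload["username"], role, _privileges_for(role))


# Hardened: allow-list the fields a self-registering client may set and
# assign the least-privileged role regardless of what was submitted.
ALLOWED_REGISTRATION_FIELDS = {"username"}


def register_safe(payload: dict) -> User:
    unexpected = set(payload) - ALLOWED_REGISTRATION_FIELDS
    if unexpected:
        # Rejecting rather than silently dropping makes probing visible in logs.
        raise ValueError(f"unexpected registration fields: {sorted(unexpected)}")
    return User(payload["username"], "user", _privileges_for("user"))


# Role changes go through a separate path that requires the caller's *exact*
# privilege. Holding a neighbouring privilege such as "manage-users" is not
# treated as equivalent to "manage-roles".
def grant_role(actor: User, target: User, role: str) -> User:
    if role not in ROLE_PRIVILEGES:
        raise ValueError(f"unknown role {role!r}")
    if "manage-roles" not in actor.privileges:
        raise PermissionError(f"{actor.username} may not assign roles")
    target.role = role
    target.privileges = _privileges_for(role)
    return target


if __name__ == "__main__":
    # Constructed request body an attacker might submit to the signup endpoint.
    attacker_body = {"username": "mallory", "role": "admin"}
    print("unsafe handler assigned role:", register_unsafe(attacker_body).role)
    try:
        register_safe(attacker_body)
    except ValueError as err:
        print("safe handler rejected request:", err)
```

The check to carry over to real code is the one in `grant_role`: decide who may hand out a privilege by testing for that specific privilege on the caller, never by treating an adjacent or broader permission as implying it.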

Hierarchy (View 1000)

CVEs mapped to this weakness (593)

page 20 of 30
  • CVE-2025-5417 | Medium | Aug 19, 2025
    risk 0.40 | CVSS 6.1 | EPSS 0.00

    An insufficient access control vulnerability was found in the Red Hat Developer Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer Hub cluster admin/user, who has standard user access to the cluster, and the Red Hat Developer Hub namespace, can access the…

  • CVE-2025-29036 | Medium | Apr 1, 2025
    risk 0.38 | CVSS 5.9 | EPSS 0.00

    An issue in hackathon-starter v.8.1.0 allows a remote attacker to escalate privileges via the user.js component.

  • CVE-2026-43535 | Medium | May 5, 2026
    risk 0.37 | CVSS 6.8 | EPSS 0.00

    OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain…

  • CVE-2026-7292 | Medium | Apr 28, 2026
    risk 0.36 | CVSS 5.6 | EPSS 0.00

    A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather…

  • CVE-2026-6572 | Medium | Apr 19, 2026
    risk 0.36 | CVSS 5.6 | EPSS 0.00

    A security vulnerability has been detected in Collabora KodExplorer up to 4.52. Affected by this issue is some unknown functionality of the file /app/controller/share.class.php of the component fileUpload Endpoint. The manipulation of the argument fileUpload leads to improper…

  • CVE-2025-58841 | Medium | Sep 5, 2025
    risk 0.36 | CVSS 5.5 | EPSS 0.00

    Incorrect Privilege Assignment vulnerability in John Luetke Media Author media-author allows Privilege Escalation. This issue affects Media Author: from n/a through <= 1.0.4.

  • CVE-2025-2557 | Medium | Mar 20, 2025
    risk 0.36 | CVSS 5.5 | EPSS 0.00

    A vulnerability, which was classified as critical, has been found in Audi UTR Dashcam 2.0. Affected by this issue is some unknown functionality of the component Command API. The manipulation leads to improper access controls. The attack needs to be done within the local network.…

  • CVE-2026-11533 | Medium | Jun 8, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    A security vulnerability has been detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this vulnerability is an unknown functionality of the file /see.php of the component Student Deletion Endpoint. The manipulation of the…

  • CVE-2026-10285 | Medium | Jun 1, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper…

  • CVE-2026-10284 | Medium | Jun 1, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a…

  • CVE-2026-10218 | Medium | Jun 1, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    A vulnerability has been found in nextlevelbuilder GoClaw up to 3.11.3. This affects the function auth of the file internal/http/evolution_handlers.go. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the…

  • CVE-2026-43568 | Medium | May 5, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming…

  • CVE-2026-42433 | Medium | May 5, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration…

  • CVE-2026-7631 | Medium | May 2, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler. The manipulation of the argument Username results in improper authorization. The attack can be executed remotely.…

  • CVE-2026-6201 | Medium | Apr 13, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be…

  • CVE-2026-3121 | Medium | Mar 26, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other…

  • CVE-2026-3761 | Medium | Mar 8, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    A flaw has been found in SourceCodester Client Database Management System 1.0. This issue affects some unknown processing of the file /superadmin_user_delete.php of the component Endpoint. Executing a manipulation of the argument user_id can lead to improper authorization. The…

  • CVE-2026-3268 | Medium | Feb 26, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    A vulnerability was detected in psi-probe PSI Probe up to 5.3.0. The affected element is an unknown function of the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/RemoveSessAttributeController.java of the component Session Attribute Handler. Performing a…

  • CVE-2026-2849 | Medium | Feb 20, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function deleteCache/removeAllCache/syncCache of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\CacheController.java of the…

  • CVE-2026-2109 | Medium | Feb 7, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The…