VYPR

CWE-266

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

Description

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Hierarchy (View 1000)

CVEs mapped to this weakness (593)

page 21 of 30
  • CVE-2026-1112 · Med · Jan 18, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation…

  • CVE-2026-1106 · Med · Jan 18, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in…

  • CVE-2025-14889 · Med · Dec 18, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security flaw has been discovered in Campcodes Advanced Voting Management System 1.0. The impacted element is an unknown function of the file /admin/voters_edit.php of the component Password Handler. Performing a manipulation of the argument ID results in improper…

  • CVE-2025-14748 · Med · Dec 16, 2025
    risk 0.35 · cvss 5.4 · epss 0.01

    A vulnerability was determined in Ningyuanda TC155 57.0.2.0. This affects an unknown function of the file /onvif/device_service of the component ONVIF Device Management Service. Executing manipulation of the argument FactoryDefault with the input Hard can lead to improper access…

  • CVE-2025-14016 · Med · Dec 4, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can be executed remotely. The exploit has…

  • CVE-2025-0504 · Med · Nov 21, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    Black Duck SCA versions prior to 2025.10.0 had user role permissions configured in an overly broad manner. Users with the scoped Project Manager user role with the Global User Read access permission enabled access to certain Project Administrator functionalities which should…

  • CVE-2025-13443 · Med · Nov 20, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability was detected in macrozheng mall up to 1.0.3. Affected by this issue is the function delete of the file /member/readHistory/delete. Performing manipulation of the argument ids results in improper access controls. Remote exploitation of the attack is possible. The…

  • CVE-2025-13117 · Med · Nov 13, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security vulnerability has been detected in macrozheng mall-swarm and mall up to 1.0.3. Affected by this vulnerability is the function cancelOrder of the file /order/cancelOrder. The manipulation of the argument orderId leads to improper authorization. The attack can be…

  • CVE-2025-13116 · Med · Nov 13, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A weakness has been identified in macrozheng mall-swarm and mall up to 1.0.3. Affected is the function cancelUserOrder of the file /order/cancelUserOrder. Executing manipulation of the argument orderId can lead to improper authorization. It is possible to launch the attack…

  • CVE-2025-10038 · Med · Oct 15, 2025
    risk 0.35 · cvss 6.5 · epss 0.00

    The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to bmp_user role granting all users with the manage_bmp capability by default upon registration through the plugin's form. This makes it…

  • CVE-2025-11272 · Med · Oct 4, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability has been found in SeriaWei ZKEACMS up to 4.3. This affects the function Delete of the file src/ZKEACMS.Redirection/Controllers/UrlRedirectionController.cs of the component POST Request Handler. The manipulation leads to improper authorization. Remote exploitation…

  • CVE-2025-10390 · Med · Sep 14, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The…

  • CVE-2025-10389 · Med · Sep 14, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security flaw has been discovered in CRMEB up to 5.6.1. Impacted is the function Save of the file app/services/system/admin/SystemAdminServices.php of the component Administrator Password Handler. Performing manipulation of the argument ID results in improper authorization.…

  • CVE-2025-10384 · Med · Sep 13, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper…

  • CVE-2025-10209 · Med · Sep 10, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security flaw has been discovered in Papermerge DMS up to 3.5.3. This issue affects some unknown processing of the component Authorization Token Handler. Performing manipulation results in improper authorization. The attack can be initiated remotely. The exploit has been…

  • CVE-2025-9937 · Med · Sep 4, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A security flaw has been discovered in elunez eladmin 1.1. Impacted is the function deleteFile of the component LocalStorageController. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and…

  • CVE-2025-8840 · Med · Aug 11, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The…

  • CVE-2025-7947 · Med · Jul 22, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability classified as critical has been found in jshERP up to 3.5. Affected is an unknown function of the file /user/delete of the component Account Handler. The manipulation of the argument ID leads to improper authorization. It is possible to launch the attack…

  • CVE-2025-7076 · Med · Jul 6, 2025
    risk 0.35 · cvss 5.4 · epss 0.01

    A vulnerability was found in BlackVue Dashcam 590X up to 20250624. It has been rated as critical. Affected by this issue is some unknown functionality of the file /upload.cgi of the component Configuration Handler. The manipulation leads to improper access controls. The attack…

  • CVE-2025-4136 · Med · Apr 30, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability was found in Weitong Mall 1.0.0. It has been classified as critical. This affects an unknown part of the component Sale Endpoint. The manipulation of the argument ID leads to improper authorization. It is possible to initiate the attack remotely. The exploit has…