VYPR

CWE-266

Incorrect Privilege Assignment

Abstraction: Base | Status: Draft

Description

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
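One concrete form of this weakness appears further down this page in the CVE-2025-50691 entry: a daemon writes its login token into a data directory that every local user can read, so each of those users is implicitly granted the daemon's authority. The following added example (written for this page, not MCSManager's or any listed project's code) shows the weak pattern beside a hardened one and a small audit that flags secret files readable by group or others. Paths, file names and the `audit_secrets` helper are assumptions for illustration.

```python
"""Incorrect privilege assignment through file permissions: a service stores a
login token in its data directory and, because it relies on the process umask,
other accounts on the host can read it.  Added example for CWE-266; the
directory layout and token file name are constructed for illustration."""
import os
import secrets
import stat
import tempfile

# Mode bits that grant read access to anyone other than the owner.
WORLD_READABLE = stat.S_IRGRP | stat.S_IROTH


def store_token_weak(data_dir: str) -> str:
    """Vulnerable: directory and file receive whatever the umask allows
    (0755 / 0644 under the common umask 022), so any local user can read
    the token and authenticate as the daemon."""
    os.makedirs(data_dir, exist_ok=True)
    path = os.path.join(data_dir, "daemon.token")
    with open(path, "w") as fh:
        fh.write(secrets.token_hex(32))
    return path


def store_token_hardened(data_dir: str) -> str:
    """Fixed: owner-only directory and file.  The mode is passed explicitly
    to os.open and the file is created with O_EXCL so a pre-placed file or
    symlink at that path is rejected rather than followed."""
    os.makedirs(data_dir, mode=0o700, exist_ok=True)
    os.chmod(data_dir, 0o700)  # makedirs honours umask; enforce the mode
    path = os.path.join(data_dir, "daemon.token")
    if os.path.lexists(path):  # rotate: drop any stale token first
        os.unlink(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secrets.token_hex(32))
    return path


def mode_bits(path: str) -> int:
    """Permission bits of path (symlinks are not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_secrets(data_dir: str) -> list:
    """Return every regular file under data_dir that group or others can
    read.  Pointing this at a service's data directory is the quick check
    for the weakness described above."""
    findings = []
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            p = os.path.join(root, name)
            if mode_bits(p) & WORLD_READABLE:
                findings.append(p)
    return findings


if __name__ == "__main__":
    os.umask(0o022)  # the usual default on servers
    base = tempfile.mkdtemp()
    weak = store_token_weak(os.path.join(base, "weak"))
    good = store_token_hardened(os.path.join(base, "good"))
    print("weak:", oct(mode_bits(weak)), audit_secrets(os.path.dirname(weak)))
    print("good:", oct(mode_bits(good)), audit_secrets(os.path.dirname(good)))
```

The hardened variant fixes the permission side only; if the daemon also runs as root, as the CVE-2025-50691 description says MCSManager's does, the separate remedy is to run it under a dedicated unprivileged account so that whatever leaks from it carries no more authority than that account holds.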

CVEs mapped to this weakness (593), page 23 of 30

  • CVE-2026-7602 | Medium | May 2, 2026
    risk 0.34 | CVSS 6.3 | EPSS 0.00

    A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in improper authorization. The attack may be…

  • CVE-2026-7142 | Medium | Apr 27, 2026
    risk 0.34 | CVSS 6.3 | EPSS 0.00

    A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It is possible to launch the attack…

  • CVE-2026-7109 | Medium | Apr 27, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    A vulnerability was detected in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /item of the component API Endpoint. Performing a manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit…

  • CVE-2026-24749 | Medium | Apr 16, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the…

  • CVE-2026-5999 | Medium | Apr 10, 2026
    risk 0.34 | CVSS 6.3 | EPSS 0.00

    A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be…

  • CVE-2026-5312 | Medium | Apr 1, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.01

    A weakness has been identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this…

  • CVE-2026-5311 | Medium | Apr 1, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.01

    A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is…

  • CVE-2026-4514 | Medium | Mar 21, 2026
    risk 0.34 | CVSS 6.3 | EPSS 0.00

    A flaw has been found in PbootCMS up to 3.2.12. Affected by this issue is some unknown functionality of the file apps/admin/controller/system/UserController.php of the component Backend. Executing a manipulation of the argument Field can lead to improper access controls. The…

  • CVE-2026-3796 | Medium | Mar 9, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    A weakness has been identified in Qi-ANXIN QAX Virus Removal up to 2025-10-22. The affected element is the function ZwTerminateProcess in the library QKSecureIO_Imp.sys of the component Mini Filter Driver. Executing a manipulation can lead to improper access controls. The attack…

  • CVE-2026-3675 | Medium | Mar 7, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    A vulnerability was determined in Freedom Factory dGEN1 up to 20260221. Affected by this issue is the function FakeAppReceiver of the component org.ethosmobile.ethoslauncher. Executing a manipulation can lead to improper authorization. The attack needs to be launched locally.…

  • CVE-2026-3674 | Medium | Mar 7, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    A vulnerability was found in Freedom Factory dGEN1 up to 20260221. Affected by this vulnerability is the function FakeAppProvider of the component org.ethosmobile.ethoslauncher. Performing a manipulation results in improper authorization. The attack must be initiated from a…

  • CVE-2026-3670 | Medium | Mar 7, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    A vulnerability was detected in Freedom Factory dGEN1 up to 20260221. Affected is an unknown function of the component com.dgen.alarm. Performing a manipulation results in improper authorization. The attack requires a local approach. The exploit is now public and may be used.…

  • CVE-2026-3669 | Medium | Mar 7, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    A security vulnerability has been detected in Freedom Factory dGEN1 up to 20260221. This impacts the function AlarmService of the component com.dgen.alarm. Such manipulation leads to improper authorization. The attack needs to be performed locally. The exploit has been disclosed…

  • CVE-2026-3667 | Medium | Mar 7, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    A security flaw has been discovered in Freedom Factory dGEN1 up to 20260221. The impacted element is the function FakeAppService of the component org.ethosmobile.ethoslauncher. The manipulation results in improper authorization. The attack must be initiated from a local…

  • CVE-2025-15597 | Medium | Mar 2, 2026
    risk 0.34 | CVSS 6.3 | EPSS 0.01

    A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The…

  • CVE-2025-10992 | Medium | Sep 26, 2025
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    A vulnerability was determined in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. Affected is an unknown function of the file /user/info/lookupList. Executing manipulation can lead to improper authorization. The attack may be performed from remote. The exploit…

  • CVE-2025-50691 | Medium | Aug 22, 2025
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    MCSManager 10.5.3 daemon process runs as a root account by default, and its sensitive data (including tokens and terminal content) is stored in the data directory, readable by all users. Other users on the system can read the daemon's key and use it to log in, leading to…

  • CVE-2025-6099 | Medium | Jun 16, 2025
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    A vulnerability was found in szluyu99 gin-vue-blog up to 61dd11ccd296e8642a318ada3ef7b3f7776d2410. It has been declared as critical. This vulnerability affects unknown code of the file gin-blog-server/internal/manager.go of the component PATCH Request Handler. The manipulation…

  • CVE-2025-1078 | Medium | Feb 6, 2025
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    A vulnerability has been found in AppHouseKitchen AlDente Charge Limiter up to 1.29 on macOS and classified as critical. This vulnerability affects the function shouldAcceptNewConnection of the file com.apphousekitchen.aldente-pro.helper of the component XPC Service. The…

  • CVE-2024-11306 | Medium | Nov 18, 2024
    risk 0.34 | CVSS 5.3 | EPSS 0.01

    A vulnerability, which was classified as critical, has been found in Altenergy Power Control Software up to 20241108. This issue affects some unknown processing of the file /index.php/display/database/. The manipulation leads to improper authorization. The attack may be…