VYPR

CWE-266

Incorrect Privilege Assignment

Abstraction: Base | Status: Draft

Description

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Hierarchy (View 1000)

CVEs mapped to this weakness (593)

page 24 of 30
  • CVE-2023-7270 | Med | Jun 27, 2024
    risk 0.34 | cvss 5.3 | epss 0.00

    An issue was discovered in SoftMaker Office 2024 / NX before revision 1214 and SoftMaker FreeOffice 2014 before revision 1215. FreeOffice 2021 is also affected, but won't be fixed. The SoftMaker Office and FreeOffice MSI installer files were found to produce a visible…

  • CVE-2025-12103 | Med | Oct 28, 2025
    risk 0.33 | cvss 5.0 | epss 0.00

    A flaw was found in Red Hat Openshift AI Service. The TrustyAI component is granting all service accounts and users on a cluster permissions to get, list, watch any pod in any namespace on the cluster. TrustyAI is creating a role `trustyai-service-operator-lmeval-user-role`…

  • CVE-2025-11281 | Med | Oct 5, 2025
    risk 0.33 | cvss 5.0 | epss 0.00

    A vulnerability has been found in Frappe LMS 2.35.0. The affected element is an unknown function of the file /courses/ of the component Unpublished Course Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. This attack is…

  • CVE-2024-9476 | Med | Nov 13, 2024
    risk 0.33 | cvss n/a | epss 0.00

    A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation, allowing users to gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant. This vulnerability will only affect users who…

  • CVE-2026-10070 | Med | May 29, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The…

  • CVE-2024-31760 | Med | Apr 16, 2024
    risk 0.31 | cvss 4.7 | epss 0.01

    An issue in sanluan flipped-aurora gin-vue-admin 2.4.x allows an attacker to escalate privileges via the Session Expiration component.

  • CVE-2026-8233 | Med | May 10, 2026
    risk 0.30 | cvss 4.6 | epss 0.00

    A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. This manipulation causes improper access controls. A high degree of complexity is needed for the attack. The exploitability is told to be difficult.…

  • CVE-2025-4228 | Med | Jun 13, 2025
    risk 0.30 | cvss n/a | epss 0.00

    An incorrect privilege assignment vulnerability in Palo Alto Networks Cortex® XDR Broker VM allows an authenticated administrative user to execute certain files available within the Broker VM and escalate their privileges to root.

  • CVE-2025-14660 | Med | Dec 14, 2025
    risk 0.29 | cvss 5.6 | epss 0.00

    A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. This manipulation of the argument domain causes improper access…

  • CVE-2024-55542 | Med | Jan 2, 2025
    risk 0.29 | cvss 4.4 | epss 0.00

    Local privilege escalation due to excessive permissions assigned to Tray Monitor service. The following products are affected: Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39169, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 35895.

  • CVE-2026-53847 | Med | Jun 16, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. Attackers with operator.write access can…

  • CVE-2026-12213 | Med | Jun 15, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability was found in hcengineering Huly Platform up to 0.7.0. Affected by this vulnerability is the function getAccountInfo of the file server/account/src/operations.ts of the component User Information Handler. The manipulation results in improper authorization. The…

  • CVE-2026-12212 | Med | Jun 15, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability has been found in hcengineering Huly Platform up to 0.7.0. Affected is the function getMailboxSecret of the file server/account/src/operations.ts of the component RPC Interface. The manipulation leads to improper access controls. The attack may be initiated…

  • CVE-2026-11554 | Med | Jun 8, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability was determined in TOTOLINK CP450 4.1.0cu.747. This vulnerability affects unknown code of the file /etc/vsftpd.conf of the component vsftpd. This manipulation causes least privilege violation. The attack may be initiated remotely. The exploit has been publicly…

  • CVE-2026-11494 | Med | Jun 8, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A security vulnerability has been detected in TOTOLINK AC1200 T8 4.1.5cu.8611. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation leads to least privilege violation. The attack may be initiated remotely. The exploit has been…

  • CVE-2026-11492 | Med | Jun 8, 2026
    risk 0.28 | cvss 4.3 | epss 0.01

    A security flaw has been discovered in D-Link DIR-823G 1.0.2B05. The affected element is an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Performing a manipulation results in least privilege violation. The attack can be initiated remotely. The exploit…

  • CVE-2026-11466 | Med | Jun 7, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    A weakness has been identified in zilliztech deep-searcher up to 0.0.2. This affects the function CollectionRouter.invoke of the file deepsearcher/agent/collection_router.py. This manipulation of the argument kwargs causes improper access controls. Remote exploitation of the…

  • CVE-2026-10294 | Med | Jun 1, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability has been found in PackageKit up to 1.3.5. Affected is the function g_file_test of the file src/pk-transaction.c of the component API. Such manipulation of the argument frontend-socket leads to improper authorization. The attack can be executed remotely. The…

  • CVE-2026-9410 | Med | May 25, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workflow. Such manipulation of the argument ID leads to improper authorization. It is…

  • CVE-2026-9409 | Med | May 25, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. This manipulation of the argument role causes improper authorization. It is possible to…