VYPR

CWE-266

Incorrect Privilege Assignment

Abstraction: Base | Status: Draft

Description

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
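The weakness is easiest to see in code. The example below is an added illustration for this CWE page; it is not code from JeecgBoot, Keycloak, Grav or any other project in the list, and the names (Principal, Directory, create_user, query_depart_permission) and the sample data are assumptions. It models two shapes that recur in the mapped entries: a privilege set copied from a client-supplied field when an account is created, so that an actor holding only "create-user" can mint an account with privileges it never had (and can silently overwrite an existing username when uniqueness is not validated), and a scope identifier such as a department id accepted from the request without checking that the caller is assigned to that scope. Each weak function is paired with a hardened one that derives what may be assigned from the caller's own grants.

```python
"""
Added illustration of CWE-266 (Incorrect Privilege Assignment).
Not code from any project on this page; all names and data are assumed.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    pass


@dataclass
class Principal:
    name: str
    privileges: frozenset[str]
    departments: frozenset[str] = frozenset()


@dataclass
class Directory:
    """Constructed in-memory store: users keyed by username, permissions per department."""
    users: dict[str, Principal] = field(default_factory=dict)
    depart_permissions: dict[str, set[str]] = field(default_factory=dict)


# --- shape 1: the new account's privileges come straight from the request --

def create_user_vulnerable(directory, actor, username, requested_privileges):
    if "create-user" not in actor.privileges:
        raise AuthorizationError("actor may not create users")
    # Weak: the caller chooses the new account's privilege set, and an existing
    # username is silently overwritten (uniqueness is never validated).
    directory.users[username] = Principal(username, frozenset(requested_privileges))
    return directory.users[username]


def create_user(directory, actor, username, requested_privileges):
    if "create-user" not in actor.privileges:
        raise AuthorizationError("actor may not create users")
    if username in directory.users:
        raise ValueError(f"username already exists: {username}")
    requested = frozenset(requested_privileges)
    # Least privilege: an actor may only delegate privileges it holds itself.
    excess = requested - actor.privileges
    if excess:
        raise AuthorizationError(f"cannot assign privileges not held by actor: {sorted(excess)}")
    directory.users[username] = Principal(username, requested)
    return directory.users[username]


# --- shape 2: a scope id (department) is trusted as supplied ---------------

def query_depart_permission_vulnerable(directory, actor, depart_id):
    # Weak: only authentication is checked; depart_id is not tied to the caller.
    if not actor.name:
        raise AuthorizationError("unauthenticated")
    return directory.depart_permissions.get(depart_id, set())


def query_depart_permission(directory, actor, depart_id):
    # The caller must be assigned to the department or hold a global admin grant.
    if "admin" not in actor.privileges and depart_id not in actor.departments:
        raise AuthorizationError(f"actor not assigned to department {depart_id}")
    return directory.depart_permissions.get(depart_id, set())


def demo():
    """Runs both pairs against constructed data and returns the observed outcomes."""
    d = Directory(
        users={"root": Principal("root", frozenset({"admin", "create-user"}))},
        depart_permissions={"D1": {"read:orders"}, "D2": {"read:orders", "approve:payouts"}},
    )
    helpdesk = Principal("helpdesk", frozenset({"create-user", "reset-password"}), frozenset({"D1"}))
    results = {}

    # Helpdesk mints an admin through the weak path.
    eve = create_user_vulnerable(d, helpdesk, "eve", {"admin"})
    results["vuln_minted_admin"] = "admin" in eve.privileges

    # Hardened path refuses privileges the actor does not hold.
    try:
        create_user(d, helpdesk, "mallory", {"admin"})
        results["hardened_refused"] = False
    except AuthorizationError:
        results["hardened_refused"] = True

    # Hardened path refuses to overwrite an existing account.
    try:
        create_user(d, helpdesk, "root", {"reset-password"})
        results["dup_refused"] = False
    except ValueError:
        results["dup_refused"] = True

    # Department scope: weak path leaks D2, hardened path confines helpdesk to D1.
    results["vuln_leaks_d2"] = "approve:payouts" in query_depart_permission_vulnerable(d, helpdesk, "D2")
    try:
        query_depart_permission(d, helpdesk, "D2")
        results["hardened_scope_refused"] = False
    except AuthorizationError:
        results["hardened_scope_refused"] = True
    results["hardened_own_dept"] = query_depart_permission(d, helpdesk, "D1") == {"read:orders"}
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check that matters in the hardened `create_user` is the subset test: the assignable privilege set is derived from the actor's own grants, never from the request. The same rule applies to scoped lookups, where the scope id must be matched against what the caller is assigned, not merely parsed.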

Hierarchy (View 1000)

CVEs mapped to this weakness (593)

page 28 of 30
  • CVE-2025-15125 | Low | Dec 28, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. The attack can be launched remotely. This…

  • CVE-2025-15124 | Low | Dec 28, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be initiated remotely. The attack's complexity…

  • CVE-2025-15123 | Low | Dec 28, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of…

  • CVE-2025-15122 | Low | Dec 28, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A vulnerability was found in JeecgBoot up to 3.9.0. The impacted element is the function loadDatarule of the file /sys/sysDepartRole/datarule/. Manipulation of the argument departId/roleId results in improper authorization. It is possible to initiate the attack…

  • CVE-2025-15120 | Low | Dec 28, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A flaw has been found in JeecgBoot up to 3.9.0. Impacted is the function getDeptRoleList of the file /sys/sysDepartRole/getDeptRoleList. Manipulation of the argument departId causes improper authorization. The attack can be carried out remotely. A high degree of…

  • CVE-2025-15119 | Low | Dec 28, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A vulnerability was detected in JeecgBoot up to 3.9.0. This issue affects the function queryPageList of the file /sys/sysDepartRole/list. The manipulation of the argument deptId results in improper authorization. The attack can be executed remotely. A high complexity level is…

  • CVE-2025-15084 | Low | Dec 25, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A vulnerability was identified in youlaitech youlai-mall 1.0.0/2.0.0. The impacted element is the function orderService.payOrder of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java of the component Order Payment Handler. The…

  • CVE-2025-10977 | Low | Sep 25, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A vulnerability was identified in JeecgBoot up to 3.8.2. Impacted is an unknown function of the file /sys/tenant/deleteBatch. The manipulation of the argument ids leads to improper authorization. The attack can be carried out remotely. The complexity of an attack is…

  • CVE-2025-10976 | Low | Sep 25, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A vulnerability was determined in JeecgBoot up to 3.8.2. This issue affects some unknown processing of the file /api/getDepartUserList. Manipulation of the argument departId can lead to improper authorization. The attack can be executed remotely. This attack is…

  • CVE-2025-10014 | Low | Sep 5, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A flaw has been found in elunez eladmin up to 2.7. This impacts the function updateUserEmail of the file /api/users/updateEmail/ of the component Email Address Handler. Manipulation of the argument id/email can lead to improper authorization. The attack may be…

  • CVE-2025-6527 | Low | Jun 23, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A vulnerability, which was classified as problematic, was found in 70mai M300 up to 20250611. Affected is an unknown function of the component Web Server. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The…

  • CVE-2026-5124 | Low | Mar 30, 2026
    risk 0.17 | cvss 3.7 | epss 0.00

    A security vulnerability has been detected in osrg GoBGP up to 4.3.0. Affected is the function BGPHeader.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP Header Handler. The manipulation leads to improper access controls. Remote exploitation of the attack…

  • CVE-2026-5122 | Low | Mar 30, 2026
    risk 0.17 | cvss 3.7 | epss 0.00

    A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Manipulation of the argument domainNameLen results in improper access controls. The…

  • CVE-2025-2397 | Low | Mar 17, 2025
    risk 0.16 | cvss 2.4 | epss 0.00

    A vulnerability was found in China Mobile P22g-CIac, ZXWT-MIG-P4G4V, ZXWT-MIG-P8G8V, GT3200-4G4P and GT3200-8G8P up to 20250305. It has been declared as problematic. This vulnerability affects unknown code of the component Telnet Service. The manipulation leads to improper…

  • CVE-2025-40571 | Low | May 13, 2025
    risk 0.14 | cvss 2.2 | epss 0.00

    A vulnerability has been identified in Mendix OIDC SSO (Mendix 10.12 compatible) (All versions < V4.0.1), Mendix OIDC SSO (Mendix 9 compatible) (All versions < V3.3.1), Mendix OIDC SSO V4.2 (Mendix 10 compatible) (All versions < V4.2.1), Mendix OIDC SSO V4.3 (Mendix 10…

  • CVE-2017-20199 | Low | Aug 16, 2025
    risk 0.13 | cvss 3.1 | epss 0.00

    A vulnerability was found in Buttercup buttercup-browser-extension up to 0.14.2. Affected by this vulnerability is an unknown functionality of the component Vault Handler. The manipulation results in improper access controls. The attack may be performed from a remote location. A…

  • CVE-2025-13881 | Low | Feb 2, 2026
    risk 0.11 | cvss 2.7 | epss 0.00

    A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.

  • CVE-2026-0871 | Feb 27, 2026
    risk 0.00 | cvss n/a | epss 0.00

    A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles,…

  • CVE-2025-65807 | Dec 10, 2025
    risk 0.00 | cvss n/a | epss 0.00

    An issue in sd command v1.0.0 and before allows attackers to escalate privileges to root via a crafted command.

  • CVE-2025-66296 | Dec 1, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the…