VYPR

CWE-266

Incorrect Privilege Assignment

Base | Draft

Description

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Hierarchy (View 1000)

CVEs mapped to this weakness (593)

page 8 of 30
  • CVE-2025-10576 | High | Oct 15, 2025
    risk 0.55 | cvss | epss 0.00

    Potential vulnerabilities have been identified in the audio package for certain HP PC products using the Sound Research SECOMN64 driver, which might allow escalation of privilege. HP is releasing updated audio packages to mitigate the potential vulnerabilities.

  • CVE-2024-36534 | High | Jul 24, 2024
    risk 0.55 | cvss 8.4 | epss 0.00

    Insecure permissions in hwameistor v0.14.3 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token.

  • CVE-2026-32916 | Critical | Mar 31, 2026
    risk 0.54 | cvss 9.4 | epss 0.00

    OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke…

  • CVE-2026-39587 | High | Jun 15, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions.

  • CVE-2026-9397 | High | May 24, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    A weakness has been identified in Besen BS20 EV Charging Station up to 20260426. Affected by this issue is some unknown functionality of the component OTA Update Installation Handler. This manipulation causes improper authorization. The attack is possible to be carried out…

  • CVE-2026-32488 | High | Mar 25, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation. This issue affects User Registration: from n/a through <= 4.4.9.

  • CVE-2026-25334 | High | Mar 25, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Incorrect Privilege Assignment vulnerability in wordpresschef Salon Booking System Pro salon-booking-plugin-pro allows Privilege Escalation. This issue affects Salon Booking System Pro: from n/a through < 10.30.12.

  • CVE-2026-24373 | High | Mar 25, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Incorrect Privilege Assignment vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Privilege Escalation. This issue affects RegistrationMagic: from n/a through <= 6.0.7.1.

  • CVE-2025-67953 | High | Jan 22, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation. This issue affects Booking Activities: from n/a through <= 1.16.44.

  • CVE-2025-23974 | High | Jun 9, 2025
    risk 0.53 | cvss 8.1 | epss 0.00

    Incorrect Privilege Assignment vulnerability in ifkooo One-Login one-login allows Privilege Escalation. This issue affects One-Login: from n/a through <= 1.4.

  • CVE-2024-50550 | High | Oct 29, 2024
    risk 0.53 | cvss 8.1 | epss 0.01

    Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation. This issue affects LiteSpeed Cache: from n/a through <= 6.5.1.

  • CVE-2018-1088 | High | Apr 18, 2018
    risk 0.53 | cvss 8.1 | epss 0.05

    A privilege escalation flaw was found in the gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount the shared gluster storage volume and escalate privileges by scheduling a malicious cronjob via symlink.

  • CVE-2025-13888 | Critical | Dec 15, 2025
    risk 0.52 | cvss 9.1 | epss 0.01

    A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions…

  • CVE-2025-41255 | High | Jun 25, 2025
    risk 0.52 | cvss 8.0 | epss 0.00

    Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions. This issue affects Cyberduck through 9.1.6…

  • CVE-2025-23391 | Critical | Apr 11, 2025
    risk 0.52 | cvss 9.1 | epss 0.00

    An Incorrect Privilege Assignment vulnerability in SUSE rancher allows a Restricted Administrator to change the password of Administrators and take over their accounts. This issue affects rancher: from 2.8.0 before 2.8.14, from 2.9.0 before 2.9.8, from 2.10.0 before 2.10.4.

  • CVE-2023-38296 | High | Apr 22, 2024
    risk 0.52 | cvss 8.0 | epss 0.00

    Various software builds for the following TCL 30Z and TCL A3X devices leak the ICCID to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable…

  • CVE-2016-7070 | High | Sep 11, 2018
    risk 0.52 | cvss 8.0 | epss 0.01

    A privilege escalation flaw was found in Ansible Tower. When Tower before 3.0.3 deploys a PostgreSQL database, it incorrectly configures the trust level of the postgres user. An attacker could use this vulnerability to gain admin-level access to the database.

  • CVE-2026-12217 | High | Jun 15, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    A security vulnerability has been detected in DVDFab Virtual Drive 2.0.0.5. Impacted is an unknown function in the library dvdfabio.sys of the component Signed Kernel Driver. The manipulation leads to improper privilege management. An attack has to be approached locally. The…

  • CVE-2026-8148 | High | May 8, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks.

  • CVE-2025-13131 | High | Nov 13, 2025
    risk 0.51 | cvss 7.8 | epss 0.00

    A vulnerability was found in Sonarr 4.0.15.2940. The impacted element is an unknown function of the file C:\ProgramData\Sonarr\bin\Sonarr.Console.exe of the component Service. Performing manipulation results in incorrect default permissions. The attack is only possible with…