VYPR

CWE-269

Improper Privilege Management

Class · Draft · Likelihood: Medium

Description

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-122 · CAPEC-233 · CAPEC-58

CVEs mapped to this weakness (1,039)

page 18 of 52
  • CVE-2023-52209 · High · Aug 1, 2024
    risk 0.52 · cvss 8.0 · epss 0.00

    Improper Privilege Management vulnerability in WPForms, LLC. WPForms User Registration allows Privilege Escalation. This issue affects WPForms User Registration: from n/a through 2.1.0.

  • CVE-2024-37560 · High · Jul 12, 2024
    risk 0.52 · cvss 8.0 · epss 0.00

    Improper Privilege Management vulnerability in IqbalRony WP User Switch allows Privilege Escalation. This issue affects WP User Switch: from n/a through 1.1.0.

  • CVE-2023-47683 · High · May 17, 2024
    risk 0.52 · cvss 8.0 · epss 0.00

    Improper Privilege Management vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Privilege Escalation. This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.6.6.

  • CVE-2026-36213 · High · Jun 15, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a local attacker to escalate privileges via the MemuService.exe component.

  • CVE-2026-12217 · High · Jun 15, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    A security vulnerability has been detected in DVDFab Virtual Drive 2.0.0.5. Impacted is an unknown function in the library dvdfabio.sys of the component Signed Kernel Driver. The manipulation leads to improper privilege management. An attack has to be approached locally. The…

  • CVE-2025-31272 · High · Jun 11, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4. An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges.

  • CVE-2026-11103 · High · Jun 4, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Inappropriate implementation in Installer in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)

  • CVE-2026-49189 · High · Jun 4, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations.

  • CVE-2026-0091 · High · Jun 1, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    In multiple locations, there is a possible way to execute code in the launcher process due to an over-privileged shell user. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2026-0089 · High · Jun 1, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    In multiple functions of PackageInstallerService.java, there is a possible way to install unverified apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…

  • CVE-2026-0009 · High · Jun 1, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    In multiple locations, there is a possible tapjacking due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2025-43306 · High · May 26, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A malicious app may be able to gain root privileges.

  • CVE-2026-44470 · High · May 13, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real…

  • CVE-2026-28919 · High · May 11, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    A consistency issue was addressed with improved state handling. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to gain root privileges.

  • CVE-2026-28840 · High · May 11, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.4. An app may be able to gain root privileges.

  • CVE-2026-7994 · High · May 6, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Inappropriate implementation in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)

  • CVE-2026-37525 · High · May 1, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling…

  • CVE-2026-30769 · High · Apr 29, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    An issue in the TVicPort64.sys component of EnTech Taiwan TVicPort Product v4.0, File v5.2.1.0 allows attackers to escalate privileges via sending crafted IOCTL 0x80002008 requests.

  • CVE-2026-31368 · High · Apr 21, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    AiAssistant is affected by type privilege bypass; successful exploitation of this vulnerability may affect service availability.

  • CVE-2026-29923 · High · Apr 9, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request, enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures.