VYPR

CWE-269

Improper Privilege Management

Class · Draft · Likelihood: Medium

Description

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-122 · CAPEC-233 · CAPEC-58

CVEs mapped to this weakness (1,039)

page 28 of 52
  • CVE-2026-8176 · High · Jun 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent…

  • CVE-2026-11296 · High · Jun 5, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Inappropriate implementation in ImageCapture in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-23663 · High · May 22, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Improper privilege management in Azure Entra ID allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2026-28976 · High · May 11, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An information leakage was addressed with additional validation. This issue is fixed in macOS Tahoe 26.5. An app may be able to gain root privileges.

  • CVE-2026-3621 · High · Apr 23, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.4 is vulnerable to identity spoofing under limited conditions when an application is deployed without authentication and authorization configured.

  • CVE-2025-13292 · High · Dec 6, 2025
    risk 0.49 · cvss n/a · epss 0.00

    A vulnerability in Apigee-X allowed an attacker to gain unauthorized read and write access to Apigee Analytics (AX) data and access logs belonging to other Apigee customer organizations. Apigee-X was found to be vulnerable. This vulnerability was patched in…

  • CVE-2025-66314 · High · Nov 27, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Improper Privilege Management vulnerability in ZTE ElasticNet UME R32 on Linux allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ElasticNet UME R32: ElasticNet_UME_R32_V16.23.20.04.

  • CVE-2025-1037 · High · Oct 28, 2025
    risk 0.49 · cvss n/a · epss 0.00

    By making minor configuration changes to the TropOS 4th Gen device, an authenticated user with the ability to run user level shell commands can enable access via secure shell (SSH) to an unrestricted root shell. This is possible through abuse of a particular set of scripts and…

  • CVE-2025-9038 · High · Sep 22, 2025
    risk 0.49 · cvss n/a · epss 0.00

    Improper Privilege Management vulnerability in GE Vernova S1 Agile Configuration Software on Windows allows Privilege Escalation. This issue affects S1 Agile Configuration Software: 3.1 and previous versions.

  • CVE-2024-11218 · High · Jan 22, 2025
    risk 0.49 · cvss 8.6 · epss 0.00

    A vulnerability was found in `podman build` and `buildah`. This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and…

  • CVE-2024-46549 · High · Sep 30, 2024
    risk 0.49 · cvss 7.6 · epss 0.00

    An issue in the TP-Link MQTT Broker and API gateway of TP-Link Kasa KP125M v1.0.3 allows attackers to establish connections by impersonating devices owned by other users.

  • CVE-2024-41228 · High · Sep 23, 2024
    risk 0.49 · cvss 7.6 · epss 0.00

    A symlink following vulnerability in the pouch cp function of AliyunContainerService pouch v1.3.1 allows attackers to escalate privileges and write arbitrary files.

  • CVE-2024-39206 · High · Jul 2, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue discovered in MSP360 Backup Agent v7.8.5.15 and v7.9.4.84 allows attackers to obtain network share credentials used in a backup due to enginesettings.list being encrypted with a hard coded key.

  • CVE-2024-4988 · High · May 21, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    The mobile application (com.transsion.videocallenhancer) interface has improper permission control, which can lead to the risk of private file leakage.

  • CVE-2024-31237 · High · May 17, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Improper Privilege Management vulnerability in WP Sharks s2Member Pro allows Privilege Escalation. This issue affects s2Member Pro: from n/a through 240315.

  • CVE-2023-23990 · High · May 17, 2024
    risk 0.49 · cvss 7.6 · epss 0.01

    Improper Privilege Management vulnerability in Qube One Ltd. Redirection for Contact Form 7 (wpcf7-redirect) allows Privilege Escalation. This issue affects Redirection for Contact Form 7: from n/a through 2.7.0.

  • CVE-2024-33398 · High · May 3, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    There is a ClusterRole in piraeus-operator v2.5.0 and earlier which has been granted list secrets permission, which allows an attacker to impersonate the service account bound to this ClusterRole and use its high-risk privileges to list confidential information across the…

  • CVE-2023-33966 · High · May 31, 2023
    risk 0.49 · cvss 8.6 · epss 0.01

    Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies…

  • CVE-2021-3283 · High · Feb 1, 2021
    risk 0.49 · cvss 7.5 · epss 0.01

    HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10, and 1.0.3.

  • CVE-2018-5166 · High · Jun 11, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    WebExtensions can use request redirection and a "filterResponseData" filter to bypass host permission settings to redirect network traffic and access content from a host for which they do not have explicit user permission. This vulnerability affects Firefox < 60.