VYPR

CWE-269

Improper Privilege Management

Abstraction: Class
Status: Draft
Likelihood: Medium

Description

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-122 · CAPEC-233 · CAPEC-58

CVEs mapped to this weakness (1,039)

page 30 of 52
  • CVE-2026-35607 · High · Apr 7, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.00

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 ("self-registered users don't get execute perms") stripped Execute permission and Commands from…

  • CVE-2026-34528 · High · Apr 1, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.01

    File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips…

  • CVE-2026-4824 · High · Mar 25, 2026
    risk 0.46 · CVSS 7.0 · EPSS 0.00

    A vulnerability has been found in Enter Software Iperius Backup up to 8.7.3. Affected by this issue is some unknown functionality of the component Backup Job Configuration File Handler. The manipulation leads to improper privilege management. The attack must be carried out…

  • CVE-2026-3629 · High · Mar 21, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.00

    The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via…

  • CVE-2026-2144 · High · Feb 14, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.00

    The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible…

  • CVE-2025-13917 · High · Jan 28, 2026
    risk 0.46 · CVSS 7.0 · EPSS 0.00

    WSS Agent, prior to 9.8.5, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

  • CVE-2025-53914 · High · Sep 9, 2025
    risk 0.46 · CVSS n/a · EPSS 0.00

    Excessive Privileges vulnerability in Calix GigaCenter ONT (Broadcom SoC modules) allows Privilege Abuse. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE, 812G, 813G, 818G.

  • CVE-2025-53913 · High · Sep 9, 2025
    risk 0.46 · CVSS n/a · EPSS 0.00

    Excessive Privileges vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows Privilege Abuse. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE, 812G, 813G, 818G.

  • CVE-2024-48729 · High · Jul 25, 2025
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    An issue in ETSI Open-Source MANO (OSM) 14.0.x before 14.0.3, 15.0.x before 15.0.2, 16.0.0, and 17.0.0 allows a remote authenticated attacker to escalate privileges via the /osm/admin/v1/users component.

  • CVE-2025-53003 · High · Jul 1, 2025
    risk 0.46 · CVSS n/a · EPSS 0.00

    The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal surface attack area that exposes all sorts of information from the IDP including…

  • CVE-2025-4085 · High · Apr 29, 2025
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges. This vulnerability was fixed in Firefox 138 and Thunderbird 138.

  • CVE-2024-3656 · High · Oct 9, 2024
    risk 0.46 · CVSS 8.1 · EPSS 0.03

    A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

  • CVE-2024-3137 · High · Apr 2, 2024
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    Improper Privilege Management in uvdesk/community-skeleton

  • CVE-2022-21699 · High · Jan 19, 2022
    risk 0.46 · CVSS 8.2 · EPSS 0.01

    IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing…

  • CVE-2020-1742 · High · Jun 7, 2021
    risk 0.46 · CVSS 7.0 · EPSS 0.00

    An insecure modification vulnerability flaw was found in containers using nmstate/kubernetes-nmstate-handler. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. Versions before kubernetes-nmstate-handler-container-v2.…

  • CVE-2017-15055 · High · Nov 27, 2017
    risk 0.46 · CVSS 8.1 · EPSS 0.01

    TeamPass before 2.1.27.9 does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only directory, delete an arbitrary item, delete the…

  • CVE-2017-6767 · High · Aug 17, 2017
    risk 0.46 · CVSS 7.1 · EPSS 0.01

    A vulnerability in Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to gain higher privileges than the account is assigned. The attacker will be granted the privileges of the last user to log in, regardless of whether those…

  • CVE-2017-6728 · High · Jul 10, 2017
    risk 0.46 · CVSS 7.0 · EPSS 0.00

    A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary code at the root privilege level on an affected system, because of Incorrect Permissions. More Information: CSCvb99389. Known Affected Releases: 6.2.1.BASE.…

  • CVE-2017-6339 · Medium · Apr 5, 2017
    risk 0.46 · CVSS 6.5 · EPSS 0.04

    Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 mismanages certain key and certificate data. Per IWSVA documentation, by default, IWSVA acts as a private Certificate Authority (CA) and dynamically generates digital certificates that are sent to…

  • CVE-2016-2059 · High · May 5, 2016
    risk 0.46 · CVSS 7.0 · EPSS 0.00

    The msm_ipc_router_bind_control_port function in net/ipc_router/ipc_router_core.c in the IPC router kernel module for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify that a port is a…