CWE-280
Improper Handling of Insufficient Permissions or Privileges
Description
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (57)
page 1 of 3

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-6573 | — | Critical | 0.64 | 9.8 | 0.00 | | Aug 9, 2025 | Kernel software installed and running inside an untrusted/rich execution environment (REE) could leak information from the trusted execution environment (TEE). |
| CVE-2024-5163 | — | Critical | 0.64 | 9.8 | 0.01 | | Jun 17, 2024 | Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks. |
| CVE-2026-40371 | — | High | 0.57 | 8.8 | 0.01 | | Jun 9, 2026 | Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-8109 | — | High | 0.57 | 8.8 | 0.00 | | Aug 4, 2025 | Software installed and run as a non-privileged user may conduct ptrace system calls to issue writes to GPU origin read-only memory. |
| CVE-2025-27025 | — | High | 0.57 | 8.8 | 0.01 | | Jul 2, 2025 | The target device exposes a service on a specific TCP port with a configured endpoint. Access to that endpoint is granted using a Basic Authentication method. The endpoint also accepts the PUT method, and it is possible to write files on the target device file system.… |
| CVE-2023-38298 | — | High | 0.57 | 8.8 | 0.00 | | Apr 22, 2024 | Various software builds for the following TCL devices (30Z, A3X, 20XE, 10L) leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining… |
| CVE-2024-43702 | — | High | 0.53 | 8.1 | 0.00 | | Nov 30, 2024 | Software installed and run as a non-privileged user may conduct improper GPU system calls to allow unprivileged access to arbitrary physical memory pages. |
| CVE-2026-27910 | — | High | 0.51 | 7.8 | 0.00 | | Apr 14, 2026 | Improper handling of insufficient permissions or privileges in Windows Installer allows an authorized attacker to elevate privileges locally. |
| CVE-2026-2123 | — | High | 0.51 | 7.8 | 0.00 | | Mar 31, 2026 | A security audit identified a privilege escalation vulnerability in Operations Agent (<=OA 12.29) on Windows. Under specific conditions Operations Agent may run executables from specific writeable locations. Thanks to Manuel Rickli & Philippe Leiser of Oneconsult AG for reporting… |
| CVE-2026-20817 | — | High | 0.51 | 7.8 | 0.05 | | Jan 13, 2026 | Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally. |
| CVE-2025-43527 | — | High | 0.51 | 7.8 | 0.00 | | Dec 12, 2025 | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.3, macOS Tahoe 26.2. An app may be able to gain root privileges. |
| CVE-2025-30453 | — | High | 0.51 | 7.8 | 0.00 | | May 12, 2025 | The issue was addressed with additional permissions checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. A malicious app may be able to gain root privileges. |
| CVE-2025-0478 | — | High | 0.51 | 7.8 | 0.00 | | Mar 24, 2025 | Software installed and run as a non-privileged user may conduct improper GPU system calls to issue reads and writes to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages… |
| CVE-2024-43705 | — | High | 0.51 | 7.8 | 0.00 | | Dec 28, 2024 | Software installed and run as a non-privileged user can trigger the GPU kernel driver to write to arbitrary read-only system files that have been mapped into application memory. |
| CVE-2026-24096 | — | High | 0.50 | 8.8 | 0.00 | | Apr 1, 2026 | Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information. |
| CVE-2024-6660 | — | High | 0.50 | 8.8 | 0.01 | | Jul 17, 2024 | The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpress_import_data_continue_process_f… |
| CVE-2026-6805 | — | High | 0.49 | 7.5 | 0.00 | | May 7, 2026 | Vulnerability in the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server, allowing an offline brute-force attack on the access code associated with this sharing link. |
| CVE-2025-46740 | — | High | 0.49 | 7.5 | 0.00 | | May 12, 2025 | An authenticated user without user administrative permissions could change the administrator Account Name. |
| CVE-2025-0468 | — | High | 0.46 | 7.1 | 0.00 | | Apr 4, 2025 | Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages… |
| CVE-2024-12430 | — | High | 0.46 | 7.0 | 0.00 | | Jan 7, 2025 | An attacker who successfully exploited these vulnerabilities could enable command execution. A vulnerability exists in the AC500 V3 version mentioned. After successfully exploiting CVE-2024-12429 (directory traversal), a successfully authenticated attacker can inject… |