VYPR

CWE-280

Improper Handling of Insufficient Permissions or Privileges

Abstraction: Base | Status: Draft

Description

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (57)

page 2 of 3
  • CVE-2026-20448 | Medium | May 4, 2026
    risk 0.44 | cvss 6.7 | epss 0.00

    In geniezone, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10708513;…

  • CVE-2025-3931 | High | May 14, 2025
    risk 0.44 | cvss 7.8 | epss 0.00

    A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and…

  • CVE-2024-8315 | Medium | Mar 25, 2025
    risk 0.44 | cvss n/a | epss 0.00

    An Improper Handling of Insufficient Permissions or Privileges vulnerability in scripts used in B&R APROL <4.4-00P5 may allow an authenticated local attacker to read credential information.

  • CVE-2026-9792 | Medium | May 28, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant`…

  • CVE-2024-6697 | Medium | Feb 20, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)   …

  • CVE-2026-2340 | Medium | May 27, 2026
    risk 0.35 | cvss 6.5 | epss 0.01

    A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with…

  • CVE-2026-44200 | Medium | May 11, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and…

  • CVE-2026-44199 | Medium | May 11, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they…

  • CVE-2026-44197 | Medium | May 11, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could…

  • CVE-2012-4550 | Medium | Jan 5, 2013
    risk 0.35 | cvss 5.3 | epss 0.02

    A flaw was found in JBoss Enterprise Application Platform. When role-based authorization is used for Enterprise Java Beans (EJB) access, the system does not correctly call the necessary authorization modules. This prevents Java Authorization Contract for Containers (JACC)…

  • CVE-2026-10549 | Medium | Jun 2, 2026
    risk 0.34 | cvss n/a | epss 0.00

    LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass group membership checks resulting in unauthorized access to the database.

  • CVE-2024-35228 | Medium | May 30, 2024
    risk 0.29 | cvss 5.5 | epss 0.00

    Wagtail is an open source content management system built on Django. Due to an improperly applied permission check in the `wagtail.contrib.settings` module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and…

  • CVE-2016-3725 | Medium | May 17, 2016
    risk 0.28 | cvss 4.3 | epss 0.02

    Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

  • CVE-2026-44201 | Medium | May 11, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private…

  • CVE-2026-44198 | Medium | May 11, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability…

  • CVE-2026-3190 | Medium | Mar 26, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection`…

  • CVE-2025-59040 | Medium | Sep 18, 2025
    risk 0.21 | cvss 4.3 | epss 0.00

    Tuleap is an Open Source Suite to improve management of software developments and collaboration. Backlog item representations do not verify the permissions of the child trackers. Users might see tracker names they should not have access to. This vulnerability is fixed in Tuleap…

  • CVE-2024-39691 | Medium | Jul 5, 2024
    risk 0.21 | cvss 4.3 | epss 0.00

    matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The fix for GHSA-wm4w-7h2q-3pf7 / CVE-2024-32000 included in matrix-appservice-irc 2.0.0 relied on the Matrix homeserver-provided timestamp to determine whether a user has access to the event…

  • CVE-2024-4468 | Medium | Jun 8, 2024
    risk 0.21 | cvss 4.3 | epss 0.00

    The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers…

  • CVE-2024-27837 | Low | May 14, 2024
    risk 0.21 | cvss 3.3 | epss 0.00

    A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sonoma 14.5. A local attacker may gain access to Keychain items.