VYPR

CWE-283

Unverified Ownership

Base / Draft

Description

The product does not properly verify that a critical resource is owned by the proper entity.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (14)

  • CVE-2020-8554 (Med) Jan 21, 2021
    risk 0.43, cvss 6.3, epss 0.09

    Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation…

  • CVE-2026-4269 (Hig) Mar 16, 2026
    risk 0.42, cvss 7.5, epss 0.00

    A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. This issue only affects users of the Bedrock AgentCore…

  • CVE-2026-44707 (Med) May 26, 2026
    risk 0.37, cvss 6.8, epss 0.00

    Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email…

  • CVE-2024-1853 (Med) Mar 14, 2024
    risk 0.36, cvss 5.5, epss 0.00

    Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.

  • CVE-2026-44562 (Med) May 15, 2026
    risk 0.35, cvss 6.5, epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/models/import endpoint allows users with the workspace.models_import permission to overwrite any existing model in the database, regardless of…

  • CVE-2025-9822 (Med) Sep 3, 2025
    risk 0.29, cvss 5.5, epss 0.00

    Summary: A user with administrator rights can change the configuration of the mautic application and extract secrets that are not normally available. Impact: An administrator who usually does not have access to certain parameters, such as database credentials, can disclose them.

  • CVE-2026-0598 (Med) Feb 6, 2026
    risk 0.27, cvss 4.2, epss 0.00

    A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid…

  • CVE-2026-40337 (Med) Apr 18, 2026
    risk 0.26, cvss 5.1, epss 0.00

    The Sentry kernel is a high security level micro-kernel implementation made for high security embedded systems. A given task with one of the DEV or IO capability is able to interact with another task's IRQ line through the __sys_int_* syscall family. Prior to version 0.4.7,…

  • CVE-2025-12815 (Med) Nov 6, 2025
    risk 0.21, cvss 4.3, epss 0.00

    An ownership verification issue in the Virtual Desktop preview page in the Research and Engineering Studio (RES) on AWS before version 2025.09 may allow an authenticated remote user to view another user's active desktop session metadata, including periodical desktop preview…

  • CVE-2026-29788 Mar 6, 2026
    risk 0.00, cvss (none), epss 0.00

    TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports.…

  • CVE-2026-27486 Feb 21, 2026
    risk 0.00, cvss (none), epss 0.00

    OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without verifying if they are owned by the current OpenClaw process. On shared hosts,…

  • CVE-2026-26016 Feb 19, 2026
    risk 0.00, cvss (none), epss 0.00

    Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a…

  • CVE-2025-47940 May 20, 2025
    risk 0.00, cvss (none), epss 0.00

    TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend users without system maintainer privileges can escalate their privileges and…

  • CVE-2023-30544 Apr 24, 2023
    risk 0.00, cvss (none), epss 0.00

    Kiwi TCMS is an open source test management system. In versions of Kiwi TCMS prior to 12.2, users were able to update their email addresses via the `My profile` admin page. This page allowed them to change the email address registered with their account without the ownership…