CWE-286
Incorrect User Management
Description
The product does not properly manage a user within its environment.
CVEs mapped to this weakness (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-48853 | | Cri | 0.59 | 9.0 | 0.00 | | May 22, 2025 | An escalation of privilege vulnerability in ASPECT could provide an attacker root access to a server when logged in as a "non" root ASPECT user. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. |
| CVE-2026-35638 | | Hig | 0.50 | 8.8 | 0.00 | | Apr 9, 2026 | OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy… |
| CVE-2022-35503 | | Hig | 0.49 | 7.5 | 0.01 | | Apr 22, 2024 | Improper verification of a user input in Open Source MANO v7-v12 allows an authenticated attacker to execute arbitrary code within the LCM module container via a Virtual Network Function (VNF) descriptor. An attacker may be able to execute code to change the normal execution of the… |
| CVE-2021-26262 | | Med | 0.36 | 5.5 | 0.01 | | Nov 19, 2021 | Philips MRI 1.5T and MRI 3T Version 5.3 through 5.8.1 does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CVE-2025-64725 | | | 0.00 | — | 0.00 | | Dec 15, 2025 | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended. |
| CVE-2025-64521 | | | 0.00 | — | 0.00 | | Nov 19, 2025 | authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this… |
| CVE-2025-59943 | | | 0.00 | — | 0.00 | | Oct 3, 2025 | phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier… |
| CVE-2024-9312 | | | 0.00 | — | 0.00 | | Oct 10, 2024 | Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges. |