
CWE-286

Incorrect User Management

Abstraction: Class
Status: Incomplete

Description

The product does not properly manage a user within its environment.

Users can be assigned to the wrong group (class) of permissions resulting in unintended access rights to sensitive objects.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (8)

  • CVE-2024-48853 (Critical) May 22, 2025
    risk 0.59, CVSS 9.0, EPSS 0.00

    An escalation of privilege vulnerability in ASPECT could provide an attacker root access to a server when logged in as a "non" root ASPECT user. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.

  • CVE-2026-35638 (High) Apr 9, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy…

  • CVE-2022-35503 (High) Apr 22, 2024
    risk 0.49, CVSS 7.5, EPSS 0.01

    Improper verification of a user input in Open Source MANO v7-v12 allows an authenticated attacker to execute arbitrary code within the LCM module container via a Virtual Network Function (VNF) descriptor. An attacker may be able to execute code to change the normal execution of the…

  • CVE-2021-26262 (Medium) Nov 19, 2021
    risk 0.36, CVSS 5.5, EPSS 0.01

    Philips MRI 1.5T and MRI 3T Version 5.3 through 5.8.1 does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  • CVE-2025-64725 (no severity listed) Dec 15, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended.

  • CVE-2025-64521 (no severity listed) Nov 19, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this…

  • CVE-2025-59943 (no severity listed) Oct 3, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier…

  • CVE-2024-9312 (no severity listed) Oct 10, 2024
    risk 0.00, CVSS not listed, EPSS 0.00

    Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.