CWE-862
Missing Authorization
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (5,549)
page 16 of 278| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-28965 | Hig | 0.56 | 8.6 | 0.00 | Jul 16, 2025 | Missing Authorization vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects URL Shortener: from n/a through <= 3.0.7. | ||
| CVE-2025-4430 | Hig | 0.56 | — | 0.00 | May 14, 2025 | Unauthorized access to "/api/Token/gettoken" endpoint in EZD RP allows file manipulation.This issue affects EZD RP in versions before 20.19 (published on 22nd August 2024). | ||
| CVE-2025-26961 | Hig | 0.56 | 8.6 | 0.00 | Mar 15, 2025 | Missing Authorization vulnerability in FRESHFACE Fresh Framework fresh-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Fresh Framework: from n/a through <= 1.70.0. | ||
| CVE-2024-34378 | Hig | 0.56 | 8.6 | 0.00 | May 6, 2024 | Missing Authorization vulnerability in LeadConnector.This issue affects LeadConnector: from n/a through 1.7. | ||
| CVE-2024-25911 | Hig | 0.56 | 8.6 | 0.01 | Apr 16, 2024 | Missing Authorization vulnerability in Skymoon Labs MoveTo.This issue affects MoveTo: from n/a through 6.2. | ||
| CVE-2024-0324 | Hig | 0.56 | 8.2 | 0.02 | Feb 5, 2024 | The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all… | ||
| CVE-2023-6600 | Hig | 0.56 | 8.6 | 0.00 | Jan 3, 2024 | The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to,… | ||
| CVE-2022-46850 | Hig | 0.56 | 8.6 | 0.01 | Jun 19, 2023 | Auth. (author+) Broken Access Control vulnerability leading to Arbitrary File Deletion in Nabil Lemsieh Easy Media Replace plugin <= 0.1.3 versions. | ||
| CVE-2020-36712 | Hig | 0.56 | 8.6 | 0.01 | Jun 7, 2023 | The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliforms_form_delete_uploaded_file function lacking any privilege or user protections. This makes it possible for… | ||
| CVE-2021-44793 | Hig | 0.56 | 8.6 | 0.01 | Jan 27, 2022 | Single Connect does not perform an authorization check when using the sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a… | ||
| CVE-2017-7914 | Hig | 0.56 | 8.6 | 0.07 | Jun 14, 2017 | A Missing Authorization issue was discovered in Rockwell Automation PanelView Plus 6 700-1500 6.00.04, 6.00.05, 6.00.42, 6.00-20140306, 6.10.20121012, 6.10-20140122, 7.00-20121012, 7.00-20130108, 7.00-20130325, 7.00-20130619, 7.00-20140128, 7.00-20140310, 7.00-20140429,… | ||
| CVE-2026-45549 | Hig | 0.55 | 8.5 | 0.00 | Jun 10, 2026 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/') and @jwt_required() only — no role check, no group… | ||
| CVE-2026-44482 | Cri | 0.55 | 9.6 | 0.00 | May 14, 2026 | soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local… | ||
| CVE-2025-13348 | Hig | 0.55 | — | 0.00 | Feb 2, 2026 | An improper access control vulnerability exists in ASUS Secure Delete Driver of ASUS Business Manager. This vulnerability can be triggered by a local user sending a specially crafted request, potentially leading to the creation of arbitrary files in a specified path. Refer to… | ||
| CVE-2024-36326 | Hig | 0.55 | 8.4 | 0.00 | Sep 6, 2025 | Missing authorization in AMD RomArmor could allow an attacker to bypass ROMArmor protections during system resume from a standby state, potentially resulting in a loss of confidentiality and integrity. | ||
| CVE-2025-49406 | Hig | 0.55 | 8.5 | 0.00 | Aug 20, 2025 | Missing Authorization vulnerability in favethemes Houzez allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Houzez: from n/a through 4.1.1. | ||
| CVE-2025-4046 | Hig | 0.55 | 8.5 | 0.00 | Aug 19, 2025 | A missing authorization vulnerability in Lexmark Cloud Services badge management allows attacker to reassign badges within their organization | ||
| CVE-2025-42983 | Hig | 0.55 | 8.5 | 0.00 | Jun 10, 2025 | SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to drop arbitrary SAP database tables, potentially resulting in a loss of data or rendering the system unusable. On successful exploitation, an attacker can completely delete database entries but is… | ||
| CVE-2025-2298 | Hig | 0.55 | — | 0.00 | Apr 21, 2025 | An improper authorization vulnerability in Dremio Software allows authenticated users to delete arbitrary files that the system has access to, including system files and files stored in remote locations such as S3, Azure Blob Storage, and local filesystems. This vulnerability… | ||
| CVE-2024-6406 | Hig | 0.55 | — | 0.00 | Sep 18, 2024 | Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data. This issue affects Mobile Library Application: before 5.0. |
- risk 0.56cvss 8.6epss 0.00
Missing Authorization vulnerability in Md Yeasin Ul Haider URL Shortener exact-links allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects URL Shortener: from n/a through <= 3.0.7.
- risk 0.56cvss —epss 0.00
Unauthorized access to "/api/Token/gettoken" endpoint in EZD RP allows file manipulation.This issue affects EZD RP in versions before 20.19 (published on 22nd August 2024).
- risk 0.56cvss 8.6epss 0.00
Missing Authorization vulnerability in FRESHFACE Fresh Framework fresh-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Fresh Framework: from n/a through <= 1.70.0.
- risk 0.56cvss 8.6epss 0.00
Missing Authorization vulnerability in LeadConnector.This issue affects LeadConnector: from n/a through 1.7.
- risk 0.56cvss 8.6epss 0.01
Missing Authorization vulnerability in Skymoon Labs MoveTo.This issue affects MoveTo: from n/a through 6.2.
- risk 0.56cvss 8.2epss 0.02
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all…
- risk 0.56cvss 8.6epss 0.00
The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to,…
- risk 0.56cvss 8.6epss 0.01
Auth. (author+) Broken Access Control vulnerability leading to Arbitrary File Deletion in Nabil Lemsieh Easy Media Replace plugin <= 0.1.3 versions.
- risk 0.56cvss 8.6epss 0.01
The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliforms_form_delete_uploaded_file function lacking any privilege or user protections. This makes it possible for…
- risk 0.56cvss 8.6epss 0.01
Single Connect does not perform an authorization check when using the sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a…
- risk 0.56cvss 8.6epss 0.07
A Missing Authorization issue was discovered in Rockwell Automation PanelView Plus 6 700-1500 6.00.04, 6.00.05, 6.00.42, 6.00-20140306, 6.10.20121012, 6.10-20140122, 7.00-20121012, 7.00-20130108, 7.00-20130325, 7.00-20130619, 7.00-20140128, 7.00-20140310, 7.00-20140429,…
- risk 0.55cvss 8.5epss 0.00
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/') and @jwt_required() only — no role check, no group…
- risk 0.55cvss 9.6epss 0.00
soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local…
- risk 0.55cvss —epss 0.00
An improper access control vulnerability exists in ASUS Secure Delete Driver of ASUS Business Manager. This vulnerability can be triggered by a local user sending a specially crafted request, potentially leading to the creation of arbitrary files in a specified path. Refer to…
- risk 0.55cvss 8.4epss 0.00
Missing authorization in AMD RomArmor could allow an attacker to bypass ROMArmor protections during system resume from a standby state, potentially resulting in a loss of confidentiality and integrity.
- risk 0.55cvss 8.5epss 0.00
Missing Authorization vulnerability in favethemes Houzez allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Houzez: from n/a through 4.1.1.
- risk 0.55cvss 8.5epss 0.00
A missing authorization vulnerability in Lexmark Cloud Services badge management allows attacker to reassign badges within their organization
- risk 0.55cvss 8.5epss 0.00
SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to drop arbitrary SAP database tables, potentially resulting in a loss of data or rendering the system unusable. On successful exploitation, an attacker can completely delete database entries but is…
- risk 0.55cvss —epss 0.00
An improper authorization vulnerability in Dremio Software allows authenticated users to delete arbitrary files that the system has access to, including system files and files stored in remote locations such as S3, Azure Blob Storage, and local filesystems. This vulnerability…
- risk 0.55cvss —epss 0.00
Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data. This issue affects Mobile Library Application: before 5.0.