VYPR

CWE-862

Missing Authorization

Class | Incomplete | Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
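The one-sentence description hides the most common shape of this weakness in the entries listed further down: a handler proves who the caller is (a valid session, key or token) and then never asks what that caller is allowed to do. The block below is an added example, not code from this page or from any product it lists; the session table, the permission table and the action names are constructed for illustration. It puts the authentication-only handler beside one that adds a deny-by-default authorization check:

```python
"""Authentication is not authorization: a minimal CWE-862 demonstration.

Added example. SESSIONS, PERMISSIONS and the action names are constructed;
in a real service they come from the framework's session layer and policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed session table: token -> (user, role).
SESSIONS = {
    "tok-admin": ("alice", "admin"),
    "tok-subscriber": ("bob", "subscriber"),
}

# Deny-by-default permission table: which roles may perform which action.
# An action that is absent from the table is denied for every role, so a
# newly added endpoint stays closed until someone writes a rule for it.
PERMISSIONS = {
    "settings.read": {"admin", "editor", "subscriber"},
    "settings.write": {"admin"},
    "user.role.set": {"admin"},
}


@dataclass
class Request:
    token: Optional[str]
    action: str


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def authenticate(req: Request) -> tuple[str, str]:
    """Authentication only: establishes who the caller is, nothing more."""
    if req.token is None or req.token not in SESSIONS:
        raise Unauthenticated("missing or invalid session token")
    return SESSIONS[req.token]


def handle_vulnerable(req: Request) -> str:
    """CWE-862 shape: any authenticated caller gets the privileged action."""
    user, _role = authenticate(req)
    return f"{req.action} performed by {user}"


def authorize(role: str, action: str) -> None:
    """Authorization: refuse unless the role is explicitly allowed."""
    if role not in PERMISSIONS.get(action, set()):
        raise Forbidden(f"role {role!r} may not perform {action!r}")


def handle_fixed(req: Request) -> str:
    """Same handler with the check the vulnerable one lacks."""
    user, role = authenticate(req)
    authorize(role, req.action)
    return f"{req.action} performed by {user}"


def outcome(handler, req: Request) -> str:
    """Reduce a handler call to 'ok', 'forbidden' or 'unauthenticated'."""
    try:
        handler(req)
        return "ok"
    except Forbidden:
        return "forbidden"
    except Unauthenticated:
        return "unauthenticated"


if __name__ == "__main__":
    for tok in (None, "tok-subscriber", "tok-admin"):
        req = Request(tok, "user.role.set")
        print(f"{str(tok):16} vulnerable={outcome(handle_vulnerable, req):16}"
              f"fixed={outcome(handle_fixed, req)}")
```

The subscriber token passes `handle_vulnerable` and is refused by `handle_fixed`; the RustFS entry on this page describes exactly the first shape, a `check_permissions` helper that validates authentication only. The unknown action in the last assertion is the other property worth keeping: the permission table is consulted per action, so forgetting to register a rule fails closed rather than open.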

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 17 of 278
  • CVE-2025-14272 | High | Jun 16, 2026
    risk 0.54 | cvss n/a | epss 0.00

    A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions.

  • CVE-2026-44326 | Critical | May 27, 2026
    risk 0.54 | cvss 9.4 | epss 0.00

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete…

  • CVE-2026-44315 | Critical | May 27, 2026
    risk 0.54 | cvss 9.4 | epss 0.00

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management…

  • CVE-2026-35438 | High | May 12, 2026
    risk 0.54 | cvss 8.3 | epss 0.01

    Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network.

  • CVE-2026-42613 | Critical | May 11, 2026
    risk 0.54 | cvss 9.4 | epss 0.01

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are…

  • CVE-2026-42569 | Critical | May 9, 2026
    risk 0.54 | cvss 9.4 | epss 0.01

    phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.

  • CVE-2026-40937 | High | Apr 22, 2026
    risk 0.54 | cvss 8.3 | epss 0.00

    RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token),…

  • CVE-2026-39397 | Critical | Apr 7, 2026
    risk 0.54 | cvss 9.4 | epss 0.00

    @delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level…

  • CVE-2026-33950 | Critical | Apr 2, 2026
    risk 0.54 | cvss 9.4 | epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK…

  • CVE-2025-29756 | High | Jun 11, 2025
    risk 0.54 | cvss n/a | epss 0.00

    SunGrow's back-end user system iSolarCloud (https://isolarcloud.com) uses an MQTT service to transport data from the user's connected devices to the user's web browser. The MQTT server, however, did not have sufficient restrictions in place to limit the topics that a user…

  • CVE-2025-20164 | High | May 7, 2025
    risk 0.54 | cvss 8.3 | epss 0.00

    A vulnerability in the Cisco Industrial Ethernet Switch Device Manager (DM) of Cisco IOS Software could allow an authenticated, remote attacker to elevate privileges. This vulnerability is due to insufficient validation of authorizations for authenticated users. An attacker…

  • CVE-2025-30960 | High | Apr 16, 2025
    risk 0.54 | cvss 8.3 | epss 0.00

    Missing Authorization vulnerability in fs-code FS Poster (fs-poster). This issue affects FS Poster: from n/a through <= 6.5.8.

  • CVE-2025-26969 | High | Mar 15, 2025
    risk 0.54 | cvss 8.3 | epss 0.00

    Missing Authorization vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.

  • CVE-2024-56067 | High | Dec 31, 2024
    risk 0.54 | cvss 7.5 | epss 0.10

    Missing Authorization vulnerability in azzaroco WP SuperBackup (indeed-wp-superbackup) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP SuperBackup: from n/a through <= 2.3.3.

  • CVE-2023-38385 | High | Dec 13, 2024
    risk 0.54 | cvss 8.3 | epss 0.00

    Missing Authorization vulnerability in Artbees JupiterX Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JupiterX Core: from 3.0.0 through 3.3.0.

  • CVE-2024-38744 | High | Nov 1, 2024
    risk 0.54 | cvss 8.3 | epss 0.00

    Missing Authorization vulnerability in Upqode Plum: Spin Wheel & Email Pop-up allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS. This issue affects Plum: Spin Wheel & Email Pop-up: from n/a through 2.0.

  • CVE-2023-47783 | High | Jun 19, 2024
    risk 0.54 | cvss 8.3 | epss 0.00

    Missing Authorization vulnerability in Thrive Themes Thrive Theme Builder. This issue affects Thrive Theme Builder: from n/a before 3.24.0.

  • CVE-2023-47771 | High | Jun 19, 2024
    risk 0.54 | cvss 8.3 | epss 0.00

    Missing Authorization vulnerability in ThemePunch OHG Essential Grid. This issue affects Essential Grid: from n/a through 3.0.18.

  • CVE-2024-5324 | High | Jun 6, 2024
    risk 0.54 | cvss 8.8 | epss 0.02

    Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level…

  • CVE-2024-5326 | High | May 30, 2024
    risk 0.54 | cvss 8.8 | epss 0.01

    The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it…
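Two entries above (Grav's Login::register() accepting attacker-controlled groups and access fields, Signal K's admin role injection via /enableSecurity) are the same weakness in a different place: the privilege-bearing fields of a new account are copied from the request body instead of being set by server-side policy, so no authorization decision is ever made about who may hold them. The following is an added example, not code from Grav, Signal K Server or any other project listed here; the field names groups and access, the defaults and the posted form are constructed for illustration. It builds the account both ways and reports which posted fields the hardened path refused:

```python
"""Privilege fields copied from client input at registration.

Added example. CLIENT_SETTABLE, SERVER_DEFAULTS and ATTACKER_FORM are
constructed; the field names are illustrative, not any product's schema.
"""
from __future__ import annotations

import copy
from typing import Any

# Fields a self-registering user may set. Everything else is server-owned
# and is never copied from the request, whatever the client sends.
CLIENT_SETTABLE = frozenset({"username", "email", "password", "fullname"})

# Privilege-bearing fields and the values every new account receives.
SERVER_DEFAULTS: dict[str, Any] = {
    "groups": ["users"],
    "access": {"site": {"login": True}},
}

# Constructed registration POST: ordinary fields plus two injected ones.
ATTACKER_FORM: dict[str, Any] = {
    "username": "mallory",
    "email": "mallory@example.invalid",
    "password": "correct horse",
    "groups": ["admin"],
    "access": {"admin": {"super": True}},
}


def register_vulnerable(form: dict[str, Any]) -> dict[str, Any]:
    """CWE-862 shape: every posted key lands in the account, so the request
    decides its own privileges."""
    account = copy.deepcopy(SERVER_DEFAULTS)
    account.update(form)          # injected 'groups'/'access' overwrite defaults
    return account


def register_fixed(form: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Allowlist the client-settable fields and assign privilege fields from
    server policy only. Returns (account, rejected_field_names) so the caller
    can log an attempted injection instead of silently dropping it."""
    rejected = sorted(k for k in form if k not in CLIENT_SETTABLE)
    account = {k: v for k, v in form.items() if k in CLIENT_SETTABLE}
    # deepcopy so accounts never share the mutable default lists/dicts
    account.update(copy.deepcopy(SERVER_DEFAULTS))
    return account, rejected


def is_privileged(account: dict[str, Any]) -> bool:
    """True if the account carries the admin group or any admin access key."""
    return "admin" in account.get("groups", []) or "admin" in account.get("access", {})


if __name__ == "__main__":
    print("vulnerable:", is_privileged(register_vulnerable(ATTACKER_FORM)))
    acct, rejected = register_fixed(ATTACKER_FORM)
    print("fixed:", is_privileged(acct), "rejected fields:", rejected)
```

The fix is an allowlist, not a denylist: stripping `groups` and `access` by name would reopen the hole the next time a privilege-bearing field is added to the schema, whereas `CLIENT_SETTABLE` only ever grows when someone decides a field is safe for self-service. Logging `rejected` turns the probe into a detection signal.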