VYPR

CWE-862

Missing Authorization

Class | Incomplete | Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 18 of 278
  • CVE-2017-13209 | High | Jan 12, 2018
    risk 0.54 | cvss 7.8 | epss 0.01

    In the ServiceManager::add function in the hardware service manager, there is an insecure permissions check based on the PID of the caller which could allow an application or service to replace a HAL service with its own service. This could lead to a local elevation of privilege…

  • CVE-2017-3813 | High | Feb 9, 2017
    risk 0.54 | cvss 7.8 | epss 0.02

    A vulnerability in the Start Before Logon (SBL) module of Cisco AnyConnect Secure Mobility Client Software for Windows could allow an unauthenticated, local attacker to open Internet Explorer with the privileges of the SYSTEM user. The vulnerability is due to insufficient…

  • CVE-2026-49065 | High | Jun 15, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    Unauthenticated Broken Access Control in Hippoo Mobile App for WooCommerce <= 1.9.5 versions.

  • CVE-2026-42664 | High | Jun 15, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions.

  • CVE-2026-7368 | High | Jun 12, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any…

  • CVE-2026-33137 | Critical | May 20, 2026
    risk 0.53 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes…

  • CVE-2026-34358 | High | May 19, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write…

  • CVE-2026-39432 | High | May 12, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through 1.0.53.

  • CVE-2026-5944 | High | Apr 28, 2026
    risk 0.53 | cvss 8.2 | epss 0.01

    An improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central. The service exposes an API passthrough endpoint on TCP port 7373 that is accessible within the network scope of the deployment environment without authentication. …

  • CVE-2026-40623 | High | Apr 24, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints on sensitive functions, parameters such as…

  • CVE-2026-31921 | High | Mar 25, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    Missing Authorization vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Rearrange for WooCommerce: from n/a through <= 1.2.2.

  • CVE-2025-67977 | High | Feb 20, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through <= 1.0.8.

  • CVE-2025-67956 | High | Jan 22, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.6.

  • CVE-2026-0511 | High | Jan 13, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application; availability is not impacted.

  • CVE-2026-0656 | High | Jan 7, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature…

  • CVE-2025-13334 | High | Dec 12, 2025
    risk 0.53 | cvss 8.1 | epss 0.00

    The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1.0.13. This makes it possible for…

  • CVE-2025-58207 | High | Nov 6, 2025
    risk 0.53 | cvss 8.2 | epss 0.00

    Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ai Image Alt Text Generator for WP: from n/a through <= 1.1.5.

  • CVE-2025-49910 | High | Oct 22, 2025
    risk 0.53 | cvss 8.2 | epss 0.00

    Missing Authorization vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WPGuppy: from n/a through <= 1.1.4.

  • CVE-2025-10352 | Critical | Oct 8, 2025
    risk 0.53 | cvss | epss 0.00

    Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an administrator account via a request to '/melis/MelisCore/ToolUser/addNewUser'.

  • CVE-2025-10184 | High | Sep 23, 2025
    risk 0.53 | cvss | epss 0.04

    The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to…