CWE-862
Missing Authorization
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (5,549)
page 51 of 278

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-49775 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Unauthenticated Broken Access Control in Welcart e-Commerce <= 2.11.28 versions. |
| CVE-2026-48887 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions. |
| CVE-2026-42659 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Subscriber Broken Access Control in Advanced Form Integration <= 1.126.12 versions. |
| CVE-2026-42640 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Unauthenticated Broken Access Control in Classified Listing <= 5.3.8 versions. |
| CVE-2026-40795 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Subscriber Broken Access Control in Amelia <= 2.2 versions. |
| CVE-2026-40794 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Subscriber Broken Access Control in myCred <= 3.0.3 versions. |
| CVE-2026-40793 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Subscriber Broken Access Control in Groundhogg < 4.4.1 versions. |
| CVE-2026-40773 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Subscriber Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress <= 4.7.9 versions. |
| CVE-2026-40743 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions. |
| CVE-2026-39594 |  | Med | 0.42 | 6.4 | 0.00 |  | Jun 15, 2026 | Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions. |
| CVE-2026-39584 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Subscriber Broken Access Control in RepairBuddy <= 4.1132 versions. |
| CVE-2026-39525 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions. |
| CVE-2026-39515 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Subscriber Broken Access Control in Motors < 1.4.107 versions. |
| CVE-2026-34892 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions. |
| CVE-2025-69332 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Subscriber Broken Access Control in Bookify <= 1.1.1 versions. |
| CVE-2026-48969 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions. |
| CVE-2025-64215 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 15, 2026 | Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16. |
| CVE-2026-11852 |  | Med | 0.42 | 6.5 | 0.00 |  | Jun 10, 2026 | Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The endpoints that create and delete relationships between artifacts enforced no permissions checks beyond being able to see… |
| CVE-2026-47346 |  | Hig | 0.42 | — | 0.00 |  | Jun 9, 2026 | Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements,… |
| CVE-2026-11607 |  | Hig | 0.42 | — | 0.00 |  | Jun 9, 2026 | Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements,… |