VYPR

CWE-862

Missing Authorization

Class | Incomplete | Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

  • CVE-2025-52766 | Medium | Jun 2, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Missing Authorization vulnerability in Printeers Printeers Print & Ship allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Printeers Print & Ship: from n/a through 1.17.0.

  • CVE-2026-49385 | Medium | May 29, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts

  • CVE-2026-48151 | High | May 27, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller…

  • CVE-2026-44321 | High | May 27, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly…

  • CVE-2026-42726 | Medium | May 27, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AWP Classifieds: from n/a through <= 4.4.5.

  • CVE-2026-3897 | Medium | May 27, 2026
    risk 0.42 | cvss 6.4 | epss 0.00

    The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `labb_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler…

  • CVE-2026-3896 | Medium | May 27, 2026
    risk 0.42 | cvss 6.4 | epss 0.00

    The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies…

  • CVE-2026-3895 | Medium | May 27, 2026
    risk 0.42 | cvss 6.4 | epss 0.00

    The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX…

  • CVE-2026-3279 | Medium | May 27, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce…

  • CVE-2026-9603 | Medium | May 26, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument ID leads to missing authorization. Remote exploitation of the attack is possible.…

  • CVE-2026-4795 | Medium | May 26, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    A missing authorization vulnerability in Zyxel GS1200-5v3 firmware versions through 1.00(ACPS.2)C0, GS1200-8v3 firmware versions through 1.00(ACPT.2)C0, GS1200-5HPv3 firmware versions through 1.00(ACPU.2)C0, GS1200-8HPv3 firmware versions through 1.00(ACPV.2)C0, and…

  • CVE-2026-42763 | Medium | May 25, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Missing Authorization vulnerability in SePay team SePay Gateway allows Retrieve Embedded Sensitive Data. This issue affects SePay Gateway: from n/a through 1.1.20.

  • CVE-2026-39593 | Medium | May 21, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.10.

  • CVE-2026-21836 | Medium | May 20, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view…

  • CVE-2026-27405 | Medium | May 20, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9.

  • CVE-2026-34233 | Medium | May 19, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to…

  • CVE-2026-47100 | High | May 19, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting.…

  • CVE-2026-3117 | Medium | May 18, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the {{gitlab instance {option}}} or the {{/gitlab…

  • CVE-2026-44555 | High | May 15, 2026
    risk 0.42 | cvss 7.6 | epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, Open WebUI supports model composition via base_model_id: a user-defined model (e.g., "Cheap Assistant") can reference an existing base model (e.g.,…

  • CVE-2026-4031 | High | May 14, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wp_db_temp_dir parameter, which controls where database backups are written. This…