VYPR

CWE-862

Missing Authorization

Abstraction: Class | Status: Incomplete | Likelihood of Exploit: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 53 of 278
  • CVE-2026-4029 (High) May 14, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized database export in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check. This makes it possible for…

  • CVE-2026-28380 (Medium) May 13, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Any Editor could delete any snapshot, even if they have no access to read or write them.

  • CVE-2026-31244 (Medium) May 12, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories/{memory_id}). The endpoint allows unauthenticated users to delete arbitrary memory records without verifying their identity or permissions. A remote…

  • CVE-2026-31243 (Medium) May 12, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the…

  • CVE-2026-31241 (Medium) May 12, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the…

  • CVE-2026-42461 (High) May 9, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list…

  • CVE-2026-42137 (Medium) May 9, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.

  • CVE-2026-42069 (Medium) May 9, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

  • CVE-2026-6214 (Medium) May 7, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled…

  • CVE-2026-5753 (Medium) May 6, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user…

  • CVE-2026-33489 (High) May 5, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic…

  • CVE-2026-42228 (Medium) May 4, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution.…

  • CVE-2026-42412 (Medium) Apr 29, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 4.3.1.

  • CVE-2026-6706 (Medium) Apr 28, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through…

  • CVE-2026-41464 (Medium) Apr 27, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers…

  • CVE-2026-6834 (Medium) Apr 22, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    The a+HRD developed by aEnrich has a Missing Authorization vulnerability, allowing authenticated remote attackers to arbitrarily read database contents through a specific API method.

  • CVE-2026-40870 (High) Apr 21, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level `commentable` field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances…

  • CVE-2026-25058 (High) Apr 20, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without…

  • CVE-2026-40474 (High) Apr 17, 2026
    risk 0.42 | CVSS 7.6 | EPSS 0.00

    wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since…

  • CVE-2026-4666 (Medium) Apr 17, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action…