VYPR

CWE-862

Missing Authorization

Abstraction: Class
Status: Incomplete
Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 6 of 278
  • CVE-2026-44592 (Critical), May 14, 2026
    risk 0.61, cvss 9.4, epss 0.00

    Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto can register as a worker without any credentials by sending a fresh, never-registered worker UUID. The…

  • CVE-2025-68018 (Critical), Jan 22, 2026
    risk 0.61, cvss 9.4, epss 0.00

    Missing Authorization vulnerability in StackWC Order Listener for WooCommerce woc-order-alert allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Listener for WooCommerce: from n/a through <= 3.6.1.

  • CVE-2024-54369 (Critical), Dec 16, 2024
    risk 0.61, cvss 9.1, epss 0.02

    Missing Authorization vulnerability in ThemeHunk Zita Site Builder ai-site-builder allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Zita Site Builder: from n/a through <= 1.0.2.

  • CVE-2024-10673 (High), Nov 9, 2024
    risk 0.61, cvss 8.8, epss 0.01

    The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function in all versions up to, and including, 1.5.4. This makes it possible for authenticated…

  • CVE-2022-0492 (High, KEV), Mar 3, 2022
    risk 0.61, cvss 7.8, epss 0.06

    A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation…

  • CVE-2026-44125 (Critical), May 8, 2026
    risk 0.60, cvss not listed, epss 0.00

    SEPPmail Secure Email Gateway before version 15.0.4 fails to enforce authorization checks for multiple endpoints in the new GINA UI, allowing unauthenticated remote attackers to access functionality that should require a valid session.

  • CVE-2026-5387 (Critical), Apr 15, 2026
    risk 0.60, cvss not listed, epss 0.00

    The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations intended only for Simulator Instructor or Simulator Developer (Administrator) roles, resulting in privilege escalation with potential for modification of simulation parameters,…

  • CVE-2025-2407 (Critical), May 27, 2025
    risk 0.60, cvss not listed, epss 0.00

    Missing Authentication & Authorization in Web-API in Mobatime AMX MTAPI v6 on IIS allows adversaries unrestricted access via the network. The vulnerability is fixed in Version 1.5.

  • CVE-2024-8074 (Critical), Nov 12, 2024
    risk 0.60, cvss not listed, epss 0.00

    Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users. This issue affects Nomysem: before 13.10.2024.

  • CVE-2024-10674 (High), Nov 9, 2024
    risk 0.60, cvss 8.8, epss 0.02

    The Th Shop Mania theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the th_shop_mania_install_and_activate_callback() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated…

  • CVE-2024-2882 (Critical), Jun 27, 2024
    risk 0.60, cvss not listed, epss 0.01

    SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.

  • CVE-2024-4351 (High), May 16, 2024
    risk 0.60, cvss 8.8, epss 0.01

    The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated…

  • CVE-2017-5180 (High), Feb 9, 2017
    risk 0.60, cvss 8.8, epss 0.01

    Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the…

  • CVE-2026-48881 (Critical), Jun 15, 2026
    risk 0.59, cvss 9.1, epss 0.00

    Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions.

  • CVE-2026-45550 (Critical), Jun 10, 2026
    risk 0.59, cvss 9.1, epss 0.00

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which validates that the caller has some group,…

  • CVE-2026-42682 (Critical), Jun 1, 2026
    risk 0.59, cvss 9.1, epss 0.00

    Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 3.0.6.

  • CVE-2026-47429 (Critical), Jun 1, 2026
    risk 0.59, cvss not listed, epss 0.00

    Summary: Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network. Impact: Only users that match either of the following conditions are affected: - explicitly exposes the Vitest UI server to the network (using…

  • CVE-2026-4290 (Critical), May 29, 2026
    risk 0.59, cvss 9.1, epss 0.00

    The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and…

  • CVE-2026-6512 (Critical), May 14, 2026
    risk 0.59, cvss 9.1, epss 0.00

    The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to…

  • CVE-2026-31242 (Critical), May 12, 2026
    risk 0.59, cvss 9.1, epss 0.00

    The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE…