VYPR

CWE-862

Missing Authorization

Class | Incomplete | Likelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 9 of 278
  • CVE-2026-40543 | High | Jun 1, 2026
    risk 0.57 | cvss - | epss 0.00

    SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which…

  • CVE-2026-45625 | Critical | May 29, 2026
    risk 0.57 | cvss 9.9 | epss 0.00

    Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their…

  • CVE-2026-7802 | High | May 28, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated…

  • CVE-2026-46414 | High | May 27, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but…

  • CVE-2026-46425 | Critical | May 27, 2026
    risk 0.57 | cvss 9.9 | epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context).…

  • CVE-2026-3294 | High | May 22, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to…

  • CVE-2026-41315 | Critical | May 14, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in…

  • CVE-2026-6506 | High | May 14, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys…

  • CVE-2026-44442 | Critical | May 13, 2026
    risk 0.57 | cvss 9.9 | epss 0.00

    ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 16.9.1.

  • CVE-2026-43575 | Critical | May 6, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized…

  • CVE-2026-5294 | Critical | May 5, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips…

  • CVE-2026-42809 | Critical | May 4, 2026
    risk 0.57 | cvss 9.9 | epss 0.00

    Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but…

  • CVE-2026-6963 | High | May 2, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access…

  • CVE-2026-3614 | High | Apr 16, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with…

  • CVE-2026-40189 | Critical | Apr 10, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated…

  • CVE-2026-33785 | High | Apr 9, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices. Any user logged in, without requiring…

  • CVE-2026-35063 | High | Apr 9, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    The OpenPLC_V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID, or they can create new accounts with role=admin, escalating to full…

  • CVE-2026-4326 | High | Apr 9, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the…

  • CVE-2026-33229 | Critical | Apr 8, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g.,…

  • CVE-2026-39355 | Critical | Apr 7, 2026
    risk 0.57 | cvss 9.9 | epss 0.00

    Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other…