CWE-863

Incorrect Authorization

Abstraction: Class · Status: Incomplete · Likelihood of exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

CVEs mapped to this weakness (1,530), page 1 of 77

  • CVE-2010-2965 (Critical, Aug 5, 2010)
    risk 0.68, CVSS 9.8, EPSS 0.58

    The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls,…

  • CVE-2024-6782 (Critical, Aug 6, 2024)
    risk 0.67, CVSS 9.8, EPSS 0.83

    Improper access control in Calibre 6.9.0 ~ 7.14.0 allows unauthenticated attackers to achieve remote code execution.

  • CVE-2026-48303 (Critical, Jun 9, 2026)
    risk 0.65, CVSS 10.0, EPSS 0.01

    Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is…

  • CVE-2026-44330 (Critical, May 27, 2026)
    risk 0.65, CVSS 10.0, EPSS 0.00

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token…

  • CVE-2026-42160 (Critical, May 8, 2026)
    risk 0.65, CVSS n/a, EPSS 0.00

    Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization…

  • CVE-2026-33105 (Critical, Apr 3, 2026)
    risk 0.65, CVSS 10.0, EPSS 0.01

    Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2026-32213 (Critical, Apr 3, 2026)
    risk 0.65, CVSS 10.0, EPSS 0.01

    Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2025-49825 (Critical, Jun 17, 2025)
    risk 0.65, CVSS 9.8, EPSS 0.08

    Teleport provides connectivity, authentication, access controls and audit for infrastructure. Community Edition versions before and including 17.5.1 are vulnerable to remote authentication bypass. At time of posting, there is no available open-source patch.

  • CVE-2023-4617 (Critical, Dec 19, 2024)
    risk 0.65, CVSS 10.0, EPSS 0.01

    Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affects Govee Home applications on Android…

  • CVE-2026-45552 (Critical, Jun 10, 2026)
    risk 0.64, CVSS 9.9, EPSS 0.00

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The individual endpoints install_exporter,…

  • CVE-2026-41283 (Critical, Jun 4, 2026)
    risk 0.64, CVSS 9.9, EPSS 0.01

    OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials.

  • CVE-2026-3660 (Critical, May 26, 2026)
    risk 0.64, CVSS 9.8, EPSS 0.01

    IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application.

  • CVE-2026-43999 (Critical, May 13, 2026)
    risk 0.64, CVSS 9.9, EPSS 0.01

    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host…

  • CVE-2026-43948 (Critical, May 12, 2026)
    risk 0.64, CVSS 9.9, EPSS 0.00

    wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the…

  • CVE-2026-1524 (Critical, Mar 11, 2026)
    risk 0.64, CVSS 9.8, EPSS 0.00

    An edge case in the SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization…

  • CVE-2020-36948 (Critical, Jan 27, 2026)
    risk 0.64, CVSS 9.8, EPSS 0.01

    VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper…

  • CVE-2019-25237 (Critical, Dec 24, 2025)
    risk 0.64, CVSS 9.8, EPSS 0.00

    V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a crafted HTTP POST request to the user management endpoint with 'user_role_mod'…

  • CVE-2025-24233 (Critical, Mar 31, 2025)
    risk 0.64, CVSS 9.8, EPSS 0.01

    A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A malicious app may be able to read or write to protected files.

  • CVE-2024-31695 (Critical, Nov 14, 2024)
    risk 0.64, CVSS 9.8, EPSS 0.01

    A misconfiguration in the fingerprint authentication mechanism of Binance: BTC, Crypto and NFTS v2.85.4, allows attackers to bypass authentication when adding a new fingerprint.

  • CVE-2024-48784 (Critical, Oct 11, 2024)
    risk 0.64, CVSS 9.8, EPSS 0.01

    An Incorrect Access Control issue in SAMPMAX com.sampmax.homemax 2.1.2.7 allows a remote attacker to obtain sensitive information via the firmware update process.