VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood of Exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 10 of 77
  • CVE-2021-21389 | High | Mar 26, 2021
    risk 0.54 | cvss 8.1 | epss 0.14

    BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability…

  • CVE-2017-4915 | High | May 22, 2017
    risk 0.54 | cvss 7.8 | epss 0.05

    VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.

  • CVE-2026-53738 | High | Jun 10, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks.

  • CVE-2026-24724 | High | Jun 10, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File…

  • CVE-2026-8046 | High | May 26, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges.

  • CVE-2026-44553 | High | May 15, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked…

  • CVE-2026-44633 | High | May 14, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object…

  • CVE-2026-44260 | High | May 12, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no…

  • CVE-2026-26289 | High | May 12, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.

  • CVE-2026-42349 | High | May 11, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when…

  • CVE-2025-40897 | High | Apr 15, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality…

  • CVE-2026-23925 | High | Mar 6, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit…

  • CVE-2026-21721 | High | Jan 27, 2026
    risk 0.53 | cvss 8.1 | epss 0.01

    The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an…

  • CVE-2025-43922 | High | Apr 21, 2025
    risk 0.53 | cvss 8.1 | epss 0.00

    The FileWave Windows client before 16.0.0, in some non-default configurations, allows an unprivileged local user to escalate privileges to SYSTEM.

  • CVE-2025-43917 | High | Apr 19, 2025
    risk 0.53 | cvss 8.2 | epss 0.00

    In Pritunl Client before 1.3.4220.57, an administrator with access to /Applications can escalate privileges after uninstalling the product. Specifically, an administrator can insert a new file at the pathname of the removed pritunl-service file. This file then is executed by a…

  • CVE-2025-29997 | High | Mar 13, 2025
    risk 0.53 | cvss n/a | epss 0.00

    This vulnerability exists in the CAP back office application due to improper authorization checks on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating API request URL to gain unauthorized access to other user accounts.

  • CVE-2023-51405 | High | Apr 24, 2024
    risk 0.53 | cvss 8.2 | epss 0.01

    Improper Authentication vulnerability in Repute Infosystems BookingPress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects BookingPress: from n/a through 1.0.74.

  • CVE-2023-4853 | High | Sep 20, 2023
    risk 0.53 | cvss 8.1 | epss 0.01

    A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting…

  • CVE-2023-37579 | High | Jul 12, 2023
    risk 0.53 | cvss 8.2 | epss 0.01

    Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many…

  • CVE-2023-30428 | High | Jul 12, 2023
    risk 0.53 | cvss 8.2 | epss 0.01

    Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Broker's Rest Producer allows authenticated user with a custom HTTP header to produce a message to any topic using the broker's admin role. This issue affects Apache Pulsar Brokers: from 2.9.0…