VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood of Exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
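The distinction CWE-863 draws is between a check that is absent (CWE-862) and one that runs but answers the wrong question. The following added example (illustrative code written for this page, not from any product listed on it) shows the most common shape: a handler that fetches a record by a client-supplied id, performs a role check, and never compares the record to the caller. The `User`/`Profile` types, the role table, the action names and the sample records are all assumptions for the demonstration.

```python
"""CWE-863 in a profile lookup: the authorization check runs, but it only
asks whether the caller's role may perform the action in general, never
whether the caller may act on *this* record. Illustrative code."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # assumed roles: "customer" or "admin"


@dataclass(frozen=True)
class Profile:
    owner_id: int
    email: str
    phone: str


# Role -> permitted actions. Deny by default: an unknown role gets no actions.
ROLE_ACTIONS = {
    "customer": {"profile:read", "profile:update"},
    "admin": {"profile:read", "profile:update", "profile:delete"},
}

# Constructed sample data standing in for a database table.
PROFILES = {
    1: Profile(owner_id=1, email="alice@example.com", phone="+1-555-0100"),
    2: Profile(owner_id=2, email="bob@example.com", phone="+1-555-0101"),
}

Authorizer = Callable[[User, str, Profile], bool]


def authorize_incorrect(user: User, action: str, profile: Profile) -> bool:
    """The CWE-863 check: role-level only. `profile` is accepted but never
    consulted, so any customer can read any customer's profile."""
    return action in ROLE_ACTIONS.get(user.role, set())


def authorize_correct(user: User, action: str, profile: Profile) -> bool:
    """Role check followed by an object-level (ownership) check."""
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False
    if user.role == "admin":
        return True
    return profile.owner_id == user.user_id


def get_profile(current_user: User, profile_id: int,
                authorize: Authorizer) -> Tuple[int, Optional[Profile]]:
    """Handler for a request such as GET /user/info?id=<profile_id>.
    Returns an HTTP-style status and the record (only on 200).
    Note: answering 403 rather than 404 for a denied id confirms the id
    exists; many APIs deliberately return 404 for both cases."""
    profile = PROFILES.get(profile_id)
    if profile is None:
        return 404, None
    if not authorize(current_user, "profile:read", profile):
        return 403, None
    return 200, profile


def demo() -> Tuple[bool, bool]:
    """Bob (id 2) requests Alice's profile (id 1) through both authorizers.
    Returns (leaked with incorrect check, leaked with correct check)."""
    bob = User(user_id=2, role="customer")
    status_bad, _ = get_profile(bob, 1, authorize_incorrect)
    status_ok, _ = get_profile(bob, 1, authorize_correct)
    return status_bad == 200, status_ok == 200


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The fix is not "add more role checks"; it is making the check take the target resource as an input. A quick review heuristic that catches this pattern: any authorization function whose resource parameter is unused in its body.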

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 17 of 77
  • CVE-2026-41235 | High | Jun 4, 2026
    risk 0.49 | cvss not listed | epss 0.00

    Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when…

  • CVE-2026-34646 | High | May 12, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures…

  • CVE-2026-34645 | High | May 12, 2026
    risk 0.49 | cvss 7.5 | epss 0.01

    Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures…

  • CVE-2026-28873 | High | May 11, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4. An app may be able to circumvent App Privacy Report logging.

  • CVE-2026-4933 | High | Mar 26, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing. This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.

  • CVE-2026-3573 | High | Mar 26, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.

  • CVE-2025-65073 | High | Nov 17, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization.

  • CVE-2025-65002 | High | Nov 12, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    Fujitsu / Fsas Technologies iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters.

  • CVE-2025-48044 | High | Oct 17, 2025
    risk 0.49 | cvss not listed | epss 0.01

    Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/ash@3.6.3…

  • CVE-2025-48043 | High | Oct 10, 2025
    risk 0.49 | cvss not listed | epss 0.00

    Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/authorizer/authorizer.ex and program routines 'Elixir.Ash.Policy.Authorizer':strict_filters/2. This issue affects ash: from…

  • CVE-2024-58260 | High | Oct 2, 2025
    risk 0.49 | cvss 7.6 | epss 0.00

    A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts.

  • CVE-2025-41246 | High | Sep 29, 2025
    risk 0.49 | cvss 7.6 | epss 0.00

    VMware Tools for Windows contains an improper authorisation vulnerability due to the way it handles user access controls. A malicious actor with non-administrative privileges on a guest VM, who is already authenticated through vCenter or ESX may exploit this issue to access…

  • CVE-2025-24221 | High | Mar 31, 2025
    risk 0.49 | cvss 7.5 | epss 0.01

    This issue was addressed with improved data access restriction. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, visionOS 2.4. Sensitive keychain data may be accessible from an iOS backup.

  • CVE-2025-27822 | High | Mar 7, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    An issue was discovered in the Masquerade module before 1.x-1.0.1 for Backdrop CMS. It allows people to temporarily switch to another user account. The module provides a "Masquerade as admin" permission to restrict people (who can masquerade) from switching to an account with…

  • CVE-2024-50647 | High | Nov 15, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    The python_food ordering system V1.0 has an unauthorized vulnerability that leads to the leakage of sensitive user information. Attackers can access it through https://ip:port/api/myapp/index/user/info?id=1 And modify the ID value to obtain sensitive user information beyond…

  • CVE-2024-44289 | High | Oct 28, 2024
    risk 0.49 | cvss 7.5 | epss 0.01

    A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An app may be able to read sensitive location information.

  • CVE-2024-48792 | High | Oct 14, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    An issue in Hideez com.hideez 2.7.8.3 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-40530 | High | Aug 5, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    A vulnerability in Pantera CRM versions 401.152 and 402.072 allows unauthorized attackers to bypass IP-based access controls by manipulating the X-Forwarded-For header.

  • CVE-2024-28627 | High | Apr 23, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    An issue in Flipsnack v.18/03/2024 allows a local attacker to obtain sensitive information via the reader.gz.js file.

  • CVE-2023-22248 | High | Jun 15, 2023
    risk 0.49 | cvss 7.5 | epss 0.00

    Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to leak another user's data.…
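Several entries above share a second CWE-863 shape distinct from the object-level one: the check runs against an input the attacker controls. The Pantera CRM entry (an IP allowlist bypassed through `X-Forwarded-For`) is the clearest instance. The added example below is illustrative code written for this page, not Pantera CRM's or any other vendor's; the allowed network `10.0.0.0/8`, the trusted proxy address `192.0.2.10`, the header dictionary shape and the sample requests are all assumptions. It generalizes beyond the single-header case to a multi-hop `X-Forwarded-For` chain.

```python
"""IP-based access control that trusts X-Forwarded-For (CWE-863): the check
runs, but the address it checks is whatever the client wrote. Illustrative code."""
import ipaddress
from typing import Dict, Optional

# Assumed deployment: admin functions reachable only from the corporate range,
# and exactly one reverse proxy that is allowed to set X-Forwarded-For.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def _parse(text: str):
    """Parse an IP string; return None on garbage instead of raising."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip_incorrect(remote_addr: str, headers: Dict[str, str]):
    """The vulnerable resolver: honours X-Forwarded-For from any TCP peer.
    A direct client claims an internal address just by sending the header."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return _parse(xff.split(",")[0])
    return _parse(remote_addr)


def client_ip_correct(remote_addr: str, headers: Dict[str, str]):
    """Believe X-Forwarded-For only when the TCP peer is a trusted proxy,
    then take the rightmost hop that is not itself a trusted proxy: that is
    the address the proxy observed. Everything further left was supplied by
    the client and is untrusted. Fail closed on a missing or malformed chain."""
    peer = _parse(remote_addr)
    if peer is None or peer not in TRUSTED_PROXIES:
        return peer  # direct connection: the socket address is authoritative
    hops = [h for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            return None  # malformed header: deny rather than guess
        if ip not in TRUSTED_PROXIES:
            return ip
    return None  # proxy connected with no client behind it: deny


def is_allowed(ip) -> bool:
    """Deny-by-default membership test against the allowlist."""
    return ip is not None and any(ip in net for net in ALLOWED_NETWORKS)


def admin_allowed(remote_addr: str, headers: Dict[str, str],
                  resolver=client_ip_correct) -> bool:
    """The access decision, parameterised by which resolver is in use."""
    return is_allowed(resolver(remote_addr, headers))


if __name__ == "__main__":
    # Constructed request: an Internet client forging the header directly.
    spoof = ("203.0.113.7", {"X-Forwarded-For": "10.0.0.5"})
    print("incorrect:", admin_allowed(*spoof, client_ip_incorrect))  # True
    print("correct:  ", admin_allowed(*spoof, client_ip_correct))    # False
```

Two details matter in the hardened version. First, the trust decision is keyed on the socket peer, which the attacker cannot forge, rather than on header content. Second, when the peer is a trusted proxy, the resolver walks the chain from the right, because a proxy appends the address it saw; a spoofed leftmost entry such as `10.0.0.5, <real client>` is therefore ignored. If your deployment has more than one proxy layer, every layer's address belongs in the trusted set.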