VYPR

CWE-863

Incorrect Authorization

Class · Incomplete · Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 27 of 77
  • CVE-2025-9973 · Med · May 11, 2026
    risk 0.42 · cvss 6.4 · epss 0.00

    Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within…

  • CVE-2025-15633 · Med · May 9, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate…

  • CVE-2026-42137 · Med · May 9, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.

  • CVE-2025-66170 · Med · May 8, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    The CloudStack Backup plugin has improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments where this plugin is enabled, and who has access to specific APIs, can list backups from any account…

  • CVE-2026-33489 · High · May 5, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic…

  • CVE-2026-43504 · Med · May 1, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in a paused scenario, relaying of unauthenticated traffic can occur.

  • CVE-2025-13480 · Med · Apr 20, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low-privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of the system configuration settings. This…

  • CVE-2026-32228 · High · Apr 18, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    A UI / API user with the asset materialize permission could trigger DAGs they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue.

  • CVE-2026-40515 · High · Apr 17, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    OpenHarness before commit bd4df81 contains a permission bypass vulnerability that allows attackers to read sensitive files by exploiting incomplete path normalization in the permission checker. Attackers can invoke the built-in grep and glob tools with sensitive root…

  • CVE-2026-35464 · High · Apr 7, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path…

  • CVE-2026-5574 · Med · Apr 5, 2026
    risk 0.42 · cvss 6.5 · epss 0.01

    A security vulnerability has been detected in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. Affected is the function deletefile of the component FsBrowseClean. The manipulation of the argument dir/path leads to missing authorization. The attack may be initiated remotely. The…

  • CVE-2026-34376 · High · Apr 1, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    PdfDing is a self-hosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.0, an access-control vulnerability allows unauthenticated users to retrieve password-protected shared PDFs by directly calling the file-serving…

  • CVE-2026-34453 · High · Mar 31, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling…

  • CVE-2026-24029 · Med · Mar 31, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    When the early_acl_drop (earlyACLDrop in Lua) option is disabled (the default is enabled) on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.

  • CVE-2026-32597 · High · Mar 13, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token…

  • CVE-2026-1471 · Med · Mar 11, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the context of the first user who authenticated after restart. The issue is limited to certain non-default configurations of SSO (UserInfo…

  • CVE-2026-29087 · High · Mar 6, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static…

  • CVE-2026-1999 · Med · Feb 18, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests.…

  • CVE-2026-25729 · Med · Feb 6, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information…

  • CVE-2026-1514 · Med · Jan 28, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Official Document Management System developed by 2100 Technology has an Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official documents.