VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood of Exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
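
The definition above is the subtle half of authorization failures: a check does run, it just tests the wrong property. The added example below (not from this page or from any of the listed projects; every name and record in it is constructed) shows the most common shape, modelled on the pattern several entries in the list describe: a handler that confirms the caller belongs to some group but never confirms that group owns the object being modified, beside the corrected handler that binds the check to the object.

```python
"""Added example (not from the page or any listed project): CWE-863 as an
authorization check that executes but tests the wrong property.

The vulnerable handler only confirms the caller belongs to *some* group; the
fixed handler confirms the caller's group actually owns the record being
modified. All names and data below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


@dataclass
class Check:
    check_id: int
    owner_group: str
    target: str


# Constructed sample data: two tenants, each owning one monitoring check.
CHECKS = {
    1: Check(1, "tenant-a", "https://a.example/health"),
    2: Check(2, "tenant-b", "https://b.example/health"),
}


class Forbidden(Exception):
    pass


def update_check_vulnerable(user: User, check_id: int, new_target: str) -> Check:
    """CWE-863: the 'authorization' only asks whether the caller has any group
    at all, so a member of tenant-a can rewrite tenant-b's check."""
    if not user.groups:
        raise Forbidden("no group membership")
    check = CHECKS[check_id]
    check.target = new_target
    return check


def update_check_fixed(user: User, check_id: int, new_target: str) -> Check:
    """Correct check: the caller must belong to the group that owns the object.
    Look the object up first, compare it to the caller, and only then mutate."""
    check = CHECKS.get(check_id)
    if check is None or check.owner_group not in user.groups:
        # Same response for 'missing' and 'not yours' so IDs cannot be enumerated.
        raise Forbidden("check not found")
    check.target = new_target
    return check


def demo() -> dict:
    """Run both handlers as a tenant-a user against tenant-b's check and report
    what each one allowed."""
    attacker = User("mallory", {"tenant-a"})
    results = {}
    CHECKS[2].target = "https://b.example/health"
    results["vulnerable"] = update_check_vulnerable(attacker, 2, "https://evil.example/").target
    CHECKS[2].target = "https://b.example/health"
    try:
        update_check_fixed(attacker, 2, "https://evil.example/")
        results["fixed"] = "allowed"
    except Forbidden:
        results["fixed"] = "denied"
    results["fixed_target"] = CHECKS[2].target
    return results


if __name__ == "__main__":
    print(demo())
```

The fixed handler fetches the object before deciding, compares an attribute of that object against the caller, and returns the same error for "does not exist" and "not yours"; that ordering (look up, then compare, then act) is what the vulnerable version is missing.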

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 3 of 77
  • CVE-2025-48757 | Critical | May 30, 2025
    risk 0.60 | cvss 9.3 | epss 0.01

    An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. NOTE: this is disputed by the Supplier because each individual customer of the Lovable…

  • CVE-2024-48548 | Critical | Oct 24, 2024
    risk 0.60 | cvss 9.3 | epss 0.00

    The APK file in Cloud Smart Lock v2.0.1 has leaked a URL that can call an API for binding physical devices. This vulnerability allows attackers to arbitrarily construct a request to use the app to bind to unknown devices by finding a valid serial number via a bruteforce attack.

  • CVE-2026-45550 | Critical | Jun 10, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which validates that the caller has some group,…

  • CVE-2026-41248 | Critical | Apr 24, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This…

  • CVE-2026-22806 | Critical | Jan 29, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access resources outside of it.…

  • CVE-2025-30171 | Critical | May 22, 2025
    risk 0.59 | cvss 9.0 | epss 0.00

    System File Deletion vulnerabilities in ASPECT provide attackers access to delete system files if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.

  • CVE-2024-38392 | Critical | Apr 2, 2025
    risk 0.59 | cvss 9.1 | epss 0.00

    Pexip Infinity Connect before 1.13.0 lacks sufficient authenticity checks during the loading of resources, and thus remote attackers can cause the application to run untrusted code.

  • CVE-2024-54530 | Critical | Jan 27, 2025
    risk 0.59 | cvss 9.1 | epss 0.01

    The issue was addressed with improved checks. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, visionOS 2.2, watchOS 11.2. Password autofill may fill in passwords after failing authentication.

  • CVE-2024-54512 | Critical | Jan 27, 2025
    risk 0.59 | cvss 9.1 | epss 0.00

    The issue was addressed by removing the relevant flags. This issue is fixed in iOS 18.2 and iPadOS 18.2, watchOS 11.2. A system binary could be used to fingerprint a user's Apple Account.

  • CVE-2024-54662 | Critical | Dec 17, 2024
    risk 0.59 | cvss 9.1 | epss 0.01

    Dante 1.4.0 through 1.4.3 (fixed in 1.4.4) has incorrect access control for some sockd.conf configurations involving socksmethod.

  • CVE-2024-52732 | Critical | Dec 2, 2024
    risk 0.59 | cvss 9.1 | epss 0.00

    Incorrect access control in wms-Warehouse management system-zeqp v2.20.9.1 due to the token value of the zeqp system being reused.

  • CVE-2024-48772 | Critical | Oct 11, 2024
    risk 0.59 | cvss 9.1 | epss 0.01

    An issue in C-CHIP (com.cchip.cchipamaota) v.1.2.8 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48787 | Critical | Oct 11, 2024
    risk 0.59 | cvss 9.1 | epss 0.00

    An issue in Revic Optics Revic Ops (us.revic.revicops) 1.12.5 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48786 | Critical | Oct 11, 2024
    risk 0.59 | cvss 9.1 | epss 0.00

    An issue in SWITCHBOT INC SwitchBot (com.theswitchbot.switchbot) 5.0.4 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48778 | Critical | Oct 11, 2024
    risk 0.59 | cvss 9.1 | epss 0.01

    An issue in GIANT MANUFACTURING CO., LTD RideLink (tw.giant.ridelink) 2.0.7 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-48769 | Critical | Oct 11, 2024
    risk 0.59 | cvss 9.1 | epss 0.01

    An issue in BURG-WÄCHTER KG de.burgwachter.keyapp.app 4.5.0 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2024-41110 | Critical | Jul 24, 2024
    risk 0.59 | cvss 9.9 | epss 0.17

    Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base…

  • CVE-2018-1245 | Critical | Jul 13, 2018
    risk 0.59 | cvss 9.0 | epss 0.03

    RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains an authorization bypass vulnerability within the workflow architect component (ACM). A remote authenticated malicious user with non-admin privileges could potentially bypass the Java Security…

  • CVE-2018-7245 | Critical | Apr 18, 2018
    risk 0.59 | cvss 9.1 | epss 0.01

    An improper authorization vulnerability exists In Schneider Electric's 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. The integrated web server (Port 80/443/TCP) of the affected devices could allow a remote attacker to change UPS control and…

  • CVE-2026-46595 | Critical | May 22, 2026
    risk 0.58 | cvss 10.0 | epss 0.00

    Previously, CVE-2024-45337 fixed an authorization bypass for misused SSH server configurations; if any callback type other than public key is passed, the source-address validation is skipped.
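
The last entry illustrates a second shape of CWE-863 that the ownership example above does not cover: a restriction that is implemented correctly but only on one authentication path, so any other path reaches the same success state without it. The added example below (not from this page, from Go's SSH library, or from any listed project; the policy, accounts and addresses are constructed) shows a per-account source-address allow-list enforced only inside the public-key branch, beside a version that applies it once, after credential verification, on every path.

```python
"""Added example (not from the page or any listed project): CWE-863 where an
allow-list (permitted source addresses) is enforced on one authentication
path and silently skipped on the others.

Names, keys, passwords and addresses are constructed for illustration.
"""
import hmac
import ipaddress

# Constructed policy: each account may only log in from listed networks,
# regardless of which method it authenticates with.
ACCOUNTS = {
    "deploy": {
        "pubkeys": {"ssh-ed25519 AAAA...deploy"},
        "password": "hunter2",
        "source_networks": ["10.0.0.0/8"],
    },
}


def _source_allowed(account: dict, addr: str) -> bool:
    """True if the client address falls inside one of the account's networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in account["source_networks"])


def authenticate_vulnerable(user: str, method: str, credential: str, addr: str) -> bool:
    """The source-address check lives inside the public-key branch only, so a
    password login from an unapproved address succeeds."""
    account = ACCOUNTS.get(user)
    if account is None:
        return False
    if method == "publickey":
        if credential not in account["pubkeys"]:
            return False
        return _source_allowed(account, addr)
    if method == "password":
        return hmac.compare_digest(credential, account["password"])
    return False


def authenticate_fixed(user: str, method: str, credential: str, addr: str) -> bool:
    """Verify the credential per method, then apply the source restriction once,
    on every path, before returning success. Unknown methods never succeed."""
    account = ACCOUNTS.get(user)
    if account is None:
        return False
    if method == "publickey":
        credential_ok = credential in account["pubkeys"]
    elif method == "password":
        credential_ok = hmac.compare_digest(credential, account["password"])
    else:
        credential_ok = False
    return credential_ok and _source_allowed(account, addr)


if __name__ == "__main__":
    # Valid password from an address outside 10.0.0.0/8.
    print("vulnerable:", authenticate_vulnerable("deploy", "password", "hunter2", "203.0.113.9"))
    print("fixed:     ", authenticate_fixed("deploy", "password", "hunter2", "203.0.113.9"))
```

The structural fix is that the restriction is evaluated in exactly one place, after all branches converge, so adding a new authentication method later cannot reintroduce the gap.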