VYPR

CWE-863

Incorrect Authorization

Abstraction: Class. Status: Incomplete. Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 33 of 77
  • CVE-2025-15390 (Medium) Dec 31, 2025
    risk 0.41, cvss 6.3, epss 0.00

    A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploit has been released to the public and…

  • CVE-2025-11438 (Medium) Oct 8, 2025
    risk 0.41, cvss 6.3, epss 0.00

    A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed…

  • CVE-2025-23262 (Medium) Sep 4, 2025
    risk 0.41, cvss 6.3, epss 0.00

    NVIDIA ConnectX contains a vulnerability in the management interface, where an attacker with local access could cause incorrect authorization to modify the configuration. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges,…

  • CVE-2025-9602 (Medium) Aug 29, 2025
    risk 0.41, cvss 6.3, epss 0.00

    A vulnerability was found in Xinhu RockOA up to 2.6.9. Impacted is the function publicsaveAjax of the file /index.php. The manipulation results in improper authorization. The attack can be carried out remotely. The exploit has been made public and could be used.

  • CVE-2025-8807 (Medium) Aug 10, 2025
    risk 0.41, cvss 6.3, epss 0.00

    A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The attack can be initiated remotely. The…

  • CVE-2025-46569 (High) May 1, 2025
    risk 0.41, cvss, epss 0.00

    Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego…

  • CVE-2024-43954 (Medium) Aug 29, 2024
    risk 0.41, cvss 6.3, epss 0.00

    Incorrect Authorization vulnerability in Themeum Droip allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Droip: from n/a through 1.1.1.

  • CVE-2022-29946 (Medium) Jul 11, 2024
    risk 0.41, cvss 6.3, epss 0.00

    NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit…

  • CVE-2024-1677 (Medium) May 2, 2024
    risk 0.41, cvss 6.3, epss 0.01

    The Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to an improper capability check on 42 separate AJAX functions in all…

  • CVE-2024-27309 (High) Apr 12, 2024
    risk 0.41, cvss 7.4, epss 0.01

    While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL…

  • CVE-2023-40610 (Medium) Nov 27, 2023
    risk 0.41, cvss 6.3, epss 0.01

    Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially…

  • CVE-2020-7692 (High) Jul 9, 2020
    risk 0.41, cvss 7.4, epss 0.02

    PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that…

  • CVE-2018-1000152 (Medium) Apr 5, 2018
    risk 0.41, cvss 6.3, epss 0.01

    An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java,…

  • CVE-2016-9575 (Medium) Mar 13, 2018
    risk 0.41, cvss 6.3, epss 0.01

    Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates…

  • CVE-2017-6590 (Medium) Mar 9, 2017
    risk 0.41, cvss 6.3, epss 0.00

    An issue was discovered in network-manager-applet (aka network-manager-gnome) in Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10. A local attacker could use this issue at the default Ubuntu login screen to access local files and execute arbitrary commands as the lightdm user.…

  • CVE-2026-44567 (High) May 15, 2026
    risk 0.40, cvss 7.3, epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the…

  • CVE-2026-44380 (High) May 13, 2026
    risk 0.40, cvss 7.2, epss 0.00

    MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site…

  • CVE-2026-41380 (High) Apr 28, 2026
    risk 0.40, cvss 7.3, epss 0.00

    OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targets. Attackers can exploit positional carrier executable routing through…

  • CVE-2026-35637 (High) Apr 9, 2026
    risk 0.40, cvss 7.3, epss 0.00

    OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cite work and content handling prior to final auth decisions. Attackers can exploit this timing vulnerability to access or manipulate content before proper…

  • CVE-2025-2515 (High) Dec 24, 2025
    risk 0.40, cvss 7.2, epss 0.00

    A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege…