VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 38 of 77
  • CVE-2026-35627 | Med | Apr 9, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of…

  • CVE-2026-40071 | Med | Apr 9, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated…

  • CVE-2025-68153 | Med | Apr 3, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or…

  • CVE-2026-34586 | Med | Mar 31, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    PdfDing is a self-hosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence — it does not check SharedPdf.inactive (expiration / max views) or…

  • CVE-2026-33576 | Med | Mar 31, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected.

  • CVE-2025-14559 | Med | Jan 21, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange…

  • CVE-2025-14016 | Med | Dec 4, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can be executed remotely. The exploit has…

  • CVE-2025-20381 | Med | Dec 3, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    In Splunk MCP Server app versions below 0.2.4, a user with access to the "run_splunk_query" Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unauthorized actions beyond the intended MCP…

  • CVE-2025-13468 | Med | Nov 20, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    A weakness has been identified in SourceCodester Alumni Management System 1.0. This issue affects the function delete_forum/delete_career/delete_comment/delete_gallery/delete_event of the file admin/admin_class.php of the component Delete Handler. Executing manipulation of the…

  • CVE-2025-7374 | Med | Oct 10, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers,…

  • CVE-2025-10696 | Med | Oct 3, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who…

  • CVE-2025-9376 | Med | Aug 28, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbots_check_wordpress_logged_in_cookie' function in all versions up to, and…

  • CVE-2025-8796 | Med | Aug 10, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/delete_project/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing…

  • CVE-2024-10306 | Med | Apr 23, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    A vulnerability was found in mod_proxy_cluster. The issue is that the directive should be replaced by the directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host…

  • CVE-2025-32068 | Med | Apr 11, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Incorrect Authorization vulnerability in The Wikimedia Foundation Mediawiki - OAuth Extension allows Authentication Bypass. This issue affects Mediawiki - OAuth Extension: from 1.39 through 1.43.

  • CVE-2024-51417 | Med | Jan 21, 2025
    risk 0.35 | cvss 6.4 | epss 0.00

    An issue in System.Linq.Dynamic.Core before 1.6.0 allows remote access to properties on reflection types and static properties/fields.

  • CVE-2025-0237 | Med | Jan 7, 2025
    risk 0.35 | cvss 5.4 | epss 0.01

    The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability was fixed in Firefox 134, Firefox ESR…

  • CVE-2024-49256 | Med | Nov 1, 2024
    risk 0.35 | cvss 5.4 | epss 0.00

    Incorrect Authorization vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Htaccess File Editor: from n/a through <= 1.0.18.

  • CVE-2024-50419 | Med | Oct 30, 2024
    risk 0.35 | cvss 5.4 | epss 0.00

    Incorrect Authorization vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Greenshift: from n/a through <= 9.7.

  • CVE-2024-9825 | Med | Oct 28, 2024
    risk 0.35 | cvss 5.4 | epss 0.00

    The Chef Habitat builder-api on-prem-builder package with any version lower than habitat/builder-api/10315/20240913162802 is vulnerable to insecure direct object reference (IDOR) by unauthorized deletion of a personal token. Habitat builder consumes the builder-api habitat package as a…