VYPR

CWE-863

Incorrect Authorization

Class · Incomplete · Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 44 of 77
  • CVE-2026-34600 · Med · May 19, 2026
    risk 0.30 · cvss 5.7 · epss 0.00

    Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully…

  • CVE-2026-21789 · Med · May 18, 2026
    risk 0.30 · cvss 4.6 · epss 0.00

    HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios.

  • CVE-2026-35655 · Med · Apr 10, 2026
    risk 0.30 · cvss 5.7 · epss 0.00

    OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP permission resolution that trusts conflicting tool identity hints from rawInput and metadata. Attackers can spoof tool identities through rawInput parameters to suppress dangerous-tool prompting and…

  • CVE-2025-11060 · Med · Sep 26, 2025
    risk 0.30 · cvss 5.7 · epss 0.00

    A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or…

  • CVE-2025-1417 · Med · May 21, 2025
    risk 0.30 · cvss (not given) · epss 0.00

    In Proget MDM, a low-privileged user can access information about changes contained in backups of all devices managed by the MDM (Mobile Device Management). This information includes user ids, email addresses, first names, last names and device UUIDs. The last one can be used for…

  • CVE-2024-44137 · Med · Oct 28, 2024
    risk 0.30 · cvss 4.6 · epss 0.00

    The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An attacker with physical access may be able to share items from the lock screen.

  • CVE-2023-38503 · Med · Jul 25, 2023
    risk 0.30 · cvss 5.7 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in…

  • CVE-2026-35370 · Med · Apr 22, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and…

  • CVE-2026-5383 · Med · Apr 7, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This…

  • CVE-2025-43336 · Med · Nov 4, 2025
    risk 0.29 · cvss 4.4 · epss 0.00

    A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app with root privileges may be able to access private information.

  • CVE-2025-54569 · Med · Jul 28, 2025
    risk 0.29 · cvss 4.5 · epss 0.00

    In Malwarebytes Binisoft Windows Firewall Control before 6.16.0.0, the installer is vulnerable to local privilege escalation.

  • CVE-2024-2473 · Med · Jun 11, 2024
    risk 0.29 · cvss 5.3 · epss 0.01

    The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible for attackers to easily discover any…

  • CVE-2022-0762 · Med · Feb 26, 2022
    risk 0.29 · cvss 5.5 · epss 0.01

    Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3.

  • CVE-2021-21411 · Med · Mar 26, 2021
    risk 0.29 · cvss 5.5 · epss 0.01

    OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, Github or other providers. The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization…

  • CVE-2018-5520 · Med · May 2, 2018
    risk 0.29 · cvss 4.4 · epss 0.01

    On an F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.1, or 11.2.1-11.6.3.1 system configured in Appliance mode, the TMOS Shell (tmsh) may allow an administrative user to use the dig utility to gain unauthorized access to file system resources.

  • CVE-2026-44169 · Med · Jun 12, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    MariaDB server is a community developed fork of MySQL server. From versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user getting EXECUTE access to a stored routine via a role, could see the routine definition even without SHOW CREATE ROUTINE privilege.…

  • CVE-2026-6277 · Med · Jun 11, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with Security Manager-role permissions to manage project security…

  • CVE-2026-45563 · Med · Jun 10, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history//<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user…

  • CVE-2026-10616 · Med · Jun 2, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A weakness has been identified in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function TeamTasksTool.executeComplete of the file internal/tools/team_tasks_lifecycle.go of the component Team Task Completion Handler. Executing a manipulation can lead to…

  • CVE-2026-9048 · Med · Jun 2, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data…