VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
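The distinction that matters for CWE-863 is that a check does run, it just does not decide the right question. The following example is added here to illustrate two ways that happens; it is not code from any product listed on this page. The first pair mirrors the pattern in the CVE-2026-28474 summary below (an allowlist compared against a user-editable display name instead of a stable identifier); the second mirrors the CVE-2024-41617 summary (a guard that redirects but does not stop execution). The `Actor` model, `ROOM_ALLOWLIST`, and handler names are hypothetical.

```python
"""Added illustration of CWE-863 (Incorrect Authorization).

Not code from any vendor on this page. Data model and names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    actor_id: str      # assigned by the server at account creation; user cannot change it
    display_name: str  # freely editable by the user in their profile


# Constructed sample: the operator intends to admit exactly these two accounts.
# Entries are account identifiers, not display names.
ROOM_ALLOWLIST = {"alice", "bob"}


# Pattern 1: check performed against a mutable, attacker-controlled attribute.
def is_allowed_by_name(actor: Actor, allowlist: set[str]) -> bool:
    """Vulnerable: equality match on display_name, which the user can set to anything."""
    return actor.display_name in allowlist


def is_allowed_by_id(actor: Actor, allowlist: set[str]) -> bool:
    """Fixed: the decision is keyed on the server-assigned, immutable identifier."""
    return actor.actor_id in allowlist


# Pattern 2: check performed, failure noted, but the privileged path still executes.
# The returned list stands in for the sequence of effects a web handler would produce.
def handle_vulnerable(actor: Actor, allowlist: set[str]) -> list[str]:
    """Vulnerable: the guard emits a redirect and then falls through to the protected action."""
    effects: list[str] = []
    if not is_allowed_by_id(actor, allowlist):
        effects.append("redirect:/login")
        # Missing early return here; the handler keeps going for an unauthorized actor.
    effects.append("serve:room-history")
    return effects


def handle_fixed(actor: Actor, allowlist: set[str]) -> list[str]:
    """Fixed: a failed check terminates the request before any protected action runs."""
    if not is_allowed_by_id(actor, allowlist):
        return ["redirect:/login"]
    return ["serve:room-history"]


def demo() -> dict[str, object]:
    """Run an attacker who renamed their profile to 'alice' through both variants of each check."""
    attacker = Actor(actor_id="mallory", display_name="alice")
    legit = Actor(actor_id="alice", display_name="Alice (away)")
    return {
        "name_check_lets_attacker_in": is_allowed_by_name(attacker, ROOM_ALLOWLIST),
        "id_check_lets_attacker_in": is_allowed_by_id(attacker, ROOM_ALLOWLIST),
        "id_check_admits_legit_user": is_allowed_by_id(legit, ROOM_ALLOWLIST),
        "vulnerable_handler_effects": handle_vulnerable(attacker, ROOM_ALLOWLIST),
        "fixed_handler_effects": handle_fixed(attacker, ROOM_ALLOWLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When auditing an authorization check, ask two questions in order: does the check compare the attribute the policy is actually about (a stable, server-assigned identity, not something the subject can rewrite), and does a failed check actually abort the request rather than merely log or redirect before continuing.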

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 5 of 77
  • CVE-2026-28474 | Critical | Mar 5, 2026 | risk 0.57 | CVSS 9.8 | EPSS 0.00

    OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an…

  • CVE-2026-2293 | Critical | Feb 27, 2026 | risk 0.57 | CVSS 9.8 | EPSS 0.01

    A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects NestJS 11.1.13.

  • CVE-2026-24480 | High | Jan 27, 2026 | risk 0.57 | CVSS n/a | EPSS 0.00

    QGIS is a free, open source, cross-platform geographical information system (GIS). The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository…

  • CVE-2020-36920 | High | Jan 6, 2026 | risk 0.57 | CVSS 8.8 | EPSS 0.00

    iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application…

  • CVE-2025-6892 | High | Oct 17, 2025 | risk 0.57 | CVSS n/a | EPSS 0.01

    An Incorrect Authorization vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended for administrative functions. This…

  • CVE-2025-10016 | High | Sep 16, 2025 | risk 0.57 | CVSS n/a | EPSS 0.00

    The Sparkle framework includes a helper tool, Autoupdate. Due to a lack of authentication of connecting clients, a local unprivileged attacker can request installation of a crafted malicious PKG file by racing to connect to the daemon when another app spawns it as root. This results…

  • CVE-2025-23256 | High | Sep 4, 2025 | risk 0.57 | CVSS 8.7 | EPSS 0.00

    NVIDIA BlueField contains a vulnerability in the management interface, where an attacker with local access could cause incorrect authorization to modify the configuration. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges,…

  • CVE-2025-7773 | High | Aug 14, 2025 | risk 0.57 | CVSS n/a | EPSS 0.00

    A security issue exists within the 5032 16pt Digital Configurable module’s web server. The web server’s session number increments at an interval that correlates to the last two consecutive sign-in session intervals, making it predictable.

  • CVE-2025-42951 | High | Aug 12, 2025 | risk 0.57 | CVSS 8.8 | EPSS 0.00

    Due to broken authorization, SAP Business One (SLD) allows an authenticated attacker to gain administrator privileges of a database by invoking the corresponding API. As a result, it has a high impact on the confidentiality, integrity, and availability of the application.

  • CVE-2025-20701 | High | Aug 4, 2025 | risk 0.57 | CVSS 8.8 | EPSS 0.04

    In the Airoha Bluetooth audio SDK, there is a possible way to pair a Bluetooth audio device without user consent. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2025-53943 | High | Jul 16, 2025 | risk 0.57 | CVSS n/a | EPSS 0.00

    VoidBot Open-Source is a customizable Discord bot. VoidBot Open-Source versions 0.0.1 through 0.8.1 contain a vulnerability in the command handler where permission checks are not properly enforced for certain administrative commands. This allows users without the required roles…

  • CVE-2024-5705 | High | Feb 19, 2025 | risk 0.57 | CVSS 8.8 | EPSS 0.00

    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) Hitachi Vantara Pentaho Business…

  • CVE-2025-24500 | High | Jan 30, 2025 | risk 0.57 | CVSS n/a | EPSS 0.00

    The vulnerability allows an unauthenticated attacker to access information in the PAM database.

  • CVE-2024-55579 | High | Dec 9, 2024 | risk 0.57 | CVSS 8.8 | EPSS 0.00

    An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. An unprivileged user with network access may be able to create connection objects that trigger execution of arbitrary EXE files. This is fixed in November 2024 IR, May 2024 Patch 10, February…

  • CVE-2024-53937 | High | Dec 2, 2024 | risk 0.57 | CVSS 8.8 | EPSS 0.00

    An issue was discovered on Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. The TELNET service is enabled by default with admin/admin as default credentials and is exposed over the LAN. This allows attackers to execute arbitrary commands with…

  • CVE-2024-53941 | High | Dec 2, 2024 | risk 0.57 | CVSS 8.8 | EPSS 0.01

    An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. A remote attacker (in proximity to a Wi-Fi network) can derive the default Wi-Fi PSK value via the last 4 octets of the BSSID.

  • CVE-2024-54124 | High | Nov 29, 2024 | risk 0.57 | CVSS 8.8 | EPSS 0.00

    In Click Studios Passwordstate before build 9920, there is a potential permission escalation on the edit folder screen.

  • CVE-2024-51426 | High | Oct 30, 2024 | risk 0.57 | CVSS 8.8 | EPSS 0.00

    An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the _transfer function. NOTE: this is disputed by third parties because the impact is limited to function calls.

  • CVE-2024-51425 | High | Oct 30, 2024 | risk 0.57 | CVSS 8.8 | EPSS 0.00

    An issue in the WaterToken smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact. NOTE: this is disputed by third parties because the impact is limited to function calls.

  • CVE-2024-41617 | Critical | Oct 24, 2024 | risk 0.57 | CVSS 9.8 | EPSS 0.01

    Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to Incorrect Access Control. The `redirect_if_not_loggedin` function in `functions_security.php` fails to terminate script execution after redirecting unauthenticated users. This flaw allows an unauthenticated…