VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood of Exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
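The distinction from CWE-862 (Missing Authorization) is that a check does run here; it is the predicate that is wrong. The following is an added, constructed example (not code from the CWE entry or from any project listed on this page) that reproduces two of the failure patterns visible in the CVE list below: a principal compared case-insensitively, so an account whose name differs only in case inherits another account's rights (the cupsd entry), and a permission evaluated against the project the caller is logged into while the request acts on a different project (the "I hate money" entry). The project data, usernames and the `authorize_remove_member_*` functions are all invented for illustration.

```python
"""Incorrect authorization (CWE-863) in miniature: the check runs, but its
predicate is wrong.  Constructed example; not code from any project listed on
this page.  Everything below (projects, usernames, function names) is assumed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    members: frozenset[str]
    admins: frozenset[str]


# Constructed sample state.  Usernames are case-sensitive here, as on most
# POSIX-style backends, so "ALICE" and "alice" are two different accounts.
PROJECTS: dict[int, Project] = {
    1: Project(members=frozenset({"alice", "bob", "ALICE"}), admins=frozenset({"alice"})),
    2: Project(members=frozenset({"carol", "dave"}), admins=frozenset({"carol"})),
}


def authorize_remove_member_vulnerable(caller: str, session_project: int,
                                       target_project: int, target: str) -> bool:
    """Incorrect check (two bugs).

    1. Admin status is tested with casefold(), so the distinct account
       'ALICE' is treated as the admin 'alice'.
    2. Admin status is tested on session_project (where the caller logged in),
       but the removal is applied to target_project taken from the request,
       so an admin of project 1 may remove members of project 2.
    """
    project = PROJECTS[session_project]
    is_admin = any(caller.casefold() == admin.casefold() for admin in project.admins)
    return is_admin and target in PROJECTS[target_project].members


def authorize_remove_member_fixed(caller: str, session_project: int,
                                  target_project: int, target: str) -> bool:
    """Correct check.

    The principal is compared exactly, and both the admin right and the
    target's membership are evaluated on the project that owns the target.
    session_project is deliberately ignored: what matters is the caller's
    rights on the resource being acted upon, not where they authenticated.
    """
    if target_project not in PROJECTS:
        return False
    project = PROJECTS[target_project]
    return caller in project.admins and target in project.members


if __name__ == "__main__":
    cases = [
        ("alice", 1, 1, "bob"),    # legitimate: admin of project 1 removes its member
        ("alice", 1, 2, "dave"),   # cross-project request: must be denied
        ("ALICE", 1, 1, "bob"),    # case-variant account: must be denied
        ("bob", 1, 1, "alice"),    # non-admin: denied by both versions
    ]
    for case in cases:
        print(case,
              "vulnerable:", authorize_remove_member_vulnerable(*case),
              "fixed:", authorize_remove_member_fixed(*case))
```

The two bugs are independent: a reviewer auditing only the comparison operator would miss the scope mix-up, and one auditing only the tenant scoping would miss the casefold. The practical check for both is the same: for every authorization decision, confirm that the principal, the permission and the resource identifier the decision is evaluated against are exactly the ones the subsequent action will use.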

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 53 of 77
  • CVE-2020-15120 | Medium | Jul 27, 2020
    risk 0.25 | CVSS 4.9 | EPSS 0.01

    In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this…

  • CVE-2017-6816 | Medium | Mar 12, 2017
    risk 0.25 | CVSS 4.9 | EPSS 0.03

    In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.

  • CVE-2026-35635 | Medium | Apr 9, 2026
    risk 0.24 | CVSS 4.8 | EPSS 0.00

    OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass…

  • CVE-2026-27447 | Medium | Apr 3, 2026
    risk 0.24 | CVSS 4.8 | EPSS 0.00

    OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The…

  • CVE-2022-39352 | Medium | Nov 8, 2022
    risk 0.24 | CVSS 4.8 | EPSS 0.00

    OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a…

  • CVE-2021-39138 | Medium | Aug 19, 2021
    risk 0.24 | CVSS 4.8 | EPSS 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously. Prior to version 4.5.1, when an anonymous user is first signed up using REST, the…

  • CVE-2017-12196 | Medium | Apr 18, 2018
    risk 0.24 | CVSS 4.8 | EPSS 0.02

    undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM…

  • CVE-2025-62487 | Low | Jan 9, 2026
    risk 0.23 | CVSS 3.5 | EPSS 0.00

    On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allow file uploads to be shared among…

  • CVE-2025-59451 | Low | Oct 6, 2025
    risk 0.23 | CVSS 3.5 | EPSS 0.00

    The YoSmart YoLink application through 2025-10-02 has session tokens with unexpectedly long lifetimes.

  • CVE-2020-8920 | Low | Dec 10, 2020
    risk 0.23 | CVSS 3.5 | EPSS 0.00

    An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access…

  • CVE-2024-54010 | Low | Jan 8, 2025
    risk 0.22 | CVSS 3.4 | EPSS 0.00

    A vulnerability in the firewall component of HPE Aruba Networking CX 10000 Series Switches exists. It could allow an unauthenticated adjacent attacker to conduct a packet forwarding attack against the ICMP and UDP protocol. For this attack to be successful an attacker requires…

  • CVE-2023-27903 | Medium | Mar 10, 2023
    risk 0.22 | CVSS 4.4 | EPSS 0.00

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins…

  • CVE-2021-32716 | Medium | Jun 24, 2021
    risk 0.22 | CVSS 4.4 | EPSS 0.01

    Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1…

  • CVE-2020-1729 | Medium | May 28, 2021
    risk 0.22 | CVSS 4.4 | EPSS 0.00

    A flaw was found in SmallRye's API through version 1.6.1. The API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks that should have been applied. The largest threat from this vulnerability is a…

  • CVE-2026-2470 | Medium | Jun 13, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to…

  • CVE-2026-53835 | Medium | Jun 12, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    OpenClaw before 2026.5.6 contains a configuration enforcement bypass vulnerability in Feishu dynamic-agent bindings that allows authenticated senders to create or update bindings without honoring configured config-write controls. Attackers can exploit this by leveraging the…

  • CVE-2026-47236 | Medium | Jun 12, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam() and…

  • CVE-2026-32906 | Medium | May 29, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attackers with limited exec approval permissions can bypass intended approval splits to…

  • CVE-2026-9791 | Medium | May 28, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata…

  • CVE-2026-44314 | Medium | May 26, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into…