VYPR

CWE-863

Incorrect Authorization

Abstraction: Class | Status: Incomplete | Likelihood of Exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 7 of 77
  • CVE-2025-11862 (High, Nov 11, 2025)
    risk 0.55, cvss (none listed), epss 0.00

    A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API.

  • CVE-2024-48547 (High, Oct 24, 2024)
    risk 0.55, cvss 8.4, epss 0.00

    Incorrect access control in the firmware update and download processes of DreamCatcher Life v1.8.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2024-48546 (High, Oct 24, 2024)
    risk 0.55, cvss 8.4, epss 0.00

    Incorrect access control in the firmware update and download processes of Wear Sync v1.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2024-48545 (High, Oct 24, 2024)
    risk 0.55, cvss 8.4, epss 0.00

    Incorrect access control in the firmware update and download processes of IVY Smart v4.5.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2024-48544 (High, Oct 24, 2024)
    risk 0.55, cvss 8.4, epss 0.00

    Incorrect access control in the firmware update and download processes of Sylvania Smart Home v3.0.3 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2024-48542 (High, Oct 24, 2024)
    risk 0.55, cvss 8.4, epss 0.00

    Incorrect access control in the firmware update and download processes of Yamaha Headphones Controller v1.6.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2024-48541 (High, Oct 24, 2024)
    risk 0.55, cvss 8.4, epss 0.00

    Incorrect access control in the firmware update and download processes of Ruochan Smart v4.4.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.

  • CVE-2018-13109 (High, Jul 6, 2018)
    risk 0.55, cvss 7.5, epss 0.36

    All ADB broadband gateways / routers based on the Epicentro platform are affected by an authorization bypass vulnerability where attackers are able to access and manipulate settings within the web interface that are forbidden to end users (e.g., by the ISP). An attacker would be…

  • CVE-2026-42882 (Critical, May 11, 2026)
    risk 0.54, cvss 9.4, epss 0.01

    oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path…

  • CVE-2026-42313 (High, May 11, 2026)
    risk 0.54, cvss 8.3, epss 0.00

    pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist…

  • CVE-2024-5324 (High, Jun 6, 2024)
    risk 0.54, cvss 8.8, epss 0.02

    Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level…

  • CVE-2017-4915 (High, May 22, 2017)
    risk 0.54, cvss 7.8, epss 0.05

    VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.

  • CVE-2026-53738 (High, Jun 10, 2026)
    risk 0.53, cvss 8.1, epss 0.00

    Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks.

  • CVE-2026-24724 (High, Jun 10, 2026)
    risk 0.53, cvss 8.1, epss 0.00

    An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File…

  • CVE-2026-8046 (High, May 26, 2026)
    risk 0.53, cvss 8.1, epss 0.00

    The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges.

  • CVE-2026-44553 (High, May 15, 2026)
    risk 0.53, cvss 8.1, epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a user whose admin role has been revoked…

  • CVE-2026-44633 (High, May 14, 2026)
    risk 0.53, cvss 8.1, epss 0.00

    Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object…

  • CVE-2026-44260 (High, May 12, 2026)
    risk 0.53, cvss 8.1, epss 0.00

    efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no…

  • CVE-2026-26289 (High, May 12, 2026)
    risk 0.53, cvss 8.2, epss 0.00

    PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.

  • CVE-2026-42349 (High, May 11, 2026)
    risk 0.53, cvss 8.1, epss 0.00

    Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when…