CWE-285: Improper Authorization

Total CVEs: 301
Critical: 44
High: 147
Avg CVSS: 7.2

Yearly Trend

2026: 25
2025: 128
2024: 69
2023: 38
2022: 11

Top Affected Vendors

1. Microsoft: 16 CVEs
2. Adobe: 13 CVEs
3. Apple: 11 CVEs
4. Atlassian: 10 CVEs
5. Rallly: 7 CVEs
6. Samsung: 7 CVEs
7. Cisco: 6 CVEs
8. Redhat: 5 CVEs
9. Fortinet: 5 CVEs
10. Linuxfoundation: 4 CVEs

All CWE-285 CVEs (301)

CVE-2025-65041 (CVSS 10.0, published Dec 18, 2025)
CVE-2025-65041 is an improper authorization vulnerability in Microsoft Partner Center that allows unauthorized attackers to elevate privileges over a ...

CVE-2023-33189 (CVSS 10.0, published May 30, 2023)
CVE-2023-33189 is an authorization bypass vulnerability in Pomerium identity-aware access proxy. Attackers can craft requests to bypass authorization ...

CVE-2022-21196 (CVSS 10.0, published Feb 18, 2022)
This critical vulnerability affects Cambium Networks wireless devices, allowing attackers to bypass authentication on multiple API routes. Unauthorize...

CVE-2021-37705 (CVSS 10.0, published Aug 13, 2021)
CVE-2021-37705 is an authorization bypass vulnerability in OneFuzz that allows authenticated users from any Azure AD tenant to make authorized API cal...

CVE-2021-28799 (CVSS 10.0, published May 13, 2021)
CVE-2021-28799 is an improper authorization vulnerability in QNAP's HBS 3 backup software that allows remote attackers to bypass authentication and lo...

CVE-2025-49746 (CVSS 9.9, published Jul 18, 2025)
CVE-2025-49746 is an improper authorization vulnerability in Azure Machine Learning that allows authenticated attackers to escalate privileges over th...

CVE-2025-30390 (CVSS 9.9, published Apr 30, 2025)
This critical Azure vulnerability allows authenticated attackers to escalate privileges within cloud environments, potentially gaining administrative ...

CVE-2021-23140 (CVSS 9.9, published Jun 11, 2021)
This vulnerability allows unauthorized Command Centre Operators to modify command line macros in Gallagher Command Centre Server, potentially executin...

CVE-2026-25893 (CVSS 9.8, published Feb 9, 2026)
An authentication bypass vulnerability in FUXA web-based SCADA/HMI software allows unauthenticated remote attackers to gain administrative access via ...

CVE-2026-25809 (CVSS 9.8, published Feb 9, 2026)
This vulnerability in PlaciPy version 1.0.0 allows attackers to execute code evaluation outside of intended assessment windows due to missing lifecycl...

CVE-2025-58386 (CVSS 9.8, published Dec 2, 2025)
This vulnerability allows a Power User in Terminalfour to bypass authorization checks and escalate privileges for other accounts. By intercepting and ...

CVE-2025-31255 (CVSS 9.8, published Sep 15, 2025)
This CVE describes an authorization bypass vulnerability in Apple operating systems that allows malicious apps to access sensitive user data without p...

CVE-2025-7778 (CVSS 9.8, published Aug 15, 2025)
The Icons Factory WordPress plugin contains an arbitrary file deletion vulnerability that allows unauthenticated attackers to delete any file on the s...

CVE-2025-4104 (CVSS 9.8, published May 7, 2025)
The Frontend Dashboard WordPress plugin versions 1.0 to 2.2.6 contain a privilege escalation vulnerability that allows unauthenticated attackers to re...

CVE-2025-3918 (CVSS 9.8, published May 3, 2025)
The Job Listings WordPress plugin versions 0.1 to 0.1.1 contain a privilege escalation vulnerability that allows unauthenticated attackers to register...

CVE-2025-30392 (CVSS 9.8, published Apr 30, 2025)
CVE-2025-30392 is an improper authorization vulnerability in Azure Bot Framework SDK that allows unauthorized attackers to elevate privileges over a n...

CVE-2025-29926 (CVSS 9.8, published Mar 19, 2025)
This vulnerability allows any user to exploit the WikiManager REST API in XWiki Platform to create a new wiki and gain administrator privileges. This ...

CVE-2025-25196 (CVSS 9.8, published Feb 19, 2025)
OpenFGA versions before 1.8.5 contain an authorization bypass vulnerability that allows unauthorized access when specific Check and ListObject API cal...

CVE-2024-56323 (CVSS 9.8, published Jan 13, 2025)
OpenFGA versions 1.3.8 to 1.8.2 contain an authorization bypass vulnerability when using conditions with contextual tuples and caching enabled. Attack...

CVE-2024-36108 (CVSS 9.8, published May 31, 2024)
CVE-2024-36108 is an authorization bypass vulnerability in casgate identity management system that allows unauthenticated attackers to access sensitiv...

CVE-2024-34257 (CVSS 9.8, published May 8, 2024)
This vulnerability allows unauthenticated attackers to execute arbitrary commands on TOTOLINK EX1800T routers by exploiting the apcliEncrypType parame...

CVE-2024-32881 (CVSS 9.8, published Apr 26, 2024)
Danswer AI Assistant versions before 3.63 have an authorization flaw allowing unauthorized access to Slack bot tokens. Attackers with network access c...

CVE-2022-3748 (CVSS 9.8, published Apr 14, 2023)
CVE-2022-3748 is an authentication bypass vulnerability in ForgeRock Access Management that allows attackers to gain unauthorized access without valid...

CVE-2022-3229 (CVSS 9.8, published Feb 6, 2023)
CVE-2022-3229 is an authentication bypass vulnerability in Unified Remote's web management interface that allows unauthenticated attackers to disable ...

CVE-2022-24083 (CVSS 9.8, published Jul 25, 2022)
CVE-2022-24083 is a critical authentication bypass vulnerability in Pega Platform that allows attackers to circumvent local password checks, potential...

CVE-2021-42338 (CVSS 9.8, published Nov 19, 2021)
CVE-2021-42338 is an authentication bypass vulnerability in 4MOSAn GCB Doctor's login page that allows unauthenticated attackers to inject malicious c...

CVE-2021-3044 (CVSS 9.8, published Jun 22, 2021)
CVE-2021-3044 is an improper authorization vulnerability in Palo Alto Networks Cortex XSOAR that allows remote unauthenticated attackers with network ...

CVE-2021-32619 (CVSS 9.8, published May 28, 2021)
This vulnerability allows Deno modules imported dynamically via import() or new Worker to bypass network and file system permission checks when static...

CVE-2025-66301 (CVSS 9.6, EPSS 27.2%, published Dec 1, 2025)
This vulnerability allows editors with limited permissions in Grav CMS to modify form processing logic by manipulating YAML frontmatter in POST reques...

CVE-2025-29922 (CVSS 9.6, published Mar 20, 2025)
This vulnerability in kcp allows attackers to create or delete objects in any arbitrary target workspace via the APIExport VirtualWorkspace, bypassing...

CVE-2021-3616 (CVSS 9.4, published Aug 17, 2021)
This vulnerability in Lenovo Smart Camera models X3, X5, and C2E allows unauthorized users to access device information, modify firmware, and change d...

CVE-2026-24305 (CVSS 9.3, published Jan 22, 2026)
This critical vulnerability in Azure Entra ID (formerly Azure Active Directory) allows attackers to elevate privileges within cloud environments. Atta...

CVE-2026-22252 (CVSS 9.1, published Jan 12, 2026)
This critical vulnerability in LibreChat allows authenticated users to execute arbitrary shell commands as root within the container via a single API ...

CVE-2025-65021 (CVSS 9.1, published Nov 19, 2025)
An Insecure Direct Object Reference (IDOR) vulnerability in Rallly allows any authenticated user to finalize polls they don't own by manipulating the ...

CVE-2025-53792 (CVSS 9.1, published Aug 7, 2025)
This is an elevation of privilege vulnerability in Azure Portal that allows authenticated users to gain unauthorized administrative access. It affects...

CVE-2025-29927 (CVSS 9.1, EPSS 92.9%, published Mar 21, 2025)
This CVE describes an authorization bypass vulnerability in Next.js middleware. Attackers can bypass authorization checks by sending requests with the...

CVE-2024-13241 (CVSS 9.1, published Jan 9, 2025)
This CVE describes an Improper Authorization vulnerability in Drupal Open Social that allows attackers to collect data from common resource locations ...

CVE-2024-33749 (CVSS 9.1, published May 6, 2024)
DedeCMS V5.7.114 contains an improper authorization vulnerability in mail_file_manage.php that allows attackers to delete any file on the server. This...

CVE-2023-2227 (CVSS 9.1, published Apr 21, 2023)
CVE-2023-2227 is an improper authorization vulnerability in Modoboa email management software that allows authenticated users to access administrative...

CVE-2022-38375 (CVSS 9.1, published Feb 16, 2023)
CVE-2022-38375 is an improper authorization vulnerability in Fortinet FortiNAC that allows unauthenticated attackers to perform administrative operati...

CVE-2021-28500 (CVSS 9.1, published Jan 14, 2022)
This vulnerability in Arista EOS allows local users with 'nopassword' configuration to gain unrestricted access to network devices due to incorrect AA...

CVE-2021-28506 (CVSS 9.1, published Jan 14, 2022)
CVE-2021-28506 is an authentication bypass vulnerability in Arista EOS gNOI APIs that allows unauthorized factory resets of network devices. This affe...

CVE-2021-41974 (CVSS 9.1, published Oct 8, 2021)
CVE-2021-41974 is an authentication bypass vulnerability in Tad Book3 that allows remote attackers to view and modify arbitrary book content without p...

CVE-2023-52139 (CVSS 9.0, published Dec 29, 2023)
This vulnerability in Misskey allows third-party applications to access endpoints or WebSocket APIs without proper user permission due to incorrect 'k...

CVE-2025-4521 (CVSS 8.8, published Feb 19, 2026)
This vulnerability in the IDonate WordPress plugin allows authenticated attackers with Subscriber-level access or higher to escalate privileges to adm...

CVE-2026-26020 (CVSS 8.8, published Feb 12, 2026)
This vulnerability allows authenticated users of AutoGPT to execute arbitrary code on the backend server by bypassing disabled block restrictions. Att...

CVE-2026-22042 (CVSS 8.8, published Jan 8, 2026)
This vulnerability in RustFS allows a principal with export-only IAM permissions to perform import operations, leading to unauthorized creation or mod...

CVE-2025-64065 (CVSS 8.8, published Nov 25, 2025)
This vulnerability allows any authenticated low-privileged user in Primakon Pi Portal to impersonate any other user, including administrators, by expl...

CVE-2025-64751 (CVSS 8.8, published Nov 21, 2025)
OpenFGA versions 1.4.0 to 1.11.0 have an improper policy enforcement vulnerability in Check and ListObject calls. This allows attackers to bypass auth...

CVE-2025-64655 (CVSS 8.8, published Nov 20, 2025)
This vulnerability allows unauthorized attackers to elevate privileges in Dynamics OmniChannel SDK Storage Containers through improper authorization c...

About CWE-285

Our database tracks 301 CVEs classified as CWE-285, with 44 rated critical and 147 rated high severity. The average CVSS score for CWE-285 vulnerabilities is 7.2.

External reference: CWE-285 on MITRE CWE (https://cwe.mitre.org/data/definitions/285.html)
