CWE-862: Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
All Missing Authorization CVEs (2,985)
CVE-2025-45854 is a critical remote code execution vulnerability in JEHC-BPM 2.0.1 that allows attackers to execute arbitrary commands via the /server...
Jun 3, 2025

This vulnerability allows any authenticated user in Coolify to attach existing private SSH keys to their own server configuration. If the attacker's s...
Jan 24, 2025

This critical vulnerability in the WordPress Debug Tool plugin allows attackers to upload malicious web shell files to web servers without proper auth...
Nov 16, 2024

This vulnerability allows unauthenticated attackers to read and delete arbitrary files on WordPress sites using vulnerable InPost plugins. On Windows ...
Aug 17, 2024

CVE-2024-6071 is a critical remote code execution vulnerability in PTC Creo Elements/Direct License Server that allows unauthenticated attackers to ex...
Jun 27, 2024

CVE-2022-0543 is a critical Lua sandbox escape vulnerability in Redis on Debian-based systems that allows remote attackers to execute arbitrary code. ...
Feb 18, 2022

This vulnerability allows authenticated attackers with workflow write access in one project to create and manage sites on servers belonging to other p...
Mar 6, 2026

An authenticated attacker in SAP CRM and SAP S/4HANA can exploit a flaw in the Scripting Editor's generic function module to execute arbitrary SQL sta...
Feb 10, 2026

This vulnerability in Open edX Platform allows CourseLimitedStaffRole users to access and edit courses in Studio when granted organization-level permi...
Dec 16, 2025

This vulnerability in Coolify allows any authenticated user to escalate privileges to any role, including owner, and remove all other team members. At...
Jan 24, 2025

SimpleHelp remote support software versions 5.5.7 and earlier contain an authorization vulnerability where low-privilege technicians can create API ke...
Jan 15, 2025

The ThemeGrill Demo Importer WordPress plugin versions 1.3.4 through 1.6.1 contain an authentication bypass vulnerability that allows authenticated at...
Oct 16, 2024

This vulnerability in Conduit's Client-Server API allows unauthorized users to manipulate room aliases, including moving the #admins alias to a contro...
Jun 25, 2024

This vulnerability in the Support Genix WordPress plugin allows attackers to upload arbitrary files without proper authorization. It affects all WordP...
Apr 18, 2024

CVE-2024-31997 is a critical remote code execution vulnerability in XWiki Platform where UI extension parameters are improperly executed as Velocity c...
Apr 10, 2024

This vulnerability allows remote code execution in XWiki Platform via PDF export templates. Attackers can execute arbitrary code on affected XWiki ins...
Apr 10, 2024

This vulnerability in XWiki Platform allows users with edit rights to modify translations without proper authorization, bypassing script or admin righ...
Apr 10, 2024

A missing authorization vulnerability in Synology Surveillance Station's webapi component allows authenticated users to perform unauthorized actions. ...
Mar 28, 2024

CVE-2023-34063 is a missing access control vulnerability in VMware Aria Automation that allows authenticated malicious actors to access remote organiz...
Jan 16, 2024

The Frontend File Manager WordPress plugin up to version 18.2 has an authenticated settings change vulnerability. Subscriber-level attackers can modif...
Jun 7, 2023

This vulnerability allows unauthenticated users to bypass ACL (Access Control List) authorizations in HashiCorp Nomad clusters where mTLS (mutual TLS)...
Apr 5, 2023

This vulnerability in RubyGems.org allowed unauthorized users to remove and replace certain gems from the package registry. It affected gems with dash...
May 5, 2022

SimStudio versions below 0.5.74 have MongoDB tool endpoints that accept arbitrary connection parameters without authentication or host restrictions. T...
Mar 2, 2026

This vulnerability allows remote attackers to bypass authentication on GFI Archiver installations without requiring credentials. The flaw exists in th...
Feb 20, 2026

CVE-2025-70150 is a critical missing authentication vulnerability in CodeAstro Membership Management System 1.0 that allows unauthenticated attackers ...
Feb 18, 2026

The YayMail WordPress plugin has a privilege escalation vulnerability that allows authenticated attackers with Shop Manager access or higher to modify...
Feb 18, 2026

The WP Duplicate plugin for WordPress has a critical vulnerability that allows authenticated attackers with subscriber-level access to upload arbitrar...
Feb 6, 2026

This CVE describes a Missing Authorization vulnerability in the BA Book Everything WordPress plugin that allows attackers to bypass access controls. I...
Jan 22, 2026

This CVE describes a Missing Authorization vulnerability in the Registration & Login with Mobile Phone Number for WooCommerce WordPress plugin. It all...
Jan 22, 2026

This CVE describes a missing authorization vulnerability in the Aruba HiSpeed Cache WordPress plugin that allows attackers to access functionality not...
Jan 8, 2026

CVE-2025-14360 is a missing authorization vulnerability in the Kaira Blockons WordPress plugin that allows attackers to access functionality not prope...
Jan 8, 2026

This CVE describes a missing authorization vulnerability in the REHub Framework WordPress plugin that allows attackers to access functionality not pro...
Jan 8, 2026

This CVE describes a Missing Authorization vulnerability in the InWave Jobs WordPress plugin that allows attackers to bypass access controls. Attacker...
Jan 6, 2026

CVE-2023-54327 is an authentication bypass vulnerability in Tinycontrol LAN Controller 1.58a that allows unauthenticated attackers to change administr...
Dec 30, 2025

This CVE describes a Missing Authorization vulnerability in the JayBee Twitch Player WordPress plugin (ttv-easy-embed-player) that allows attackers to...
Dec 24, 2025

CVE-2023-53923 is a critical privilege escalation vulnerability in UliCMS that allows unauthenticated attackers to create administrative accounts with...
Dec 17, 2025

The LazyTasks WordPress plugin has an unauthenticated privilege escalation vulnerability that allows attackers to change any user's email address via ...
Dec 12, 2025

CVE-2023-53740 is an authentication bypass vulnerability in Screen SFT DAB 1.9.3 that allows attackers to change the admin password without authentica...
Dec 10, 2025

This vulnerability allows unauthenticated attackers to modify critical WordPress configuration options through the Frontend Admin plugin. Attackers ca...
Dec 3, 2025

This CVE describes a missing authorization vulnerability in the UsersWP WordPress plugin that allows attackers to bypass access controls. It affects a...
Nov 21, 2025

The Simple User Capabilities WordPress plugin has a critical privilege escalation vulnerability that allows unauthenticated attackers to elevate any u...
Nov 4, 2025

This vulnerability allows unauthenticated attackers to read arbitrary email logs stored by the Post SMTP WordPress plugin, including sensitive emails ...
Nov 1, 2025

Nagios XI versions before 2024R1.1.2 have a missing authorization vulnerability when 'Allow Insecure Logins' is enabled. This allows any user to creat...
Oct 30, 2025

This CVE describes a Missing Authorization vulnerability in the MSTW CSV EXPORTER WordPress plugin that allows attackers to bypass access controls and...
Oct 27, 2025

This CVE describes a Missing Authorization vulnerability in the Referral Link Tracker WordPress plugin that allows attackers to bypass access controls...
Oct 27, 2025

This vulnerability allows unauthenticated attackers to modify WordPress site options via the MultiLoca WooCommerce plugin, potentially enabling them t...
Sep 24, 2025

This vulnerability allows unauthenticated attackers to upload arbitrary ZIP files containing malicious plugins to WordPress sites using the Goza theme...
Sep 19, 2025

This CVE describes a Missing Authorization vulnerability in the WordPress Login with Phone Number plugin that allows attackers to bypass authenticatio...
Aug 31, 2025

The Aikaan IoT management platform v3.25.0325-5-g2e9c59796 has a critical authentication bypass vulnerability where the sign-up API endpoint remains a...
Aug 21, 2025

This vulnerability allows unauthenticated attackers to change any user's email address in the Taxi Booking Manager for Woocommerce plugin, including a...
Aug 16, 2025

About Missing Authorization (CWE-862)
Our database tracks 2,985 CVEs classified as CWE-862, with 211 rated critical and 809 rated high severity. The average CVSS score for Missing Authorization vulnerabilities is 6.2.