CWE-863: Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource, but it does not correctly perform the check.
All Incorrect Authorization CVEs (708)
Aug 5, 2025: CVE-2025-54253 is a critical misconfiguration vulnerability in Adobe Experience Manager Forms that allows unauthenticated attackers to execute arbitra...
Dec 19, 2024: This vulnerability allows remote attackers to bypass authorization controls in the Govee Home mobile app, enabling them to control smart devices belon...
Feb 18, 2022: This critical vulnerability affects Cambium Networks wireless devices, allowing attackers to bypass authorization checks on API functions. Attackers c...
Dec 8, 2021: This vulnerability allows malicious iframes to bypass sandbox restrictions when loading XSLT stylesheets, enabling script execution and top-level fram...
Mar 5, 2026: OpenClaw gateway versions before 2026.2.14 have an authorization bypass vulnerability where authenticated clients can manipulate node.invoke parameter...
Jan 21, 2025: This critical vulnerability in Oracle Agile PLM Framework allows authenticated attackers with low privileges to completely compromise the system via H...
Jul 26, 2024: This vulnerability exposes sensitive session and user data through Direct Web Remoting API endpoints, allowing authenticated administrators to obtain ...
Jun 24, 2024: This vulnerability in XWiki Platform allows privilege escalation through macro execution context manipulation. When using the include macro, content e...
Apr 16, 2024: This critical vulnerability in Oracle Hospitality Simphony Enterprise Server allows authenticated attackers with low privileges to remotely compromise...
Jun 20, 2023: This vulnerability in XWiki Platform allows attackers to execute arbitrary wiki content with the privileges of the TipsPanel author by creating a mali...
May 9, 2023: This CVE allows authenticated users in XWiki Platform to execute arbitrary code with the privileges of the XWiki.ClassSheet document author, potential...
Feb 12, 2021: CVE-2021-26753 is an authenticated remote code execution vulnerability in NeDi network management software. An authenticated attacker can inject PHP c...
Jan 1, 2021: This vulnerability in the XCloner WordPress plugin allows authenticated attackers to modify arbitrary files, including critical PHP files like wp-conf...
Mar 5, 2026: This vulnerability allows attackers to bypass allowlist restrictions in Nextcloud Talk by changing their display name to match an allowlisted user ID....
Feb 9, 2026: This vulnerability allows attackers to bypass authorization in PlaciPy placement management systems by manipulating JWT claims. Attackers can escalate...
Jan 19, 2026: CVE-2026-23837 is an authentication bypass vulnerability in MyTube that allows unauthenticated attackers to access protected administrative functions....
Dec 10, 2025: This critical vulnerability allows unauthenticated attackers to enable Telnet service and gain root access with blank password on Totolink X5000R rout...
Nov 26, 2025: CVE-2025-55469 is an incorrect access control vulnerability in youlai-boot v2.21.1 that allows attackers to bypass authentication and escalate privile...
Nov 18, 2025: CVE-2025-41346 is an authorization bypass vulnerability in WinPlus v24.11.27 that allows attackers to impersonate any user by knowing their numerical ...
Oct 16, 2025: This critical vulnerability in WSO2 products allows attackers to bypass authentication and authorization checks for certain REST APIs, enabling unauth...
Aug 24, 2025: This vulnerability allows unauthenticated remote attackers to modify server property files in IBM Jazz Foundation, potentially enabling unauthorized a...
Aug 18, 2025: OpenFGA versions 1.9.3 to 1.9.4 contain an improper policy enforcement vulnerability in Check and ListObject calls. This allows attackers to bypass au...
Jun 17, 2025: CVE-2025-49825 is a critical authentication bypass vulnerability in Teleport Community Edition that allows remote attackers to gain unauthorized acces...
Jun 2, 2025: This vulnerability in MediaTek WLAN AP drivers allows attackers to inject arbitrary packets without proper permission checks, enabling remote privileg...
May 22, 2025: This vulnerability allows attackers to reset any user's password via a flawed SOAP admin service in WSO2 products, leading to complete account takeove...
Mar 5, 2025: This vulnerability in Vasion Print (formerly PrinterLogic) allows attackers to install malicious extensions by exploiting insecure HTTP permission met...
Jan 9, 2025: This vulnerability allows attackers to bypass authorization controls in Drupal's REST & JSON API Authentication module, enabling forceful browsing to ...
Dec 25, 2024: CVE-2024-56431 is a disputed vulnerability in libtheora's huffdec.c where oc_huff_tree_unpack contains an invalid negative left shift operation. The v...
Nov 14, 2024: A misconfiguration in the fingerprint authentication mechanism of the Binance mobile app allows attackers to bypass authentication when adding a new f...
Nov 5, 2024: Lylme Spage v1.9.5 has an authentication bypass vulnerability due to missing login attempt limits and static verification codes. Attackers can brute-f...
Oct 25, 2024: WTCMS 1.0 has an incorrect access control vulnerability in the HomebaseController that allows attackers to bypass authentication and authorization mec...
Oct 24, 2024: Money Manager EX WebApp version 1.2.2 has an access control vulnerability where the redirect_if_not_loggedin function doesn't properly terminate execu...
Sep 26, 2024: CVE-2024-7108 is an incorrect authorization vulnerability in National Keep Cyber Security Services CyberMath that allows attackers to access functiona...
Aug 15, 2024: This vulnerability allows unauthenticated attackers to retrieve the apmib configuration file containing administrative credentials from TOTOLINK N350R...
Aug 6, 2024: HaloITSM versions up to 2.146.1 have a SAML XML Signature Wrapping vulnerability that allows anonymous attackers to impersonate any user by knowing th...
Aug 6, 2024: An improper access control vulnerability in Calibre e-book management software allows unauthenticated attackers to execute arbitrary code remotely. Th...
Jul 31, 2024: This vulnerability allows unauthenticated attackers to gain administrative access to affected systems by exploiting a logic flaw in the user registrat...
Jul 24, 2024: CVE-2024-36536 is an insecure permissions vulnerability in fabedge v0.8.1 that allows attackers to access service account tokens. This enables privile...
Jun 21, 2024: CVE-2023-38389 is an incorrect authorization vulnerability in the Artbees JupiterX Core WordPress plugin that allows unauthenticated attackers to bypa...
Jun 12, 2024: This CVE describes an incorrect authorization vulnerability in Apache Submarine Server Core that allows unauthorized access to sensitive functionality...
Jun 8, 2024: This CVE describes an authorization bypass vulnerability in lunary-ai/lunary version v1.2.13 that allows unauthorized users to access and manipulate p...
Jun 3, 2024: This vulnerability allows attackers to bypass fingerprint authentication in Phone Cleaner: Boost & Clean v2.2.0 due to incorrect access control in a d...
May 30, 2024: This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Diño Physics School Assistant version 2.3. Attackers can manipulate th...
Mar 19, 2024: This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of the Advanced Plugins reportsstatistics ...
Feb 12, 2024: The Web3 WordPress plugin before version 3.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to log in as any ...
Oct 31, 2023: CVE-2023-22518 is an improper authorization vulnerability in Confluence Data Center and Server that allows unauthenticated attackers to reset the appl...
Oct 20, 2023: CVE-2023-34051 is an authentication bypass vulnerability in VMware Aria Operations for Logs that allows unauthenticated attackers to inject files and ...
Oct 16, 2023: An access control vulnerability in Extreme Networks Switch Engine (EXOS) allows attackers to gain escalated privileges via crafted telnet commands thr...
Oct 11, 2023: This vulnerability allows attackers to bypass authorization checks in KernelSU, a root solution for Android devices. Attackers could gain unauthorized...
Sep 12, 2023: CVE-2023-40309 is an authentication bypass vulnerability in SAP CommonCryptoLib that allows authenticated users to escalate privileges by bypassing au...
About Incorrect Authorization (CWE-863)
Our database tracks 708 CVEs classified as CWE-863, with 138 rated critical and 313 rated high severity. The average CVSS score for Incorrect Authorization vulnerabilities is 7.3.
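The definition of CWE-863 is a check that exists but is wrong, as opposed to CWE-862 where no check exists at all. Two such patterns recur in the list above: a check that tests a user-editable attribute (a display name) against an allowlist of user IDs, and a "redirect to login" that is issued but does not stop the handler, so the privileged action below it still runs. The following Python is an added illustration of both patterns beside their fixes; it is not code from any product on this page, and the User/Store/Response types, the allowlist and the sample accounts are constructed assumptions.

```python
"""Two ways an authorization check can exist yet be wrong (CWE-863).

Added illustration, not code from any product listed on this page. The
request/response model, the in-memory store and the sample users are
constructed assumptions chosen to make the two patterns visible.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: str       # identity assigned by the system, not user-editable
    display_name: str  # profile field the user can change at will
    role: str


@dataclass
class Store:
    docs: dict = field(default_factory=dict)


class Response:
    """Minimal stand-in for a web framework response object (assumption)."""

    def __init__(self, status: int = 200, body: str = "") -> None:
        self.status = status
        self.body = body

    def redirect(self, location: str) -> None:
        # Like header("Location: ...") style APIs: records the redirect but
        # does not stop the caller; the handler must return on its own.
        self.status, self.body = 302, location


# Constructed sample data (assumption): one document owned by u1, and an
# allowlist of user IDs permitted to read every document.
READ_ALLOWLIST = {"u1"}


def make_store() -> Store:
    return Store(docs={"d42": {"owner": "u1", "body": "payroll"}})


# Pattern 1: the check runs but compares the wrong attribute.
# The allowlist holds user IDs; the handler tests the user-editable display
# name against it, so a user who renames themselves "u1" passes the check.
def read_doc_vulnerable(store: Store, user: User, doc_id: str) -> Response:
    doc = store.docs[doc_id]
    if user.display_name in READ_ALLOWLIST or user.user_id == doc["owner"]:
        return Response(200, doc["body"])
    return Response(403, "forbidden")


def read_doc_fixed(store: Store, user: User, doc_id: str) -> Response:
    doc = store.docs[doc_id]
    # Authorize on the system-assigned identity only.
    if user.user_id in READ_ALLOWLIST or user.user_id == doc["owner"]:
        return Response(200, doc["body"])
    return Response(403, "forbidden")


# Pattern 2: the check fires but does not terminate the handler.
# A non-admin receives a 302 to the login page, yet the deletion below the
# check still executes because the early return is missing.
def delete_doc_vulnerable(store: Store, user: User, doc_id: str) -> Response:
    resp = Response()
    if user.role != "admin":
        resp.redirect("/login")   # BUG: no `return resp` after this line
    store.docs.pop(doc_id, None)  # runs for admins and non-admins alike
    if resp.status == 200:
        resp.body = "deleted"
    return resp


def delete_doc_fixed(store: Store, user: User, doc_id: str) -> Response:
    resp = Response()
    if user.role != "admin":
        resp.redirect("/login")
        return resp               # the deny path ends the handler
    store.docs.pop(doc_id, None)
    resp.body = "deleted"
    return resp


if __name__ == "__main__":
    # Attacker account: an ordinary user who set their display name to "u1".
    mallory = User(user_id="u2", display_name="u1", role="user")

    s = make_store()
    print("read, vulnerable:", read_doc_vulnerable(s, mallory, "d42").status)
    print("read, fixed     :", read_doc_fixed(s, mallory, "d42").status)

    s = make_store()
    r = delete_doc_vulnerable(s, mallory, "d42")
    print("delete, vulnerable:", r.status, "doc still present:", "d42" in s.docs)
    s = make_store()
    r = delete_doc_fixed(s, mallory, "d42")
    print("delete, fixed     :", r.status, "doc still present:", "d42" in s.docs)
```

The second pattern is the one most likely to slip past a test suite: a test that only asserts on the response status sees the expected 302 and passes. A negative test for an authorization check has to assert both that the deny status was returned and that the protected state (here, the document) is unchanged afterwards.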
External reference: View CWE-863 on MITRE CWE →