CWE-863: Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource, but it does not correctly perform the check.
Yearly Trend
Top Affected Vendors
All Incorrect Authorization CVEs (710)
Jun 25, 2025: This vulnerability allows remote attackers with low-privileged authorization tokens to escalate privileges on Autel MaxiCharger AC Wallbox Commercial ...
Jun 19, 2025: The AI Engine WordPress plugin (versions 2.8.0-2.8.3) has a missing capability check that allows authenticated users with subscriber-level access or h...
Jun 13, 2025: This vulnerability allows any XWiki user with edit rights on an App Within Minutes application to escalate privileges to programming rights, leading t...
Jun 11, 2025: An incorrect authorization vulnerability in Drupal Commerce Eurobank (Redirect) module allows attackers to misuse functionality they shouldn't have ac...
Jun 9, 2025: An incorrect authorization vulnerability in TCMAN's GIM v11 allows unauthenticated attackers to create privileged user accounts via a POST request to ...
May 13, 2025: This vulnerability allows authenticated users with read-only permissions in Apache Superset to take ownership of dashboards, charts, or datasets. This...
May 7, 2025: CVE-2025-46265 is an improper authorization vulnerability in F5OS where remotely authenticated users (via LDAP, RADIUS, or TACACS+) may be granted hig...
Feb 19, 2025: This vulnerability allows attackers to bypass authorization checks in Hitachi Vantara Pentaho Business Analytics Server, potentially accessing unautho...
Feb 13, 2025: This vulnerability allows authenticated Cassandra users to bypass Role-Based Access Control (RBAC) and escalate privileges in systems running the Inst...
Jan 31, 2025: CVE-2024-57434 is an incorrect access control vulnerability in macrozheng mall-tiny 1.0.1 where default imported test users are granted super administ...
Dec 9, 2024: This vulnerability in Qlik Sense Enterprise for Windows allows unprivileged users with network access to create connection objects that execute arbitr...
Dec 4, 2024: A privilege escalation vulnerability in Veeam Backup & Replication allows authenticated low-privileged users to remotely start agents in server mode a...
Dec 2, 2024: The Victure RX1800 WiFi 6 Router has Telnet enabled by default with admin/admin credentials, allowing attackers on the local network to gain root acce...
Dec 2, 2024: The Victure RX1800 WiFi 6 Router has a vulnerability where attackers within Wi-Fi range can derive the default Wi-Fi password using the last 4 octets ...
Nov 29, 2024: This vulnerability in Click Studios Passwordstate allows authenticated users to escalate their permissions when editing folders, potentially gaining u...
Nov 4, 2024: Chamilo LMS 1.11.26 has an incorrect access control vulnerability in the profile management component that allows non-admin users to manipulate sensit...
Sep 23, 2024: This vulnerability allows authenticated users in Checkmk monitoring systems to bypass two-factor authentication (2FA) via the REST API. Attackers with...
Sep 3, 2024: This vulnerability allows authenticated attackers to manipulate API parameters in Symphony XTS Web Trading and Mobile Trading platforms, potentially l...
Aug 20, 2024: This vulnerability in Italtel Embrace 1.6.4 exposes user access tokens in URL query strings via GET requests, allowing attackers to steal session cred...
Aug 13, 2024: This vulnerability in Siemens SINEC NMS allows authenticated attackers to bypass authorization checks and elevate their privileges within the applicat...
Jul 26, 2024: Nimble Commander has a privilege escalation vulnerability where the PrivilegedIOHelperV2 server fails to properly validate client authorization before...
Jul 24, 2024: This vulnerability allows attackers to gain root-level access to AdTran SRG 834-5 devices during initial setup when SSH is enabled with default admin/...
Jul 5, 2024: This vulnerability in Evmos allows users to create vesting accounts funded by arbitrary third-party addresses without their permission. Attackers coul...
Jun 12, 2024: This vulnerability in FreeIPA allows attackers to bypass constrained delegation rules in Kerberos S4U2Proxy requests, enabling unauthorized service im...
Jun 6, 2024: This vulnerability in the Login/Signup Popup plugin for WordPress allows authenticated users with Subscriber-level access or higher to modify arbitrar...
Mar 26, 2024: This vulnerability allows attackers with access to Devolutions Server's PAM JIT elevation feature to escalate privileges to unauthorized groups via cr...
Mar 21, 2024: This vulnerability allows attackers to bypass access controls in the School Fees Management System v1.0, enabling privilege escalation to administrati...
Jan 31, 2024: This vulnerability in facileManager allows non-admin users to escalate their privileges to super user/admin level by manipulating profile update reque...
Dec 12, 2023: This vulnerability in Rancher 2.x allows users with namespace access to move namespaces between projects without proper authorization. It affects Ranc...
Oct 20, 2023: The Fancy Product Designer WordPress plugin has an authorization vulnerability that allows authenticated users with subscriber-level permissions to mo...
Oct 13, 2023: This CVE-2023-38218 vulnerability in Adobe Commerce allows authenticated attackers to bypass authorization controls, potentially exposing sensitive in...
Oct 10, 2023: This CVE describes an incorrect authorization vulnerability in FortiMail webmail that allows authenticated attackers to log into other users' accounts...
Oct 4, 2023: This vulnerability in ProIntegra Uptime DC software allows regular users to change passwords for all other users, including administrators, leading to...
Aug 17, 2023: This vulnerability allows low-privileged users to execute restricted actions intended only for high-privileged users due to improper authentication in...
Jul 17, 2023: This vulnerability in TapHome's core platform allows authenticated low-privileged users to change other users' passwords without authorization. Attack...
Jun 2, 2023: This vulnerability allows Firefox/Thunderbird extensions to bypass permission prompts when opening external schemes (like file://, mailto:, etc.), ena...
Jun 2, 2023: CVE-2022-46308 is an authorization bypass vulnerability in SGUDA U-Lock central lock control service's user management function. Remote attackers with...
May 26, 2023: A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows authenticated users to execute arbitrary commands on other users' accounts via a...
Apr 26, 2023: This vulnerability allows unauthorized users to generate internal reports in MyQ Solution Print Server and Central Server by accessing a direct URL, b...
Apr 18, 2023: This vulnerability allows low-privileged users to upload and install packages, potentially leading to remote code execution on affected StruxureWare D...
Apr 3, 2023: This vulnerability in Hitachi Vantara Pentaho Business Analytics Server allows unauthorized users to access data source management functions due to im...
Mar 29, 2023: This vulnerability allows network-adjacent attackers to bypass authentication on NETGEAR R6700v3 routers by exploiting incorrect string matching logic...
Mar 27, 2023: Delta Electronics InfraSuite Device Master versions before 1.0.5 contain an improper access control vulnerability in the Device-Gateway service. Attac...
Mar 20, 2023: The ProfileGrid WordPress plugin before version 5.3.1 contains an authorization bypass vulnerability in its password reset functionality. This allows ...
Jun 23, 2022: This vulnerability in SaltStack Salt allows users with locked accounts to continue executing Salt commands if they were previously authenticated. It a...
May 12, 2022: This vulnerability in ZTE's ZXMP M721 product involves incorrect SFTP folder permission reporting (showing 666 instead of actual permissions), allowin...
May 4, 2022: CVE-2021-42192 is an incorrect access control vulnerability in Konga v0.14.9 that allows authenticated users to escalate privileges to admin level thr...
Mar 23, 2022: CVE-2022-0981 is an authorization bypass vulnerability in Quarkus's RestEasy Reactive component where user state and permissions can leak between web ...
Jan 25, 2022: This vulnerability allows any authenticated user in Keycloak to create new default user accounts via the administrative REST API, even when new user r...
Dec 23, 2021: This vulnerability allows attackers to bypass iframe sandbox navigation restrictions in Google Chrome, potentially enabling malicious websites to perf...
About Incorrect Authorization (CWE-863)
Our database tracks 710 CVEs classified as CWE-863, with 138 rated critical and 315 rated high severity. The average CVSS score for Incorrect Authorization vulnerabilities is 7.3.
External reference: View CWE-863 on MITRE CWE →