Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-16126

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-18 Jul, 2026 | 15:45
Updated At-18 Jul, 2026 | 15:45
Rejected At-
Credits

zevorn rt-claw Swarm RPC Receiver swarm.c handle_rpc_request authorization

A vulnerability was determined in zevorn rt-claw up to 0.2.0. The impacted element is the function handle_rpc_request of the file claw/services/swarm/swarm.c of the component Swarm RPC Receiver. This manipulation causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:18 Jul, 2026 | 15:45
Updated At:18 Jul, 2026 | 15:45
Rejected At:
▼CVE Numbering Authority (CNA)
zevorn rt-claw Swarm RPC Receiver swarm.c handle_rpc_request authorization

A vulnerability was determined in zevorn rt-claw up to 0.2.0. The impacted element is the function handle_rpc_request of the file claw/services/swarm/swarm.c of the component Swarm RPC Receiver. This manipulation causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Affected Products
Vendor
zevorn
Product
rt-claw
CPEs
  • cpe:2.3:a:zevorn:rt-claw:*:*:*:*:*:*:*:*
Modules
  • Swarm RPC Receiver
Versions
Affected
  • 0.1
  • 0.2.0
Problem Types
TypeCWE IDDescription
CWECWE-863Incorrect Authorization
CWECWE-285Improper Authorization
Type: CWE
CWE ID: CWE-863
Description: Incorrect Authorization
Type: CWE
CWE ID: CWE-285
Description: Improper Authorization
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3.07.3HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2.07.5N/A
AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 3.0
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 2.0
Base score: 7.5
Base severity: N/A
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Eric-y (VulDB User)
coordinator
VulDB CNA Team
Timeline
EventDate
Advisory disclosed2026-07-17 00:00:00
VulDB entry created2026-07-17 02:00:00
VulDB entry last update2026-07-17 18:13:35
Event: Advisory disclosed
Date: 2026-07-17 00:00:00
Event: VulDB entry created
Date: 2026-07-17 02:00:00
Event: VulDB entry last update
Date: 2026-07-17 18:13:35
Replaced By

Rejected Reason

References
HyperlinkResource
https://vuldb.com/vuln/379838
vdb-entry
technical-description
https://vuldb.com/vuln/379838/cti
signature
permissions-required
https://vuldb.com/cve/CVE-2026-16126
third-party-advisory
https://vuldb.com/submit/856870
third-party-advisory
https://vuldb.com/submit/856871
third-party-advisory
https://github.com/zevorn/rt-claw/issues/135
issue-tracking
https://github.com/zevorn/rt-claw/issues/137
exploit
issue-tracking
https://github.com/zevorn/rt-claw/
product
Hyperlink: https://vuldb.com/vuln/379838
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/vuln/379838/cti
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/cve/CVE-2026-16126
Resource:
third-party-advisory
Hyperlink: https://vuldb.com/submit/856870
Resource:
third-party-advisory
Hyperlink: https://vuldb.com/submit/856871
Resource:
third-party-advisory
Hyperlink: https://github.com/zevorn/rt-claw/issues/135
Resource:
issue-tracking
Hyperlink: https://github.com/zevorn/rt-claw/issues/137
Resource:
exploit
issue-tracking
Hyperlink: https://github.com/zevorn/rt-claw/
Resource:
product
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:18 Jul, 2026 | 16:17
Updated At:18 Jul, 2026 | 16:17

A vulnerability was determined in zevorn rt-claw up to 0.2.0. The impacted element is the function handle_rpc_request of the file claw/services/swarm/swarm.c of the component Swarm RPC Receiver. This manipulation causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.5MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Secondary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Secondary
Version: 4.0
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-285Primarycna@vuldb.com
CWE-863Primarycna@vuldb.com
CWE ID: CWE-285
Type: Primary
Source: cna@vuldb.com
CWE ID: CWE-863
Type: Primary
Source: cna@vuldb.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/zevorn/rt-claw/cna@vuldb.com
N/A
https://github.com/zevorn/rt-claw/issues/135cna@vuldb.com
N/A
https://github.com/zevorn/rt-claw/issues/137cna@vuldb.com
N/A
https://vuldb.com/cve/CVE-2026-16126cna@vuldb.com
N/A
https://vuldb.com/submit/856870cna@vuldb.com
N/A
https://vuldb.com/submit/856871cna@vuldb.com
N/A
https://vuldb.com/vuln/379838cna@vuldb.com
N/A
https://vuldb.com/vuln/379838/cticna@vuldb.com
N/A
Hyperlink: https://github.com/zevorn/rt-claw/
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/zevorn/rt-claw/issues/135
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/zevorn/rt-claw/issues/137
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/cve/CVE-2026-16126
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/856870
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/856871
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/379838
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/379838/cti
Source: cna@vuldb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

144Records found

CVE-2025-13806
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 33.10%
||
7 Day CHG~0.00%
Published-01 Dec, 2025 | 04:02
Updated-24 Feb, 2026 | 06:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nutzam NutzBoot Transaction API EthModule.java improper authorization

A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Transaction API. The manipulation of the argument from/to/wei leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

Action-Not Available
Vendor-nutzamnutzam
Product-nutzbootNutzBoot
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-13063
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.34% / 26.37%
||
7 Day CHG~0.00%
Published-12 Nov, 2025 | 21:02
Updated-14 Nov, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DinukaNavaratna Dee Store authorization

A flaw has been found in DinukaNavaratna Dee Store 1.0. Affected is an unknown function. Executing manipulation can lead to missing authorization. The attack may be performed from remote. The exploit has been published and may be used. Multiple endpoints are affected.

Action-Not Available
Vendor-DinukaNavaratna
Product-Dee Store
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2013-2198
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.73% / 74.99%
||
7 Day CHG~0.00%
Published-30 Jan, 2020 | 20:35
Updated-06 Aug, 2024 | 15:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows attackers to bypass intended restrictions via a crafted username.

Action-Not Available
Vendor-login_security_projectLogin Security
Product-login_securityLogin Security
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-28872
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.32% / 87.21%
||
7 Day CHG~0.00%
Published-12 Apr, 2021 | 13:35
Updated-04 Aug, 2024 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials.

Action-Not Available
Vendor-monitorrn/a
Product-monitorrn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-14236
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.26% / 81.02%
||
7 Day CHG~0.00%
Published-12 Sep, 2019 | 17:43
Updated-05 Aug, 2024 | 00:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and STM32H7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated by observing CPU registers and the effect of code/instruction execution.

Action-Not Available
Vendor-stn/a
Product-stm32l1_firmwarestm32l4_firmwarestm32f7stm32h7stm32l4stm32f4stm32l0_firmwarestm32h7_firmwarestm32f7_firmwarestm32l0stm32f4_firmwarestm32l1n/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-4990
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.35% / 27.29%
||
7 Day CHG~0.00%
Published-27 Mar, 2026 | 21:27
Updated-24 Apr, 2026 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
chatwoot Signup Endpoint login improper authorization

A security vulnerability has been detected in chatwoot up to 4.11.1. The affected element is an unknown function of the file /app/login of the component Signup Endpoint. Such manipulation of the argument signupEnabled with the input true leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-n/a
Product-chatwoot
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2020-27156
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.18% / 80.36%
||
7 Day CHG~0.00%
Published-15 Oct, 2020 | 04:34
Updated-04 Aug, 2024 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Veritas APTARE versions prior to 10.5 did not perform adequate authorization checks. This vulnerability could allow for remote code execution by an unauthenticated user.

Action-Not Available
Vendor-n/aVeritas Technologies LLC
Product-aptaren/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-10908
Matching Score-4
Assigner-WSO2 LLC
ShareView Details
Matching Score-4
Assigner-WSO2 LLC
CVSS Score-7.3||HIGH
EPSS-0.23% / 13.81%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 09:01
Updated-27 May, 2026 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.

Action-Not Available
Vendor-WSO2 LLC
Product-identity_serverWSO2 Carbon MagicLink Authenticator ModuleWSO2 Identity Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-34035
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-7.3||HIGH
EPSS-0.57% / 43.27%
||
7 Day CHG~0.00%
Published-18 Jul, 2023 | 15:29
Updated-25 Oct, 2024 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.) Specifically, an application is vulnerable when all of the following are true: * Spring MVC is on the classpath * Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet) * The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints An application is not vulnerable if any of the following is true: * The application does not have Spring MVC on the classpath * The application secures no servlets other than Spring MVC’s DispatcherServlet * The application uses requestMatchers(String) only for Spring MVC endpoints

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)
Product-spring_securitySpring Security
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-10374
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.33% / 25.23%
||
7 Day CHG~0.00%
Published-13 Sep, 2025 | 19:02
Updated-15 Sep, 2025 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shenzhen Sixun Business Management System OperatorStop improper authorization

A security flaw has been discovered in Shenzhen Sixun Business Management System 7/11. This affects an unknown part of the file /Adm/OperatorStop. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited.

Action-Not Available
Vendor-Shenzhen Sixun
Product-Business Management System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2025-0484
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.54% / 41.59%
||
7 Day CHG~0.00%
Published-15 Jan, 2025 | 20:00
Updated-27 Feb, 2025 | 02:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fanli2012 native-php-cms Backend sysconfig_doedit.php improper authorization

A vulnerability was found in Fanli2012 native-php-cms 1.0 and classified as critical. This issue affects some unknown processing of the file /fladmin/sysconfig_doedit.php of the component Backend. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-fanli2012Fanli2012
Product-native-php-cmsnative-php-cms
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2026-4617
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.35% / 27.08%
||
7 Day CHG~0.00%
Published-24 Mar, 2026 | 00:52
Updated-24 Apr, 2026 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Patients Waiting Area Queue Management System Patient Check-In api_patient_checkin.php ValidateToken improper authorization

A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. The impacted element is the function ValidateToken of the file /php/api_patient_checkin.php of the component Patient Check-In Module. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

Action-Not Available
Vendor-SourceCodester
Product-Patients Waiting Area Queue Management System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2019-14237
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.92% / 85.50%
||
7 Day CHG~0.00%
Published-12 Sep, 2019 | 17:56
Updated-05 Aug, 2024 | 00:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Access Controls (FAC) (a software IP protection method for execute-only access) can be defeated by observing CPU registers and the effect of code/instruction execution.

Action-Not Available
Vendor-nxpn/a
Product-kinetis_k8x_firmwarekinetis_k8xkinetis_kv1x_firmwarekinetis_kv1xkinetis_kv3xkinetis_kv3x_firmwaren/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-25055
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.44% / 35.46%
||
7 Day CHG~0.00%
Published-31 Aug, 2020 | 20:24
Updated-04 Aug, 2024 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. The persona service allows attackers (who control an unprivileged SecureFolder process) to bypass admin restrictions in KnoxContainer. The Samsung ID is SVE-2020-18133 (August 2020).

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-3762
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.50% / 39.27%
||
7 Day CHG~0.00%
Published-08 Mar, 2026 | 18:32
Updated-11 Mar, 2026 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Client Database Management System Endpoint superadmin_delete_manager.php improper authorization

A vulnerability has been found in SourceCodester Client Database Management System 1.0/3.1. Impacted is an unknown function of the file /superadmin_delete_manager.php of the component Endpoint. The manipulation of the argument manager_id leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-lerouxyxchireSourceCodester
Product-client_database_management_systemClient Database Management System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2001-1155
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.03% / 78.84%
||
7 Day CHG~0.00%
Published-25 Jun, 2002 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the PARANOID ACL option enabled does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing.

Action-Not Available
Vendor-n/aFreeBSD Foundation
Product-freebsdn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-3734
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.36% / 28.68%
||
7 Day CHG~0.00%
Published-08 Mar, 2026 | 13:02
Updated-11 Mar, 2026 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Client Database Management System Endpoint fetch_manager_details.php improper authorization

A flaw has been found in SourceCodester Client Database Management System 1.0. Affected is an unknown function of the file /fetch_manager_details.php of the component Endpoint. This manipulation of the argument manager_id causes improper authorization. The attack can be initiated remotely. The exploit has been published and may be used.

Action-Not Available
Vendor-lerouxyxchireSourceCodester
Product-client_database_management_systemClient Database Management System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2026-3764
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.36% / 28.68%
||
7 Day CHG~0.00%
Published-08 Mar, 2026 | 19:32
Updated-10 Mar, 2026 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Client Database Management System superadmin_user_update.php improper authorization

A vulnerability was determined in SourceCodester Client Database Management System 1.0. The impacted element is an unknown function of the file /superadmin_user_update.php. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-lerouxyxchireSourceCodester
Product-client_database_management_systemClient Database Management System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2020-21124
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.18% / 80.36%
||
7 Day CHG~0.00%
Published-15 Sep, 2021 | 16:16
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

UReport 2.2.9 allows attackers to execute arbitrary code due to a lack of access control to the designer page.

Action-Not Available
Vendor-ureport_projectn/a
Product-ureportn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-18701
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.28% / 81.16%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 17:55
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token upon logout, which allows for replaying packets.

Action-Not Available
Vendor-talelinn/a
Product-lin-cms-flaskn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-19301
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.50% / 82.91%
||
7 Day CHG~0.00%
Published-03 Aug, 2021 | 21:24
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the vae_admin_rule database table of vaeThink v1.0.1 allows attackers to execute arbitrary code via a crafted payload in the condition parameter.

Action-Not Available
Vendor-vaethinkn/a
Product-vaethinkn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-20466
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.80% / 76.07%
||
7 Day CHG~0.00%
Published-21 Jun, 2021 | 03:57
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.

Action-Not Available
Vendor-white_shark_systems_projectn/a
Product-white_shark_systemsn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-16904
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-5.3||MEDIUM
EPSS-3.37% / 87.41%
||
7 Day CHG+0.25%
Published-16 Oct, 2020 | 22:17
Updated-23 Feb, 2026 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure Functions Elevation of Privilege Vulnerability

<p>An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.</p> <p>An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.</p> <p>This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions.</p>

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_functionsAzure Functions
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-1745
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.6||HIGH
EPSS-4.84% / 91.01%
||
7 Day CHG~0.00%
Published-28 Apr, 2020 | 00:00
Updated-04 Aug, 2024 | 06:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.

Action-Not Available
Vendor-undertow-ioRed Hat, Inc.
Product-undertowundertow
CWE ID-CWE-285
Improper Authorization
CVE-2023-27594
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.2||MEDIUM
EPSS-0.55% / 42.45%
||
7 Day CHG~0.00%
Published-17 Mar, 2023 | 19:56
Updated-25 Feb, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cilium vulnerable to potential network policy bypass when routing IPv6 traffic

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from the host on which Cilium is running. As a consequence, network policies for that cluster might be bypassed, depending on the specific network policies enabled. This issue only manifests when Cilium is routing IPv6 traffic and NodePorts are used to route traffic to pods. IPv6 and endpoint routes are both disabled by default. The problem has been fixed and is available on versions 1.11.15, 1.12.8, and 1.13.1. As a workaround, disable IPv6 routing.

Action-Not Available
Vendor-ciliumcilium
Product-ciliumcilium
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-1815
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.50% / 39.61%
||
7 Day CHG~0.00%
Published-02 Mar, 2025 | 12:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
pbrong hrms resource.go HrmsDB improper authorization

A vulnerability, which was classified as critical, was found in pbrong hrms up to 1.0.1. This affects the function HrmsDB of the file \resource\resource.go. The manipulation of the argument user_cookie leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-pbrong
Product-hrms
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2020-13957
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-78.87% / 99.55%
||
7 Day CHG~0.00%
Published-13 Oct, 2020 | 18:28
Updated-04 Aug, 2024 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

Action-Not Available
Vendor-n/aThe Apache Software Foundation
Product-solrApache Solr
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-12925
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.43% / 34.80%
||
7 Day CHG~0.00%
Published-10 Nov, 2025 | 01:32
Updated-24 Feb, 2026 | 07:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
rymcu forest UserDicController.java deleteDic authorization

A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Impacted is the function getAll/addDic/getAllDic/deleteDic of the file src/main/java/com/rymcu/forest/lucene/api/UserDicController.java. The manipulation results in missing authorization. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.

Action-Not Available
Vendor-rymcurymcu
Product-forestforest
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-11030
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.36% / 28.20%
||
7 Day CHG~0.00%
Published-Not Available
Updated-29 Sep, 2025 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was detected in Tutorials-Website Employee Management System up to 611887d8f8375271ce8abc704507d46340837a60. Impacted is an unknown function of the file /admin/all-applied-leave.php of the component HTTP Request Handler. The manipulation results in improper authorization. The attack may be performed from remote. The exploit is now public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.

Action-Not Available
Vendor-
Product-
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2020-11844
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-10||CRITICAL
EPSS-2.01% / 78.63%
||
7 Day CHG~0.00%
Published-29 May, 2020 | 21:15
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization vulnerability in the Micro Focus Container Deployment Foundation affecting multiple products.

Incorrect Authorization vulnerability in Micro Focus Container Deployment Foundation component affects products: - Hybrid Cloud Management. Versions 2018.05 to 2019.11. - ArcSight Investigate. versions 2.4.0, 3.0.0 and 3.1.0. - ArcSight Transformation Hub. versions 3.0.0, 3.1.0, 3.2.0. - ArcSight Interset. version 6.0.0. - ArcSight ESM (when ArcSight Fusion 1.0 is installed). version 7.2.1. - Service Management Automation (SMA). versions 2018.05 to 2020.02 - Operation Bridge Suite (Containerized). Versions 2018.05 to 2020.02. - Network Operation Management. versions 2017.11 to 2019.11. - Data Center Automation Containerized. versions 2018.05 to 2019.11 - Identity Intelligence. versions 1.1.0 and 1.1.1. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.

Action-Not Available
Vendor-Micro FocusMicro Focus International Limited
Product-service_management_automation Operation Bridge Suite (Containerized)Network Operation ManagementService Management Automation (SMA)ArcSight IntersetHybrid Cloud ManagementArcSight ESM (when ArcSight FusionArcSight Investigate. versionsArcSight Transformation HubData Center Automation ContainerizedIdentity Intelligence. versions
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-13808
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.42% / 33.98%
||
7 Day CHG~0.00%
Published-01 Dec, 2025 | 05:02
Updated-04 Dec, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
orionsec orion-ops User Profile UserController.java update improper authorization

A flaw has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this vulnerability is the function update of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/UserController.java of the component User Profile Handler. This manipulation of the argument ID causes improper authorization. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-orionsecorionsec
Product-orion-opsorion-ops
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2020-12053
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.68% / 48.19%
||
7 Day CHG~0.00%
Published-22 Jun, 2020 | 19:53
Updated-04 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Unisys Stealth 3.4.x, 4.x and 5.x before 5.0.026, if certificate-based authorization is used without HTTPS, an endpoint could be authorized without a private key.

Action-Not Available
Vendor-unisysn/a
Product-stealthn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2020-10620
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-1.21% / 65.10%
||
7 Day CHG~0.00%
Published-14 May, 2020 | 20:39
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Opto 22 SoftPAC Project Version 9.6 and prior. SoftPAC communication does not include any credentials. This allows an attacker with network access to directly communicate with SoftPAC, including, for example, stopping the service remotely.

Action-Not Available
Vendor-opto22n/a
Product-softpac_projectOpto 22 SoftPAC Project
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2020-10516
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
ShareView Details
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
CVSS Score-9.8||CRITICAL
EPSS-1.59% / 72.93%
||
7 Day CHG~0.00%
Published-03 Jun, 2020 | 13:31
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper access control in GitHub Enterprise Server leading to privilege escalation of organization member

An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21 and was fixed in 2.20.9, 2.19.15, and 2.18.20. This vulnerability was reported via the GitHub Bug Bounty program.

Action-Not Available
Vendor-GitHub, Inc.
Product-githubGitHub Enterprise Server
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CVE-2020-10534
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.21% / 64.98%
||
7 Day CHG~0.00%
Published-12 Mar, 2020 | 22:14
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the GlobalBlocking extension before 2020-03-10 for MediaWiki through 1.34.0, an issue related to IP range evaluation resulted in blocked users re-gaining escalated privileges. This is related to the case in which an IP address is contained in two ranges, one of which is locally disabled.

Action-Not Available
Vendor-n/aWikimedia Foundation
Product-mediawikin/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-7489
Matching Score-4
Assigner-SonicWall, Inc.
ShareView Details
Matching Score-4
Assigner-SonicWall, Inc.
CVSS Score-9.8||CRITICAL
EPSS-5.28% / 91.65%
||
7 Day CHG~0.00%
Published-23 Dec, 2019 | 21:50
Updated-04 Aug, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in SonicWall Email Security appliance allow an unauthenticated user to perform remote code execution. This vulnerability affected Email Security Appliance version 10.0.2 and earlier.

Action-Not Available
Vendor-SonicWall Inc.
Product-email_security_applianceEmail Security Appliance
CWE ID-CWE-285
Improper Authorization
CVE-2019-12419
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-13.84% / 96.10%
||
7 Day CHG~0.00%
Published-06 Nov, 2019 | 20:18
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

Action-Not Available
Vendor-The Apache Software FoundationOracle Corporation
Product-retail_order_brokerflexcube_private_bankingcxfcommerce_guided_searchenterprise_manager_base_platformApache CXF
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-6855
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-7.3||HIGH
EPSS-0.95% / 57.42%
||
7 Day CHG~0.00%
Published-06 Jan, 2020 | 22:56
Updated-04 Aug, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect Authorization vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20) , and Modicon M580 (all versions prior to V3.10), which could cause a bypass of the authentication process between EcoStruxure Control Expert and the M340 and M580 controllers.

Action-Not Available
Vendor-n/a
Product-modicon_m580_bmep582040_firmwaremodicon_m580_bmeh582040modicon_m580_bmep583040_firmwaremodicon_m340_bmxp3420302_firmwaremodicon_m580_bmep583020modicon_m580_bmeh586040s_firmwaremodicon_m580_bmeh584040smodicon_m580_bmeh586040smodicon_m580_bmep586040modicon_m580_bmep584040s_firmwaremodicon_m580_bmep584040modicon_m580_bmeh586040modicon_m580_bmep582020modicon_m580_bmep583020_firmwaremodicon_m340_bmxp342000modicon_m340_bmxp341000modicon_m340_bmxp342020_firmwaremodicon_m340_bmxp3420102_firmwaremodicon_m580_bmep585040_firmwaremodicon_m580_bmep584040_firmwaremodicon_m580_bmep584040smodicon_m580_bmep583040ecostruxure_control_expertmodicon_m580_bmep582040modicon_m580_bmep584020_firmwaremodicon_m580_bmeh584040modicon_m580_bmep585040modicon_m580_bmeh584040_firmwareunity_promodicon_m340_bmxp3420302modicon_m580_bmep584020modicon_m580_bmeh584040s_firmwaremodicon_m580_bmep582040s_firmwaremodicon_m580_bmep582040smodicon_m580_bmeh582040_firmwaremodicon_m340_bmxp342020modicon_m340_bmxp341000_firmwaremodicon_m580_bmep581020_firmwaremodicon_m580_bmep581020modicon_m580_bmep582020_firmwaremodicon_m580_bmeh586040_firmwaremodicon_m340_bmxp342000_firmwaremodicon_m340_bmxp3420102modicon_m580_bmep586040_firmware EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20) , and Modicon M580 (all versions prior to V3.10)
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-7192
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-88.21% / 99.75%
||
7 Day CHG~0.00%
Published-05 Dec, 2019 | 16:17
Updated-27 Oct, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-06-22||Apply updates per vendor instructions.

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.

Action-Not Available
Vendor-n/aQNAP Systems, Inc.
Product-qtsphoto_stationQNAP NAS devices running Photo StationPhoto Station
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-7578
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.82% / 53.27%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 13:00
Updated-28 Aug, 2024 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Alien Technology ALR-F800 cmd.php improper authorization

A vulnerability was found in Alien Technology ALR-F800 up to 19.10.24.00. It has been classified as critical. Affected is an unknown function of the file /var/www/cmd.php. The manipulation of the argument cmd leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Alien Technology, LLC.
Product-alr-f800alr-f800_firmwareALR-F800alr-f800
CWE ID-CWE-285
Improper Authorization
CVE-2024-3957
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.88% / 55.16%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 16:51
Updated-08 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Booster for WooCommerce <= 7.1.8 - Unauthenticated Arbitrary Shortcode Execution

The Booster for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 7.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are installed and what shortcode functionality they provide.

Action-Not Available
Vendor-boosterpluggablbooster
Product-booster_for_woocommerceBooster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Toolsbooster_for_woocommerce
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-7799
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.56% / 42.90%
||
7 Day CHG~0.00%
Published-14 Aug, 2024 | 23:31
Updated-19 Aug, 2024 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Simple Online Bidding System users.php improper authorization

A vulnerability was found in SourceCodester Simple Online Bidding System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /simple-online-bidding-system/bidding/admin/users.php. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-simple_online_bidding_systemSimple Online Bidding Systemsimple_online_bidding_system
CWE ID-CWE-285
Improper Authorization
CVE-2026-44567
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.23% / 13.82%
||
7 Day CHG~0.00%
Published-15 May, 2026 | 20:59
Updated-19 May, 2026 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI: Open WebUI Improper Authorization Control

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the default user role is set to pending. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either user or admin before that user is able to access the web application. This vulnerability is fixed in 0.1.124.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-602
Client-Side Enforcement of Server-Side Security
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-14690
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.29% / 20.78%
||
7 Day CHG~0.00%
Published-05 Jul, 2026 | 01:30
Updated-06 Jul, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Multi-Vendor Online Grocery Management System Users.php save_users improper authorization

A weakness has been identified in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This affects the function save_users of the file classes/Users.php. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

Action-Not Available
Vendor-SourceCodester
Product-Multi-Vendor Online Grocery Management System
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2022-22978
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-9.8||CRITICAL
EPSS-10.69% / 95.32%
||
7 Day CHG+0.65%
Published-19 May, 2022 | 00:00
Updated-03 Aug, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)NetApp, Inc.Oracle Corporation
Product-financial_services_crime_and_compliance_management_studiospring_securityactive_iq_unified_managerSpring Security
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-14753
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.87%
||
7 Day CHG~0.00%
Published-05 Jul, 2026 | 13:45
Updated-06 Jul, 2026 | 18:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mjperpinosa stumasy Note Handler/Assignment notes authorization

A vulnerability was detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This impacts an unknown function of the file /PHP/objects/notes of the component Note Handler/Assignment Handler. Performing a manipulation of the argument assignment_item_id results in authorization bypass. The attack can be initiated remotely. The exploit is now public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-mjperpinosa
Product-stumasy
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2018-18815
Matching Score-4
Assigner-TIBCO Software Inc.
ShareView Details
Matching Score-4
Assigner-TIBCO Software Inc.
CVSS Score-10||CRITICAL
EPSS-3.13% / 86.42%
||
7 Day CHG~0.00%
Published-07 Mar, 2019 | 22:00
Updated-16 Sep, 2024 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TIBCO JasperReports Server User Information Disclosure

The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability that theoretically allows unauthenticated users to bypass authorization checks for portions of the HTTP interface to the JasperReports Server. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0.

Action-Not Available
Vendor-TIBCO (Cloud Software Group, Inc.)
Product-jaspersoft_reporting_and_analyticsjasperreports_serverjaspersoftTIBCO Jaspersoft Reporting and Analytics for AWSTIBCO Jaspersoft for AWS with Multi-TenancyTIBCO JasperReports Server Community EditionTIBCO JasperReports Server for ActiveMatrix BPMTIBCO JasperReports Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-12204
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.29% / 21.15%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 01:15
Updated-15 Jun, 2026 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral authorization

A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-n/a
Product-ShopXO
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-11462
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.29% / 21.34%
||
7 Day CHG~0.00%
Published-07 Jun, 2026 | 22:00
Updated-08 Jun, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chengdu Everbrite Network Technology BeikeShop Stripe Plugin StripeController.php callback improper authorization

A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipulation of the argument Request results in improper authorization. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named 6719e0fc690ea0a998452092862e0f0a17c65968. It is suggested to install a patch to address this issue.

Action-Not Available
Vendor-Chengdu Everbrite Network Technology
Product-BeikeShop
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2022-39956
Matching Score-4
Assigner-Switzerland National Cyber Security Centre (NCSC)
ShareView Details
Matching Score-4
Assigner-Switzerland National Cyber Security Centre (NCSC)
CVSS Score-7.3||HIGH
EPSS-0.95% / 57.34%
||
7 Day CHG~0.00%
Published-20 Sep, 2022 | 00:00
Updated-03 Nov, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Partial rule set bypass in OWASP ModSecurity Core Rule Set for HTTP multipart requests using character encoding in the Content-Type or Content-Transfer-Encoding header

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

Action-Not Available
Vendor-owaspOWASPFedora ProjectDebian GNU/Linux
Product-fedoradebian_linuxowasp_modsecurity_core_rule_setModSecurity Core Rule Set
CWE ID-CWE-116
Improper Encoding or Escaping of Output
CWE ID-CWE-863
Incorrect Authorization
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found