By weakness (CWE)

CWE-285: related vulnerabilities

CVEs classified under CWE-285. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

17 published vulnerabilities

  • CVE-2026-0072HIGH 7.8

    A missing permission check in Android's input method manager allows a local attacker with minimal privileges to escalate their access and take full control of the affected device. No user action is required to exploit this flaw, making it a practical risk in multi-user or compromised environments.

  • CVE-2026-10236HIGH 7.3

    A security flaw exists in SourceCodester Water Billing Management System version 1.0 that allows attackers to bypass authorization controls in the User Management system. An attacker can remotely manipulate user-related operations through the /classes/Users.php?f=save endpoint without needing credentials or user interaction. This means an unauthorized person could potentially create, modify, or access user accounts and associated data. Public disclosure of this vulnerability means attackers are likely already aware of and testing for it.

  • CVE-2026-10272MEDIUM 6.5

    A4M4's Student-Management-System contains an authorization flaw in its admin panel that allows unauthenticated attackers to manipulate a parameter called 'sid' in the deleteform.php file, potentially leading to unauthorized data modification or deletion. The vulnerability is network-accessible and does not require user interaction or special privileges to exploit. While the issue has been publicly disclosed and exploit code is available, the development team has not yet issued a patch or formal response.

  • CVE-2026-10211MEDIUM 6.3

    AstrBot version 4.23.6 contains a flaw in how it validates file system paths, allowing authenticated users to bypass access restrictions and read, modify, or delete files they shouldn't be able to access. An attacker with valid credentials can exploit this remotely without user interaction. The vulnerability has already been disclosed publicly, and exploit code may be available.

  • CVE-2026-10212MEDIUM 6.3

    A flaw in AstrBot version 4.24.2 allows an authenticated attacker to manipulate the session_id parameter in the astr_main_agent function, bypassing authorization checks. This means a logged-in user could potentially access or modify resources belonging to other users or perform actions they should not be permitted to perform. The vulnerability is remotely exploitable and public exploits are available.

  • CVE-2026-10269MEDIUM 6.3

    A vulnerability in decolua 9router allows an authenticated user to bypass authorization controls by manipulating the Host HTTP header. The flaw exists in the authentication logic of the dashboard guard component and can be exploited remotely by someone with valid login credentials. Affected versions up to 0.4.0 should be updated immediately to 0.4.1.

  • CVE-2026-10693MEDIUM 6.3

    SourceCodester Online Boat Reservation System version 1.0 contains a flaw in its administrative endpoints that fails to properly verify user permissions. An authenticated attacker can exploit this improper authorization to access or modify administrative functions they shouldn't have access to. The vulnerability requires an existing user account but can be exploited over the network without user interaction. The flaw affects multiple administrative endpoints, and exploit details have been publicly disclosed.

  • CVE-2026-10218MEDIUM 5.4

    A security flaw exists in nextlevelbuilder GoClaw versions up to 3.11.3 that allows authenticated users to perform actions they shouldn't be authorized to perform. The vulnerability resides in the authentication logic of the application and can be exploited remotely by someone with valid login credentials. Because the flaw has been publicly disclosed, there's elevated risk that attackers may attempt to exploit it.

  • CVE-2026-10284MEDIUM 5.4

    A security flaw in DevaslanPHP project-management versions up to 2.0.0-beta1 allows authenticated users to bypass authorization controls when editing or deleting comments in ticket management workflows. An attacker with login credentials can manipulate comment-related functions to perform actions they shouldn't be authorized to perform, such as deleting or modifying comments belonging to other users. The issue resides in the Livewire handler component and can be exploited remotely without requiring additional user interaction.

  • CVE-2026-10285MEDIUM 5.4

    DevaslanPHP project-management versions up to 2.0.0-beta1 contain an authorization flaw in the ticket handler component. An authenticated user can manipulate ticket records in ways they should not be permitted to perform, potentially modifying or deleting ticket data without proper access controls. The vulnerability requires an existing login but can be exploited remotely over the network.

  • CVE-2026-10070MEDIUM 4.7

    A flaw in macrozheng mall versions up to 1.0.3 allows an authenticated administrator with high privileges to bypass authorization controls on the super admin password update endpoint. An attacker with admin credentials could manipulate requests to the /admin/update/ path and gain unauthorized access to sensitive administrative functions. The vulnerability requires valid admin-level authentication and cannot be exploited anonymously from the network.

  • CVE-2026-10154MEDIUM 4.3

    Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2 contain an authorization bypass vulnerability in the user messaging module. An authenticated attacker can manipulate the ID parameter in htdocs/user/messaging.php to access or view information they should not have permission to see. The vulnerability requires valid login credentials but allows a logged-in user to circumvent access controls. Upgrading to version 23.0.3 resolves the issue.

  • CVE-2026-10215MEDIUM 4.3

    A flaw in Dolibarr ERP CRM's Leave Request REST API fails to properly check whether users have permission to access specific leave request objects. An authenticated attacker can remotely exploit this to view leave data they should not be able to see. The vulnerability affects versions up to 23.0.1, and Dolibarr has released version 23.0.2 as a fix. Because the exploit has been publicly disclosed, this poses an active risk despite its moderate CVSS score.

  • CVE-2026-10282MEDIUM 4.3

    Bottelet DaybydayCRM versions up to 2.2.1 contain an authorization flaw in the Documents controller that allows authenticated users to access files they shouldn't be able to view. An attacker with valid login credentials can exploit this remotely to read sensitive documents beyond their intended access scope. The vulnerability is rated MEDIUM severity and requires patching.

  • CVE-2026-10294MEDIUM 4.3

    PackageKit, a system library for package management on Linux, contains an authorization bypass vulnerability in versions up to 1.3.5. An authenticated attacker can manipulate the frontend-socket parameter in the API to gain unauthorized access to sensitive information. The vulnerability requires an existing user account to exploit but does not require user interaction. While the attack surface is somewhat limited by authentication requirements, the unauthorized information disclosure poses a real security concern for systems relying on PackageKit.

  • CVE-2026-41115MEDIUM 4.3

    Apache Kafka contains an authorization mismatch in its consumer group metadata API. The CONSUMER_GROUP_DESCRIBE operation checks for DESCRIBE permission on groups, but Kafka's documentation and the relevant design specification (KIP-848) incorrectly state it should check for READ permission. This inconsistency between code behavior and documentation can lead to misconfigured access controls—either granting unintended READ access to users who only have DESCRIBE permissions, or blocking legitimate access for users who rely on documentation-based ACL configurations. The vulnerability is not a code flaw but a documentation gap that can cause real-world security postures to diverge from intent.

  • CVE-2026-40963LOW 3.1

    Apache Airflow's UI structure_data endpoint was leaking metadata about linked workflows (DAGs) to users who shouldn't see them. An authenticated user with permission to view one workflow could discover the names and dependency relationships of other workflows they weren't authorized to access. This is a read-only information disclosure—no data modification or system disruption occurs—but it can undermine team isolation in multi-tenant Airflow deployments where workflow topology is considered sensitive.