By weakness (CWE)
CWE-862: related vulnerabilities
CVEs classified under CWE-862. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
22 published vulnerabilities
- CVE-2025-53345HIGH 8.8
ThimPress Thim Core contains a missing authorization vulnerability that allows authenticated users to execute arbitrary code by installing a malicious plugin. An attacker with legitimate user access can bypass security checks intended to restrict plugin installation, enabling them to deploy and run arbitrary code on the affected WordPress installation. This is a post-authentication attack that significantly expands an attacker's capability once they have gained initial user credentials.
- CVE-2026-32905HIGH 8.3
OpenClaw versions before 2026.5.4 contain a flaw that lets users with basic chat access create device enrollment codes they shouldn't be able to generate. An attacker with legitimate chat permissions can issue bootstrap codes that add new devices with full operator and node-level capabilities to the system. Once enrolled, these devices retain administrative credentials indefinitely until an administrator manually removes them, creating a persistent backdoor.
- CVE-2026-35630HIGH 8.0
OpenClaw versions before 2026.5.18 have an authorization bypass flaw in the QQBot approval workflow. Users who are not designated approvers can click approval buttons to authorize pending requests for code execution or plugin installations—permissions they should not have. An attacker with basic OpenClaw access could escalate their capabilities by approving requests they have no business approving, effectively bypassing the system's governance controls.
- CVE-2025-26418HIGH 7.8
A vulnerability in Android's device management system allows a local attacker with basic app permissions to bypass the user confirmation dialog that normally protects account additions on managed devices. This enables privilege escalation without requiring any special system access or user interaction. The flaw stems from a missing permission check in the CarDevicePolicyService component.
- CVE-2018-25391HIGH 7.5
HaPe PKH 1.1 contains a critical authorization bypass flaw that allows anyone on the internet to delete administrative records without logging in or proving identity. An attacker can craft simple requests to remove administrator accounts and system updates by directly specifying which records to delete. The application fails to verify whether the requester has permission to perform these destructive actions, making it trivial to sabotage the system's core administrative functions.
- CVE-2026-10737HIGH 7.5
The SP Project & Document Manager plugin for WordPress has a serious authorization flaw that allows anyone on the internet to download files from project folders without logging in. The vulnerability stems from a flawed permission check that uses logic errors to bypass all security gates. An attacker only needs to know or guess a file ID to request access through a standard WordPress admin interface, potentially exposing confidential project documents, contracts, customer data, or other sensitive files stored within the plugin.
- CVE-2026-42669HIGH 7.5
EventPrime versions through 4.3.2.0 contain a missing authorization vulnerability that allows unauthenticated attackers to modify data or perform actions they should not have access to. The flaw stems from improperly configured access control checks, meaning the application fails to verify user permissions before allowing sensitive operations. An attacker on the network can exploit this without credentials or user interaction, potentially altering event configurations, participant data, or other critical information depending on EventPrime's scope.
- CVE-2026-42670HIGH 7.5
CVE-2026-42670 is a missing authorization flaw in Etoile Web Design Incorporated's Five Star Restaurant Reservations system. An attacker can access sensitive data by exploiting improperly configured access controls without needing credentials or user interaction. The vulnerability allows unauthenticated remote access to confidential information, presenting a direct risk to restaurant operations and customer data.
- CVE-2026-42677HIGH 7.5
A missing authorization flaw in WP Document Revisions allows unauthenticated attackers to access sensitive documents by exploiting improperly configured security levels. The vulnerability affects how the plugin enforces access control rules, enabling unauthorized users to view confidential information stored within the WordPress environment.
- CVE-2026-42675HIGH 7.3
Themefic Hydra Booking versions up to 1.1.41 contain a missing authorization flaw that allows attackers to bypass access controls and perform unauthorized actions. An attacker without authentication can exploit incorrectly configured security levels to access or modify booking data and functionality that should be restricted. This is a network-based vulnerability requiring no user interaction or special privileges.
- CVE-2026-31942HIGH 7.1
LibreChat versions up to 0.7.6 contain a critical flaw in how API keys are managed. Any authenticated user can manipulate API key settings for other users by injecting parameters into requests, allowing them to replace legitimate API keys (from providers like OpenAI, Anthropic, or Azure) with their own or invalid ones. This means an attacker could intercept conversations through attacker-controlled API endpoints or disable a victim's service entirely.
- CVE-2025-52766MEDIUM 6.5
CVE-2025-52766 is a missing authorization flaw in Printeers Print & Ship that allows authenticated users to perform actions they shouldn't have permission to do. An attacker with valid login credentials can exploit improperly configured access controls to modify data or settings—for instance, altering print job configurations, shipping labels, or account information belonging to other users or tenants. The vulnerability requires an authenticated user; it cannot be exploited by unauthenticated attackers. The impact is elevation of privilege within the application, not confidentiality compromise or service disruption.
- CVE-2026-42671MEDIUM 6.5
Paolo GeoDirectory versions up to 2.8.157 contain a missing authorization flaw that allows attackers to bypass access controls. Without needing credentials or user interaction, an attacker on the network can exploit misconfigured security levels to gain unauthorized access to sensitive operations, potentially modifying data or causing service disruption.
- CVE-2026-10815MEDIUM 6.3
A missing authorization vulnerability was discovered in the Hostel Management System PHP application, specifically in the Admin Dashboard Page's index.php file. An authenticated attacker can manipulate the ID parameter to bypass authorization checks, potentially gaining unauthorized access to sensitive administrative functions. The vulnerability requires valid login credentials but does not require user interaction once authenticated. Public exploit code is available, increasing the practical risk.
- CVE-2026-27351MEDIUM 5.4
Sekander Badsha Crew HRM contains a missing authorization vulnerability that allows authenticated users to perform actions they should not be permitted to perform due to incorrectly configured access controls. An attacker with valid login credentials can exploit weak permission checks to modify data or disrupt availability, even if their role should restrict such access.
- CVE-2025-12714MEDIUM 5.3
A widely used WordPress SEO plugin has a security hole that allows anyone on the internet—even without a WordPress account—to change critical SEO settings and site metadata. An attacker could modify your site's homepage title, meta descriptions, breadcrumb labels, and social media preview information without permission. This creates two problems: it can tank your search engine rankings, and it opens the door to injecting malicious content that visitors see across your site.
- CVE-2025-53302MEDIUM 5.3
CVE-2025-53302 is a missing authorization vulnerability in Anton Shevchuk's Constructor framework that allows unauthenticated attackers to access functionality that should be restricted by access control rules. An attacker can reach protected features without proper credentials or permissions, potentially exposing sensitive operations or data. The vulnerability affects Constructor versions up to and including 1.6.5.
- CVE-2025-53346MEDIUM 4.3
CVE-2025-53346 is a missing authorization flaw in ThimPress Thim Core that allows authenticated users to modify data or settings they should not have access to. The vulnerability stems from inadequate access control checks, meaning the application fails to properly verify whether a logged-in user has permission to perform specific actions. While an attacker must already have valid login credentials, the weakness could allow them to escalate privileges or tamper with configuration or content outside their intended scope.
- CVE-2026-10616MEDIUM 4.3
GoClaw, a component of nextlevelbuilder, contains a flaw in how it validates permissions when completing team tasks. An authenticated attacker can manipulate the Team Task Completion Handler to bypass authorization checks, potentially modifying task records they shouldn't have access to. The vulnerability requires a valid login and network access, and affects versions up to 3.11.3. While the issue carries a medium risk profile, the public availability of exploit details increases practical attack likelihood.
- CVE-2026-10855MEDIUM 4.3
MISP, a threat intelligence platform, contained an authorization flaw in its event template import feature. When an authenticated user attempted to overwrite an existing event template, the system verified that a template with that name existed but failed to check whether the importing user's organization actually owned it. This allowed users from one organization to forcibly overwrite event templates belonging to other organizations. The flaw only affected non-administrator users; site administrators retained the ability to manage templates across organizational boundaries by design. The vulnerability has been remediated by adding an ownership verification step before permitting any template overwrite operation.
- CVE-2026-41014MEDIUM 4.3
Apache Airflow contains an authorization bypass in its UI that allows authenticated users to view information about data pipeline runs (DAGs) they shouldn't have access to. Specifically, a user with broad asset-level read permissions can see partition run states, scheduling details, and data connections for DAGs restricted to other teams or users. This affects only deployments that intentionally segment DAG access by user or role while granting wider asset visibility. The vulnerability requires an existing user account and network access to the Airflow UI or API.
- CVE-2026-41160MEDIUM 4.3
EspoCRM contains a logic flaw that allows lower-privileged users to pin notes they don't have permission to edit. The vulnerability stems from a timing issue in the API backend: the system modifies the note in the database before checking whether the user is actually authorized to do so. Even though the server returns an error message afterward, the damage is already done—the note remains pinned. This affects EspoCRM versions before 9.3.5.