CWE-285— Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
1,351 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-285page 22 of 28
- CVE-2025-9602MEDIUMCVSS 6.5EG 6.32025-08-29
A vulnerability was found in Xinhu RockOA up to 2.6.9. Impacted is the function publicsaveAjax of the file /index.php. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploi…
- CVE-2025-9609HIGHCVSS 8.8EG 6.32025-08-29
A vulnerability was found in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /educacenso/consulta. The manipulation results in improper authorization. The attack can be executed remotely. The exploit has…
- CVE-2025-9687HIGHCVSS 8.8EG 6.32025-08-30
A weakness has been identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/HistoricoEscolar/processamentoApi. Executing manipulation can lead to improper authorization. The attack may be performed…
- CVE-2025-9760HIGHCVSS 8.8EG 8.82025-09-01
A weakness has been identified in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /module/Api/matricula of the component Matricula API. Executing manipulation can lead to improper authorization. It is possible to l…
- CVE-2025-9835MEDIUMCVSS 4.3EG 4.32025-09-02
A vulnerability has been found in macrozheng mall up to 1.0.3. This affects the function cancelOrder of the file /order/cancelUserOrder. The manipulation of the argument orderId leads to authorization bypass. The attack can be initiated re…
- CVE-2025-9836MEDIUMCVSS 4.3EG 4.32025-09-02
A vulnerability was found in macrozheng mall up to 1.0.3. This vulnerability affects the function paySuccess of the file /order/paySuccess. The manipulation of the argument orderId results in authorization bypass. The attack can be launche…
- CVE-2025-9936MEDIUMCVSS 4.3EG 4.32025-09-04
A vulnerability was identified in fuyang_lipengjun platform 1.0.0. This issue affects the function AdController of the file /ad/queryAll. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. …
- CVE-2025-9937MEDIUMCVSS 5.4EG 5.42025-09-04
A security flaw has been discovered in elunez eladmin 1.1. Impacted is the function deleteFile of the component LocalStorageController. The manipulation results in improper authorization. The attack may be performed from remote. The exploi…
- CVE-2025-9988MEDIUMCVSS 4.3EG 4.32026-05-13
The Broadstreet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the create_advertiser AJAX action in all versions up to, and including, 1.53.1. This makes it possible for authenticated attacke…
- CVE-2026-0072HIGHCVSS 7.8EG 7.82026-06-01
In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction i…
- CVE-2026-0574MEDIUMCVSS 6.3EG 6.32026-01-04
A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function saveUserRole of the file warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component Re…
- CVE-2026-10070MEDIUMCVSS 4.7EG 4.72026-05-29
A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploi…
- CVE-2026-10154MEDIUMCVSS 4.3EG 4.32026-05-30
A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can …
- CVE-2026-10211MEDIUMCVSS 6.3EG 6.32026-06-01
A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function _normalize_rw_path of the file astrbot/core/tools/computer_tools/fs.py. This manipulation causes incorrect authorization. It is possible t…
- CVE-2026-10212MEDIUMCVSS 6.3EG 6.32026-06-01
A vulnerability was identified in AstrBotDevs AstrBot 4.24.2. This affects the function astr_main_agent of the file astrbot/core/astr_main_agent.py. Such manipulation of the argument session_id leads to authorization bypass. It is possible…
- CVE-2026-10215MEDIUMCVSS 4.3EG 4.32026-06-01
A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation…
- CVE-2026-10218MEDIUMCVSS 5.4EG 5.42026-06-01
A vulnerability has been found in nextlevelbuilder GoClaw up to 3.11.3. This affects the function auth of the file internal/http/evolution_handlers.go. Such manipulation leads to improper authorization. The attack can be executed remotely.…
- CVE-2026-10236HIGHCVSS 7.3EG 7.32026-06-01
A vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management Endpoint. Such manipulation leads to im…
- CVE-2026-10269MEDIUMCVSS 6.3EG 6.32026-06-01
A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads …
- CVE-2026-10272MEDIUMCVSS 6.5EG 6.52026-06-01
A vulnerability has been found in a4m4 Student-Management-System up to... A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the …
- CVE-2026-10282MEDIUMCVSS 4.3EG 4.32026-06-01
A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be l…
- CVE-2026-10284MEDIUMCVSS 5.4EG 5.42026-06-01
A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component L…
- CVE-2026-10285MEDIUMCVSS 5.4EG 5.42026-06-01
A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The …
- CVE-2026-10294MEDIUMCVSS 4.3EG 4.32026-06-01
A vulnerability has been found in PackageKit up to 1.3.5. Affected is the function g_file_test of the file src/pk-transaction.c of the component API. Such manipulation of the argument frontend-socket leads to improper authorization. The at…
- CVE-2026-10580CRITICALCVSS 9.8EG 9.82026-06-05
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::…
- CVE-2026-10693MEDIUMCVSS 6.3EG 6.32026-06-03
A security vulnerability has been detected in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the component Administrative Endpoint. The manipulation leads to improper author…
- CVE-2026-10876MEDIUMCVSS 6.3EG 6.32026-06-04
A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper authorization. Remote exploitation of t…
- CVE-2026-1106MEDIUMCVSS 5.4EG 5.42026-01-18
A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation…
- CVE-2026-1112MEDIUMCVSS 5.4EG 5.42026-01-18
A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deleti…
- CVE-2026-11336MEDIUMCVSS 6.3EG 6.32026-06-05
A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the com…
- CVE-2026-1141MEDIUMCVSS 6.3EG 6.32026-01-19
A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The atta…
- CVE-2026-11438MEDIUMCVSS 6.3EG 6.32026-06-06
A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The a…
- CVE-2026-11439MEDIUMCVSS 6.3EG 6.32026-06-06
A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in i…
- CVE-2026-11440MEDIUMCVSS 6.3EG 6.32026-06-06
A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes im…
- CVE-2026-11441MEDIUMCVSS 6.3EG 6.32026-06-06
A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper a…
- CVE-2026-11461MEDIUMCVSS 6.3EG 6.32026-06-07
A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function resolve_session_by_title of the file hermes_state.py of the component resume Endpoint. Such manipulation of the argument Title leads to aut…
- CVE-2026-11462HIGHCVSS 7.3EG 7.32026-06-07
A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipul…
- CVE-2026-11476MEDIUMCVSS 6.3EG 6.32026-06-08
A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component…
- CVE-2026-11500MEDIUMCVSS 5.0EG 5.02026-06-08
A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argu…
- CVE-2026-11519MEDIUMCVSS 6.3EG 6.32026-06-08
A security flaw has been discovered in SourceCodester Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /Product_Inventory/api/users_handler.php of the component Account Creation Handler. The mani…
- CVE-2026-11521MEDIUMCVSS 6.3EG 6.32026-06-08
A security vulnerability has been detected in Mohammed-eid35 bank-management-system-springboot up to 7b9bcc65ad7df3db29af71aed9bb500e5f24d948. This affects an unknown part of the file src/main/java/com/alien/bank/management/system/controll…
- CVE-2026-11533MEDIUMCVSS 5.4EG 5.42026-06-08
A security vulnerability has been detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this vulnerability is an unknown functionality of the file /see.php of the component Student Delet…
- CVE-2026-11619MEDIUMCVSS 6.3EG 6.32026-06-09
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads t…
- CVE-2026-1193MEDIUMCVSS 6.3EG 6.32026-01-19
A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be…
- CVE-2026-12065LOWCVSS 1.8EG 1.82026-06-12
A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url s…
- CVE-2026-12189MEDIUMCVSS 5.3EG 5.32026-06-14
A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in handler for custom url scheme. The attack…
- CVE-2026-12190MEDIUMCVSS 5.3EG 5.32026-06-14
A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme.…
- CVE-2026-12204HIGHCVSS 7.3EG 7.32026-06-15
A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. E…
- CVE-2026-12213MEDIUMCVSS 4.3EG 4.32026-06-15
A vulnerability was found in hcengineering Huly Platform up to 0.7.0. Affected by this vulnerability is the function getAccountInfo of the file server/account/src/operations.ts of the component User Information Handler. The manipulation re…
- CVE-2026-12673MEDIUMCVSS 5.9EG 5.92026-06-20
Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability resulting in privilege escalation from an Admin in a secondary domain to a Sysadmin by modifying a group in their managed secondary (non-default) grou…
Map vulnerabilities like CWE-285 to your infrastructure
EchelonGraph correlates every CVE — across CWE-285 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →