CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,580 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 114 of 172
- CVE-2025-4047MEDIUMCVSS 4.3EG 4.32025-06-03
The Broken Link Checker plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the ajax_full_status and ajax_dashboard_status functions in all versions up to, and including, 2.4.4. This makes it…
- CVE-2025-40602MEDIUMCVSS 6.6EG 9.0⚠ KEV2025-12-18
A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).
- CVE-2025-4064MEDIUMCVSS 5.3EG 5.32025-04-29
A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/viewenquiry.php. The manipulation leads to improper access controls. It is possible…
- CVE-2025-40667MEDIUMCVSS 6.5EG 6.52025-05-26
Missing authorization vulnerability in TCMAN's GIM v11. This allows an authenticated attacker to access any functionality of the application even when they are not available through the user interface. To exploit the vulnerability the atta…
- CVE-2025-40673MEDIUMCVSS 5.3EG 5.32025-05-28
A Missing Authorization vulnerability has been found in DinoRANK. This vulnerability allows an attacker to access invoices of any user via accessing endpoint '/facturas/YYYY-MM/SDRYYMM-XXXXX.pdf' because there is no access control. The …
- CVE-2025-40837HIGHCVSS 8.8EG 8.82025-09-25
Ericsson Indoor Connect 8855 contains a missing authorization vulnerability which if exploited can allow access to the system as a user with higher privileges than intended.
- CVE-2025-4095MEDIUMCVSS 4.3EG 4.32025-04-29
Registry Access Management (RAM) is a security feature allowing administrators to restrict access for their developers to only allowed registries. When a MacOS configuration profile is used to enforce organization sign-in, the RAM policies…
- CVE-2025-41012MEDIUMCVSS 5.3EG 5.32025-12-02
Unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the 'pda:userId' and 'pda:newPassword' parameters with 'so…
- CVE-2025-41016HIGHCVSS 8.7EG 8.72025-11-24
Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to extract images and videos related to alarm events through access to “/alarms/<ALARM_ID>/<MEDIA>”, where the “MEDIA” parameter…
- CVE-2025-41017MEDIUMCVSS 6.9EG 6.92025-11-24
Inadequate access control vulnerability in Davantis DDFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing “/cameras/<CAMERA_ID>/perspective”.
- CVE-2025-4105MEDIUMCVSS 5.4EG 5.42025-05-21
The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file in all versions up to, and including, 4.2.8. Thi…
- CVE-2025-41111HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_denuncia' in '/backend/api/buscarComentario…
- CVE-2025-41112HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'web' in '/backend/api/buscarConfiguracionParam…
- CVE-2025-41113HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_denuncia' in '/backend/api/buscarDenunciaBy…
- CVE-2025-41114HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'id_user' in '/backend/api/b…
- CVE-2025-41231HIGHCVSS 7.3EG 7.32025-05-20
VMware Cloud Foundation contains a missing authorisation vulnerability. A malicious actor with access to VMware Cloud Foundation appliance may be able to perform certain unauthorised actions and access limited sensitive information.
- CVE-2025-41335HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id' and ' 'id_sociedad' in '/api/buscarEmpres…
- CVE-2025-41336HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'web' in '/backend/api/buscarConfiguracionParam…
- CVE-2025-41337HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'web' in '/backend/api/buscarSSOParametros.php'.
- CVE-2025-41338HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'id_user' in '/backend/api/b…
- CVE-2025-41339HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_sociedad' in '/backend/api/buscarTipoDenunc…
- CVE-2025-41340HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_tp_denuncia' and 'id_sociedad' in '/backen…
- CVE-2025-41341HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'seguro' in '/backend/api/bu…
- CVE-2025-41342HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_user' in '/backend/api/buscarUsuarioId.php'.
- CVE-2025-41343HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'email' in '/backend/api/users/searchUserByEmai…
- CVE-2025-41344HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_archivo' in '/backend/api/verArchivo.php'.
- CVE-2025-41345HIGHCVSS 7.5EG 7.52025-11-04
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'id_user' in '/backend/api/b…
- CVE-2025-41410MEDIUMCVSS 5.4EG 5.42025-10-16
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious S…
- CVE-2025-41443MEDIUMCVSS 4.3EG 4.32025-10-16
Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/t…
- CVE-2025-41698HIGHCVSS 7.8EG 7.82025-08-05
A low privileged local attacker can interact with the affected service although user-interaction should not be allowed.
- CVE-2025-4177MEDIUMCVSS 5.3EG 5.32025-05-02
The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attack…
- CVE-2025-4179HIGHCVSS 7.3EG 7.32025-05-02
The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated a…
- CVE-2025-4202MEDIUMCVSS 4.3EG 4.32026-05-16
The Multicollab: Content Team Collaboration and Editorial Workflow plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf_add_comment' function in all versions up to, and includ…
- CVE-2025-4282MEDIUMCVSS 4.3EG 4.32025-05-05
A vulnerability has been found in SourceCodester/oretnom23 Stock Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /classes/Users.php?f=save. The manipulation leads to cross-site reque…
- CVE-2025-42882MEDIUMCVSS 4.3EG 4.32025-11-11
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific function module in ABAP to retrieve restricted technical information from the syste…
- CVE-2025-42891MEDIUMCVSS 5.5EG 5.52025-12-09
Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and …
- CVE-2025-42899MEDIUMCVSS 4.3EG 4.32025-11-11
SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and …
- CVE-2025-42911MEDIUMCVSS 5.0EG 5.02025-09-09
SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, …
- CVE-2025-42912MEDIUMCVSS 6.5EG 6.52025-09-09
SAP HCM My Timesheet Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confiden…
- CVE-2025-42913LOWCVSS 3.1EG 3.12025-09-09
Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low…
- CVE-2025-42914LOWCVSS 3.1EG 3.12025-09-09
Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low…
- CVE-2025-42915MEDIUMCVSS 5.4EG 5.42025-09-09
Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific user groups.This issue could impact both th…
- CVE-2025-42917MEDIUMCVSS 6.5EG 6.52025-09-09
SAP HCM Approve Timesheets Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while co…
- CVE-2025-42918MEDIUMCVSS 4.3EG 4.32025-09-09
SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity…
- CVE-2025-42949MEDIUMCVSS 4.9EG 4.92025-08-12
Due to a missing authorization check in the ABAP Platform, an authenticated user with elevated privileges could bypass authorization restrictions for common transactions by leveraging the SQL Console. This could enable an attacker to acces…
- CVE-2025-42952HIGHCVSS 7.7EG 7.72025-07-08
SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to add fields to arbitrary SAP database tables and/or structures, potentially rendering the system unusable. On successful exploitation, an attacker can render t…
- CVE-2025-42953HIGHCVSS 8.1EG 8.12025-07-08
SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confiden…
- CVE-2025-42955LOWCVSS 3.5EG 3.52025-08-12
Due to a missing authorization check in SAP Cloud Connector, an attacker on an adjacent network with low privileges could send a crafted request to the endpoint responsible for testing LDAP connections. A successful exploit could lead to r…
- CVE-2025-42960MEDIUMCVSS 4.3EG 4.32025-07-08
SAP Business Warehouse and SAP BW/4HANA BEx Tools allow an authenticated attacker to gain higher access levels than intended by exploiting improper authorization checks. This could potentially impact data integrity by allowing deletion of …
- CVE-2025-42961MEDIUMCVSS 4.9EG 4.92025-07-08
Due to a missing authorization check in SAP NetWeaver Application server for ABAP, an authenticated user with high privileges could exploit the insufficient validation of user permissions to access sensitive database tables. By leveraging …
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →