CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,582 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 115 of 172
- CVE-2025-42968MEDIUMCVSS 5.0EG 5.02025-07-08
SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or control…
- CVE-2025-42974MEDIUMCVSS 4.3EG 4.32025-07-08
Due to missing authorization check, an attacker authenticated as a non-administrative user could call a remote-enabled function module. This could enable access to information normally restricted, resulting in low impact on confidentiality…
- CVE-2025-42982HIGHCVSS 8.8EG 8.82025-06-10
SAP GRC allows a non-administrative user to access and initiate transaction which could allow them to modify or control the transmitted system credentials. This causes high impact on confidentiality, integrity and availability of the appli…
- CVE-2025-42983HIGHCVSS 8.5EG 8.52025-06-10
SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to drop arbitrary SAP database tables, potentially resulting in a loss of data or rendering the system unusable. On successful exploitation, an attacker can comp…
- CVE-2025-42984MEDIUMCVSS 5.4EG 5.42025-06-10
SAP S/4HANA Manage Central Purchase Contract does not perform necessary authorization checks for an authenticated user. Due to this, an attacker could execute the function import on the entity making it inaccessible for unrestricted user. …
- CVE-2025-42986MEDIUMCVSS 4.3EG 4.32025-07-08
Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This resul…
- CVE-2025-42987MEDIUMCVSS 4.3EG 4.32025-06-10
SAP Manage Processing Rules (For Bank Statement) allows an attacker with basic privileges to edit shared rules of any user by tampering the request parameter. Due to missing authorization check, the attacker can edit rules that should be r…
- CVE-2025-42989CRITICALCVSS 9.6EG 9.62025-06-10
RFC inbound processing�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation the attacker could critically impact both integrity and availability of t…
- CVE-2025-42991MEDIUMCVSS 4.3EG 4.32025-06-10
SAP S/4HANA (Bank Account Application) does not perform necessary authorization checks. This allows an authenticated 'approver' user to delete attachment from bank account application of other user, leading to a low impact on integrity, wi…
- CVE-2025-42993MEDIUMCVSS 6.7EG 6.72025-06-10
Due to a missing authorization check vulnerability in SAP S/4HANA (Enterprise Event Enablement), an attacker with access to the Inbound Binding Configuration could create an RFC destination and assign an arbitrary high-privilege user. This…
- CVE-2025-43000HIGHCVSS 7.9EG 7.92025-05-13
Under certain conditions Promotion Management Wizard (PMW) allows an attacker to access information which would otherwise be restricted.This has High impact on Confidentiality with Low impact on Integrity and Availability of the applicatio…
- CVE-2025-43004MEDIUMCVSS 5.3EG 5.32025-05-13
Due to a security misconfiguration vulnerability, customers can develop Production Operator Dashboards (PODs) that enable outside users to access customer data when they access these dashboards. Since no mechanisms exist to enforce authent…
- CVE-2025-43007MEDIUMCVSS 6.3EG 6.32025-05-13
SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on confidentiality, integrity and availability of the applicatio…
- CVE-2025-43008MEDIUMCVSS 5.8EG 5.82025-05-13
Due to missing authorization check, an unauthorized user can view the files of other company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability.
- CVE-2025-43009MEDIUMCVSS 6.3EG 6.32025-05-13
SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on Confidentiality, integrity and availability of the applicatio…
- CVE-2025-43011HIGHCVSS 7.7EG 7.72025-05-13
Under certain conditions, SAP Landscape Transformation's PCL Basis module does not perform the necessary authorization checks, allowing authenticated users to access restricted functionalities or data. This can lead to a high impact on con…
- CVE-2025-4327MEDIUMCVSS 4.3EG 4.32025-05-06
A vulnerability was found in MRCMS 3.1.2. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disc…
- CVE-2025-43286HIGHCVSS 7.8EG 7.82025-09-15
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to break out of its sandbox.
- CVE-2025-43311MEDIUMCVSS 5.1EG 5.12025-09-15
This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to access protected user data.
- CVE-2025-43316HIGHCVSS 7.8EG 7.82025-09-15
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26, visionOS 26. A malicious app may be able to gain root privileges.
- CVE-2025-43318MEDIUMCVSS 6.2EG 6.22025-09-15
This issue was addressed with additional entitlement checks. This issue is fixed in macOS Tahoe 26. An app with root privileges may be able to access private information.
- CVE-2025-43329HIGHCVSS 8.8EG 8.82025-09-15
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, watchOS 26. An app may be able to break out of its sandbox.
- CVE-2025-43331MEDIUMCVSS 4.0EG 4.02025-09-15
A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access protected user data.
- CVE-2025-43341HIGHCVSS 7.8EG 7.82025-09-15
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to gain root privileges.
- CVE-2025-43358HIGHCVSS 8.8EG 8.82025-09-15
A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A shortcut may be able to bypass sandbox …
- CVE-2025-4339MEDIUMCVSS 4.3EG 4.32025-05-13
The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers,…
- CVE-2025-43497MEDIUMCVSS 5.2EG 5.22025-12-12
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to break out of its sandbox.
- CVE-2025-4370MEDIUMCVSS 5.3EG 5.32025-07-29
The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and…
- CVE-2025-43720MEDIUMCVSS 6.5EG 6.52025-07-21
Headwind MDM before 5.33.1 makes configuration details accessible to unauthorized users. The Configuration profile is exposed to the Observer user role, revealing the password requires to escape out of the MDM controlled device's profile.
- CVE-2025-43773CRITICALCVSS 9.1EG 9.12025-08-29
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through upda…
- CVE-2025-43788MEDIUMCVSS 4.3EG 4.32025-09-12
The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows remote authenticated users to obtain a list …
- CVE-2025-43805MEDIUMCVSS 5.3EG 5.32025-09-16
Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 does not perform an authorization check when users attempt to view a display page templa…
- CVE-2025-43838MEDIUMCVSS 6.5EG 6.52025-05-19
Missing Authorization vulnerability in ChoPlugins.com Custom PC Builder Lite for WooCommerce custom-pc-builder-lite-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom PC Builde…
- CVE-2025-43862HIGHCVSS 7.6EG 7.62025-04-25
Dify is an open-source LLM app development platform. Prior to version 0.6.12, a normal user is able to access and modify APP orchestration, even though the web UI of APP orchestration is not presented for a normal user. This access control…
- CVE-2025-43976MEDIUMCVSS 5.5EG 4.32025-07-21
The com.enflick.android.tn2ndLine application through 24.17.1.0 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextN…
- CVE-2025-43977MEDIUMCVSS 5.5EG 4.32025-07-21
The com.skt.prod.dialer application through 12.5.0 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.skt.prod.dialer.activities.outgoin…
- CVE-2025-44001MEDIUMCVSS 4.0EG 4.02025-08-11
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions …
- CVE-2025-4430HIGHCVSS 8.6EG 8.62025-05-14
Unauthorized access to "/api/Token/gettoken" endpoint in EZD RP allows file manipulation.This issue affects EZD RP in versions before 20.19 (published on 22nd August 2024).
- CVE-2025-4431MEDIUMCVSS 4.3EG 4.32025-05-30
The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and inclu…
- CVE-2025-4477HIGHCVSS 7.2EG 7.22025-05-19
The ThreatSonar Anti-Ransomware from TeamT5 has a Privilege Escalation vulnerability, allowing remote attackers with intermediate privileges to escalate their privileges to highest administrator level through a specific API.
- CVE-2025-4520MEDIUMCVSS 5.4EG 5.42025-05-14
The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated …
- CVE-2025-4522MEDIUMCVSS 6.5EG 6.52025-11-07
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the admin_post_donor_delete() function in versions 2.0.0 to 2.1.9. By supplying an arbitrary use…
- CVE-2025-4571MEDIUMCVSS 5.4EG 5.42025-06-19
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and i…
- CVE-2025-45854CRITICALCVSS 10.0EG 9.82025-06-03
/server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.
- CVE-2025-4597MEDIUMCVSS 6.5EG 6.52025-05-30
The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions…
- CVE-2025-46174HIGHCVSS 7.5EG 7.52025-11-26
Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.
- CVE-2025-46175HIGHCVSS 7.5EG 7.52025-11-26
Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java.
- CVE-2025-46232MEDIUMCVSS 4.3EG 4.32025-04-22
Missing Authorization vulnerability in alttextai Download Alt Text AI alttext-ai allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Alt Text AI: from n/a through <= 1.9.93.
- CVE-2025-46244MEDIUMCVSS 5.3EG 5.32025-04-22
Missing Authorization vulnerability in Dotstore Advanced Linked Variations for Woocommerce linked-variation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Linked Variations for Woocommer…
- CVE-2025-46247MEDIUMCVSS 5.3EG 5.32025-04-22
Missing Authorization vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Appointment Booking Calendar: from n/a through <…
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →