CWE-862— Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.— MITRE CWE catalog
8,583 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-862page 118 of 172
- CVE-2025-48600MEDIUMCVSS 5.5EG 5.52025-12-08
In multiple files, there is a possible way to reveal information across users due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed…
- CVE-2025-48604MEDIUMCVSS 5.5EG 5.52025-12-08
In multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not neede…
- CVE-2025-48608MEDIUMCVSS 5.5EG 5.52025-12-08
In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is n…
- CVE-2025-48614MEDIUMCVSS 4.6EG 4.62025-12-08
In rebootWipeUserData of RecoverySystem.java, there is a possible way to factory reset the device while in DSU mode due to a missing permission check. This could lead to physical denial of service with no additional execution privileges ne…
- CVE-2025-48617HIGHCVSS 7.8EG 7.82026-06-17
In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is no…
- CVE-2025-48640HIGHCVSS 8.0EG 8.02026-06-17
In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. Us…
- CVE-2025-48731MEDIUMCVSS 6.4EG 6.42025-08-11
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have access for via edit subscription endpoint.
- CVE-2025-48784HIGHCVSS 7.5EG 7.52025-06-06
A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization.
- CVE-2025-4887MEDIUMCVSS 4.3EG 4.32025-05-18
A vulnerability, which was classified as problematic, has been found in SourceCodester Online Student Clearance System 1.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The att…
- CVE-2025-48878MEDIUMCVSS 4.3EG 4.32025-11-10
Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they …
- CVE-2025-48916MEDIUMCVSS 6.5EG 6.52025-06-13
Missing Authorization vulnerability in Drupal Bookable Calendar allows Forceful Browsing.This issue affects Bookable Calendar: from 0.0.0 before 2.2.13.
- CVE-2025-48998HIGHCVSS 8.8EG 8.82025-06-03
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass of the patch for CVE-2025-27103 allows authenticated users to read and deserialize arbitrary files through the background JDBC …
- CVE-2025-49041MEDIUMCVSS 6.5EG 6.52025-12-18
Missing Authorization vulnerability in The African Boss Get Cash get-cash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Get Cash: from n/a through <= 3.2.3.
- CVE-2025-49052MEDIUMCVSS 4.3EG 4.32025-08-14
Missing Authorization vulnerability in Dariolee Netease Music netease-music allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Netease Music: from n/a through <= 3.2.1.
- CVE-2025-49181HIGHCVSS 8.6EG 8.62025-06-12
Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root path as well as the TCP ports th…
- CVE-2025-49182HIGHCVSS 7.5EG 7.52025-06-12
Files in the source code contain login credentials for the admin user and the property configuration password, allowing an attacker to get full access to the application.
- CVE-2025-49221LOWCVSS 3.7EG 3.72025-08-11
Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via API call to GET subscription endpoint.
- CVE-2025-49234MEDIUMCVSS 6.5EG 6.52025-06-17
Missing Authorization vulnerability in Deepak anand WP Dummy Content Generator wp-dummy-content-generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Dummy Content Generator: from n/a throu…
- CVE-2025-49236MEDIUMCVSS 5.3EG 5.32025-06-06
Missing Authorization vulnerability in raychat Raychat raychat allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Raychat: from n/a through <= 2.1.0.
- CVE-2025-49240MEDIUMCVSS 4.3EG 4.32025-06-06
Missing Authorization vulnerability in nK DocsPress docspress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DocsPress: from n/a through <= 2.5.2.
- CVE-2025-49241MEDIUMCVSS 5.3EG 5.32025-06-06
Missing Authorization vulnerability in bobbingwide oik oik allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects oik: from n/a through <= 4.15.1.
- CVE-2025-49246MEDIUMCVSS 4.3EG 4.32025-06-06
Missing Authorization vulnerability in cmoreira Testimonials Showcase testimonials-showcase allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Testimonials Showcase: from n/a through <= 1.9.16.
- CVE-2025-49248MEDIUMCVSS 4.3EG 4.32025-06-06
Missing Authorization vulnerability in cmoreira Team Showcase team-showcase-cm allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team Showcase: from n/a through < 25.05.13.
- CVE-2025-49265HIGHCVSS 7.5EG 7.52025-06-09
Missing Authorization vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Membership For WooCommerce: from n/a through <= 2.8.1.
- CVE-2025-49268MEDIUMCVSS 5.3EG 5.32025-06-06
Missing Authorization vulnerability in Soft8Soft LLC Verge3D verge3d allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Verge3D: from n/a through <= 4.9.4.
- CVE-2025-49270MEDIUMCVSS 5.3EG 5.32025-06-06
Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP-CRM System: from n/a through <= 3.4.2.
- CVE-2025-49272MEDIUMCVSS 4.3EG 4.32025-06-06
Missing Authorization vulnerability in sergiotrinity Trinity Audio trinity-audio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trinity Audio: from n/a through <= 5.20.0.
- CVE-2025-49287MEDIUMCVSS 4.3EG 4.32025-06-06
Missing Authorization vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Feed for WooCommerce: from n/a through …
- CVE-2025-49288HIGHCVSS 8.8EG 4.32025-06-06
Missing Authorization vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Authentication Bypass.This issue affects Ultimate WP Mail: from n/a through <= 1.3.5.
- CVE-2025-49289MEDIUMCVSS 5.0EG 5.02025-06-06
Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a through <= 5.5.0.
- CVE-2025-49293MEDIUMCVSS 4.3EG 4.32025-06-06
Missing Authorization vulnerability in CodeRevolution Crawlomatic Multisite Scraper Post Generator crawlomatic-multipage-scraper-post-generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Craw…
- CVE-2025-49319MEDIUMCVSS 6.5EG 6.52025-07-16
Missing Authorization vulnerability in WPFactory Wishlist for WooCommerce wish-list-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wishlist for WooCommerce: from n/a through <= 3.…
- CVE-2025-49320MEDIUMCVSS 5.3EG 5.32025-06-06
Missing Authorization vulnerability in fraudlabspro FraudLabs Pro for WooCommerce fraudlabs-pro-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FraudLabs Pro for WooCommerce: from …
- CVE-2025-49324MEDIUMCVSS 5.3EG 5.32025-06-06
Missing Authorization vulnerability in PickPlugins Job Board Manager job-board-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Job Board Manager: from n/a through <= 2.1.60.
- CVE-2025-49338MEDIUMCVSS 5.3EG 5.32025-12-31
Missing Authorization vulnerability in Flowbox Flowbox flowbox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flowbox: from n/a through <= 1.1.6.
- CVE-2025-49339MEDIUMCVSS 4.3EG 4.32025-12-31
Missing Authorization vulnerability in Digages Direct Payments WP direct-payments-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Direct Payments WP: from n/a through <= 1.3.2.
- CVE-2025-49348MEDIUMCVSS 5.3EG 5.32025-12-09
Missing Authorization vulnerability in Hype Hype pico allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hype: from n/a through <= 1.0.5.
- CVE-2025-49349MEDIUMCVSS 5.3EG 5.32025-12-31
Missing Authorization vulnerability in Reuters News Agency Reuters Direct reuters-direct allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reuters Direct: from n/a through <= 3.0.0.
- CVE-2025-49350MEDIUMCVSS 4.3EG 4.32025-12-09
Missing Authorization vulnerability in marcoingraiti Actionwear products sync actionwear-products-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Actionwear products sync: from n/a through <=…
- CVE-2025-49356MEDIUMCVSS 4.3EG 4.32025-12-31
Missing Authorization vulnerability in Mykola Lukin Orders Chat for WooCommerce orders-chat-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Orders Chat for WooCommerce: from n/a th…
- CVE-2025-49375MEDIUMCVSS 5.4EG 8.82026-01-22
Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HomeLancer: from n/a through <= 1.0.1.
- CVE-2025-49376MEDIUMCVSS 5.3EG 7.52025-10-22
Missing Authorization vulnerability in DELUCKS DELUCKS SEO delucks-seo allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects DELUCKS SEO: from n/a through <= 2.5.9.
- CVE-2025-49377MEDIUMCVSS 6.3EG 7.52025-10-22
Missing Authorization vulnerability in Themefic Hydra Booking hydra-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hydra Booking: from n/a through <= 1.1.9.
- CVE-2025-49394HIGHCVSS 7.1EG 8.82025-11-06
Missing Authorization vulnerability in bPlugins Image Gallery block – Create and display photo gallery/photo album. 3d-image-gallery allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Image Gallery block �…
- CVE-2025-49396MEDIUMCVSS 4.3EG 4.32025-08-20
Missing Authorization vulnerability in themifyme Themify Builder themify-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Themify Builder: from n/a through <= 7.6.7.
- CVE-2025-49406HIGHCVSS 8.5EG 5.32025-08-20
Missing Authorization vulnerability in favethemes Houzez allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Houzez: from n/a through 4.1.1.
- CVE-2025-49431MEDIUMCVSS 6.5EG 6.52025-07-04
Missing Authorization vulnerability in Gnuget MF Plus WPML mf-plus-wpml allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MF Plus WPML: from n/a through <= 1.1.
- CVE-2025-49432MEDIUMCVSS 5.3EG 5.32025-08-15
Missing Authorization vulnerability in FWDesign Ultimate Video Player fwduvp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Video Player: from n/a through <= 10.1.
- CVE-2025-49441MEDIUMCVSS 5.3EG 5.32025-06-06
Missing Authorization vulnerability in WP Map Plugins Interactive Regional Map of Florida interactive-map-of-florida allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Interactive Regional Map of Flo…
- CVE-2025-49459HIGHCVSS 7.8EG 7.82025-09-09
Missing authorization in the installer for Zoom Workplace for Windows on ARM before version 6.5.0 may allow an authenticated user to conduct an escalation of privilege via local access.
Map vulnerabilities like CWE-862 to your infrastructure
EchelonGraph correlates every CVE — across CWE-862 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →