CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 56 of 77
- CVE-2025-11439MEDIUMCVSS 4.3EG 4.32025-10-08
A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. T…
- CVE-2025-11580MEDIUMCVSS 5.3EG 5.32025-10-10
A weakness has been identified in PowerJob up to 5.1.2. This affects the function list of the file /user/list. This manipulation causes missing authorization. The attack can be initiated remotely. The exploit has been made available to the…
- CVE-2025-11581MEDIUMCVSS 5.3EG 5.32025-10-10
A security vulnerability has been detected in PowerJob up to 5.1.2. This vulnerability affects unknown code of the file /openApi/runJob of the component OpenAPIController. Such manipulation leads to missing authorization. The attack can be…
- CVE-2025-11776MEDIUMCVSS 4.3EG 4.32025-11-14
Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint
- CVE-2025-11777LOWCVSS 3.1EG 3.12025-11-13
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from …
- CVE-2025-11862HIGHCVSS 8.4EG 8.42025-11-11
A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API.
- CVE-2025-11865MEDIUMCVSS 4.3EG 4.32025-11-15
An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user.
- CVE-2025-11888LOWCVSS 2.7EG 2.72025-10-25
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post…
- CVE-2025-11971MEDIUMCVSS 6.5EG 6.52025-10-27
GitLab has remediated an issue in GitLab EE affecting all versions from 10.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to trigger unauthorized pipeline executions by manipul…
- CVE-2025-12038MEDIUMCVSS 4.3EG 4.32025-11-01
The Folderly plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the /wp-json/folderly/v1/config/clear-all-data REST API endpoint in all versions up to, and including, 0.3. Thi…
- CVE-2025-12082HIGHCVSS 7.5EG 7.52025-10-30
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0.
- CVE-2025-1214MEDIUMCVSS 6.3EG 6.32025-02-12
A vulnerability classified as critical has been found in pihome-shc PiHome 2.0. This affects an unknown part of the file /user_accounts.php?uid of the component Role-Based Access Control. The manipulation leads to missing authorization. It…
- CVE-2025-12149MEDIUMCVSS 6.0EG 6.02025-11-14
In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the q…
- CVE-2025-12621MEDIUMCVSS 5.3EG 5.32025-11-08
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.…
- CVE-2025-12756MEDIUMCVSS 4.3EG 4.32025-12-01
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments …
- CVE-2025-12924MEDIUMCVSS 4.3EG 4.32025-11-10
A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. This issue affects the function GlobalResult of the file src/main/java/com/rymcu/forest/web/api/bank/BankController.java. The manipulation leads…
- CVE-2025-12925HIGHCVSS 7.3EG 7.32025-11-10
A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Impacted is the function getAll/addDic/getAllDic/deleteDic of the file src/main/java/com/rymcu/forest/lucene/api/UserDicController.java. Th…
- CVE-2025-12971MEDIUMCVSS 4.3EG 4.32025-11-27
The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'wcp_change_post_folder' …
- CVE-2025-13063HIGHCVSS 7.3EG 7.32025-11-12
A flaw has been found in DinukaNavaratna Dee Store 1.0. Affected is an unknown function. Executing manipulation can lead to missing authorization. The attack may be performed from remote. The exploit has been published and may be used. Mul…
- CVE-2025-13184CRITICALCVSS 9.8EG 9.82025-12-10
Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution). Earlier versions that share the same …
- CVE-2025-13324LOWCVSS 3.7EG 3.72025-12-17
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which …
- CVE-2025-13432MEDIUMCVSS 4.3EG 4.32025-11-21
Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with…
- CVE-2025-13468MEDIUMCVSS 5.4EG 5.42025-11-20
A weakness has been identified in SourceCodester Alumni Management System 1.0. This issue affects the function delete_forum/delete_career/delete_comment/delete_gallery/delete_event of the file admin/admin_class.php of the component Delete …
- CVE-2025-13480MEDIUMCVSS 6.5EG 6.52026-04-20
Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of sy…
- CVE-2025-13653MEDIUMCVSS 4.3EG 4.32025-12-01
In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests to read documents from data streams without having the res…
- CVE-2025-13753MEDIUMCVSS 4.3EG 4.32026-01-09
The WP Table Builder – Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. T…
- CVE-2025-13767MEDIUMCVSS 4.3EG 4.32025-12-24
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker wit…
- CVE-2025-13806HIGHCVSS 7.3EG 7.32025-12-01
A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModu…
- CVE-2025-13813MEDIUMCVSS 5.6EG 5.62025-12-01
A vulnerability was identified in moxi159753 Mogu Blog v2 up to 5.2. This issue affects some unknown processing of the file /storage/ of the component Storage Management Endpoint. The manipulation leads to missing authorization. The attack…
- CVE-2025-13829HIGHCVSS 8.6EG 8.62025-12-01
Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: * APIKEY (1 year user Session) * RefreshToke…
- CVE-2025-13928HIGHCVSS 7.5EG 7.52026-01-22
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting …
- CVE-2025-13985MEDIUMCVSS 5.3EG 5.32026-01-28
Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0.
- CVE-2025-14016MEDIUMCVSS 5.4EG 5.42025-12-04
A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can …
- CVE-2025-14081MEDIUMCVSS 4.3EG 4.32025-12-17
The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields l…
- CVE-2025-1415MEDIUMCVSS 5.1EG 5.12025-05-21
A low-privileged user is able to obtain information about tasks executed on devices controlled by Proget MDM (Mobile Device Management), as well as details of the devices like their UUIDs needed for exploitation of CVE-2025-1416. In order…
- CVE-2025-1416HIGHCVSS 7.0EG 7.02025-05-21
In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently use functionalities restricted by the MDM (Mobile Device Management). For it to happen, they must know the UUIDs of targetted devices, which …
- CVE-2025-1417MEDIUMCVSS 4.6EG 4.62025-05-21
In Proget MDM, a low-privileged user can access information about changes contained in backups of all devices managed by the MDM (Mobile Device Management). This information include user ids, email addresses, first names, last names and de…
- CVE-2025-1418MEDIUMCVSS 5.1EG 5.12025-05-21
A low-privileged user can access information about profiles created in Proget MDM (Mobile Device Management), which contain details about allowed/prohibited functions. The profiles do not reveal any sensitive information (including their …
- CVE-2025-14305HIGHCVSS 7.8EG 7.82025-12-17
ListCheck.exe developed by Acer has a Local Privilege Escalation vulnerability. Authenticated local attackers can replace ListCheck.exe with a malicious executable of the same name, which will be executed by the system and result in privil…
- CVE-2025-14318MEDIUMCVSS 4.3EG 4.32025-12-18
Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled.
- CVE-2025-14352MEDIUMCVSS 5.3EG 5.32026-01-07
The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0.3. This is due to the plugi…
- CVE-2025-1472MEDIUMCVSS 4.3EG 4.32025-03-19
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
- CVE-2025-14774HIGHCVSS 7.4EG 7.42026-06-03
Incorrect Authorization vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24.
- CVE-2025-14866HIGHCVSS 8.8EG 8.82026-01-23
The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it p…
- CVE-2025-14943MEDIUMCVSS 4.3EG 4.32026-01-10
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFul…
- CVE-2025-14986LOWCVSS 1.3EG 1.32025-12-30
When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMult…
- CVE-2025-14987MEDIUMCVSS 5.3EG 5.32025-12-30
When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to …
- CVE-2025-1501MEDIUMCVSS 4.3EG 4.32025-08-26
An access control vulnerability was discovered in the Request Trace and Download Trace functionalities of CMC before 25.1.0 due to a specific access restriction not being properly enforced for users with limited privileges. An authenticat…
- CVE-2025-15023HIGHCVSS 8.8EG 8.82026-05-14
Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploiting Incorrectly Configured Access Control Security Levels. …
- CVE-2025-15085MEDIUMCVSS 4.3EG 4.32025-12-25
A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balanc…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →