CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 57 of 77
- CVE-2025-15119LOWCVSS 3.1EG 3.12025-12-28
A vulnerability was detected in JeecgBoot up to 3.9.0. This issue affects the function queryPageList of the file /sys/sysDepartRole/list. The manipulation of the argument deptId results in improper authorization. The attack can be executed…
- CVE-2025-15120LOWCVSS 3.1EG 3.12025-12-28
A flaw has been found in JeecgBoot up to 3.9.0. Impacted is the function getDeptRoleList of the file /sys/sysDepartRole/getDeptRoleList. This manipulation of the argument departId causes improper authorization. The attack is possible to be…
- CVE-2025-15122LOWCVSS 3.1EG 3.12025-12-28
A vulnerability was found in JeecgBoot up to 3.9.0. The impacted element is the function loadDatarule of the file /sys/sysDepartRole/datarule/. Performing manipulation of the argument departId/roleId results in improper authorization. It i…
- CVE-2025-15123LOWCVSS 3.1EG 3.12025-12-28
A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remote…
- CVE-2025-15124LOWCVSS 3.1EG 3.12025-12-28
A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be init…
- CVE-2025-15125LOWCVSS 3.1EG 3.12025-12-28
A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. Th…
- CVE-2025-15126LOWCVSS 3.1EG 3.12025-12-28
A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authori…
- CVE-2025-15288LOWCVSS 3.1EG 3.12026-01-29
Tanium addressed an improper access controls vulnerability in Interact.
- CVE-2025-15321LOWCVSS 2.7EG 2.72026-02-05
Tanium addressed an improper input validation vulnerability in Tanium Appliance.
- CVE-2025-15322MEDIUMCVSS 4.3EG 4.32026-01-30
Tanium addressed an improper access controls vulnerability in Tanium Server.
- CVE-2025-15342MEDIUMCVSS 4.3EG 4.32026-02-05
Tanium addressed an improper access controls vulnerability in Reputation.
- CVE-2025-15390MEDIUMCVSS 6.3EG 6.32025-12-31
A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploi…
- CVE-2025-15395MEDIUMCVSS 4.3EG 4.32026-02-02
IBM Jazz Foundation 7.0.3 through 7.0.3 iFix019 and 7.1.0 through 7.1.0 iFix005 is vulnerable to access control violations that allows the users to view or access/perform actions beyond their expected capability.
- CVE-2025-1540LOWCVSS 3.1EG 3.12025-03-06
An issue has been discovered in GitLab CE/EE for Self-Managed and Dedicated instances affecting all versions from 17.5 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. It was possible for a user added as an External to read…
- CVE-2025-15406MEDIUMCVSS 6.3EG 6.32026-01-01
A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. This manipulation causes missing authorization. Remote exploitation of the attack is possible. The exploit has been published and m…
- CVE-2025-1542CRITICALCVSS 9.3EG 9.32025-03-26
Improper permission control vulnerability in the OXARI ServiceDesk application could allow an attacker using a guest access or an unprivileged account to gain additional administrative permissions in the application.This issue affects …
- CVE-2025-15513MEDIUMCVSS 5.3EG 5.32026-01-14
The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for …
- CVE-2025-15525MEDIUMCVSS 5.3EG 5.32026-01-31
The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1…
- CVE-2025-15633MEDIUMCVSS 6.5EG 6.52026-05-09
An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via …
- CVE-2025-1792LOWCVSS 3.1EG 3.12025-05-30
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of p…
- CVE-2025-2003HIGHCVSS 7.1EG 7.12025-03-05
Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add in root' permission.
- CVE-2025-20257MEDIUMCVSS 6.5EG 6.52025-05-21
A vulnerability in an API subsystem of Cisco Secure Network Analytics Manager and Cisco Secure Network Analytics Virtual Manager could allow an authenticated, remote attacker with low privileges to generate fraudulent findings that are use…
- CVE-2025-20300MEDIUMCVSS 4.3EG 4.32025-07-07
In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.6, and 9.1.9 and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.112, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles, and has…
- CVE-2025-20332MEDIUMCVSS 4.3EG 4.32025-08-06
A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. This vulnerability is due to the lack of server-side validation…
- CVE-2025-20381MEDIUMCVSS 5.4EG 5.42025-12-03
In Splunk MCP Server app versions below 0.2.4, a user with access to the "run_splunk_query" Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unau…
- CVE-2025-2045MEDIUMCVSS 4.3EG 4.32025-03-06
Improper authorization in GitLab EE affecting all versions from 17.7 prior to 17.7.6, 17.8 prior to 17.8.4, 17.9 prior to 17.9.1 allow users with limited permissions to access to potentially sensitive project analytics data.
- CVE-2025-20674CRITICALCVSS 9.8EG 9.82025-06-02
In wlan AP driver, there is a possible way to inject arbitrary packet due to a missing permission check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for e…
- CVE-2025-20701HIGHCVSS 8.8EG 8.82025-08-04
In the Airoha Bluetooth audio SDK, there is a possible way to pair Bluetooth audio device without user consent. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not neede…
- CVE-2025-20999MEDIUMCVSS 4.1EG 4.12025-07-08
Improper authorization in accessing saved Wi-Fi password for Galaxy Tablet prior to SMR Jul-2025 Release 1 allows secondary users to access owner's saved Wi-Fi password.
- CVE-2025-21403MEDIUMCVSS 6.4EG 6.42025-01-14
On-Premises Data Gateway Information Disclosure Vulnerability
- CVE-2025-21450CRITICALCVSS 9.1EG 9.12025-07-08
Cryptographic issue occurs due to use of insecure connection method while downloading.
- CVE-2025-21479HIGHCVSS 8.6EG 9.0⚠ KEV2025-06-03
Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.
- CVE-2025-21480HIGHCVSS 8.6EG 9.0⚠ KEV2025-06-03
Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.
- CVE-2025-21502MEDIUMCVSS 4.8EG 4.82025-01-21
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, …
- CVE-2025-21506HIGHCVSS 8.1EG 8.12025-01-21
Vulnerability in the Oracle Project Foundation product of Oracle E-Business Suite (component: Technology Foundation). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker…
- CVE-2025-21516HIGHCVSS 8.1EG 8.12025-01-21
Vulnerability in the Oracle Customer Care product of Oracle E-Business Suite (component: Service Requests). Supported versions that are affected are 12.2.5-12.2.13. Easily exploitable vulnerability allows low privileged attacker with netw…
- CVE-2025-21517MEDIUMCVSS 4.3EG 4.32025-01-21
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with…
- CVE-2025-21519MEDIUMCVSS 4.4EG 4.42025-01-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Difficult to exploit vulnerability allow…
- CVE-2025-21532HIGHCVSS 7.8EG 7.82025-01-21
Vulnerability in the Oracle Analytics Desktop product of Oracle Analytics (component: Install). Supported versions that are affected are Prior to 8.1.0. Easily exploitable vulnerability allows low privileged attacker with logon to the inf…
- CVE-2025-21533MEDIUMCVSS 5.5EG 5.52025-01-21
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.24 and prior to 7.1.6. Easily exploitable vulnerability allows low privileged attacker wi…
- CVE-2025-21537MEDIUMCVSS 5.4EG 5.42025-01-21
Vulnerability in the PeopleSoft Enterprise FIN Cash Management product of Oracle PeopleSoft (component: Cash Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with…
- CVE-2025-21539MEDIUMCVSS 5.4EG 5.42025-01-21
Vulnerability in the PeopleSoft Enterprise FIN eSettlements product of Oracle PeopleSoft (component: eSettlements). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with netwo…
- CVE-2025-21540MEDIUMCVSS 5.4EG 5.42025-01-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows …
- CVE-2025-21546LOWCVSS 3.8EG 3.82025-01-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows …
- CVE-2025-21553MEDIUMCVSS 4.2EG 4.22025-01-21
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.25, 21.3-21.16 and 23.4-23.6. Difficult to exploit vulnerability allows low privileged attacker having Create Session, Cre…
- CVE-2025-21554MEDIUMCVSS 5.3EG 5.32025-01-21
Vulnerability in the Oracle Communications Order and Service Management product of Oracle Communications Applications (component: Security). Supported versions that are affected are 7.4.0, 7.4.1 and 7.5.0. Easily exploitable vulnerabilit…
- CVE-2025-21555MEDIUMCVSS 5.5EG 5.52025-01-21
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attack…
- CVE-2025-21556CRITICALCVSS 9.9EG 9.92025-01-21
Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Agile Integration Services). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with…
- CVE-2025-21557MEDIUMCVSS 5.4EG 5.42025-01-21
Vulnerability in Oracle Application Express (component: General). Supported versions that are affected are 23.2 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle A…
- CVE-2025-21558MEDIUMCVSS 5.4EG 5.42025-01-21
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 20.12.1.0-20.12.21.5, 21.12.1.0-21.12.20.0 and 22.…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →