CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 61 of 77
- CVE-2025-3963HIGHCVSS 7.3EG 7.32025-04-27
A vulnerability, which was classified as critical, has been found in withstars Books-Management-System 1.0. This issue affects some unknown processing of the file /admin/article/list of the component Background Interface. The manipulation …
- CVE-2025-40567MEDIUMCVSS 6.5EG 6.52025-06-10
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.2), SCALANCE XCH328 (6GK5328-4TS01-2EC2) (All versions < V3.2), SCALANCE XCM324 (6GK5324-8TS01-2AC2) (All versions < V3.2), SCALANCE XCM328 (6GK53…
- CVE-2025-40568MEDIUMCVSS 4.3EG 4.32025-06-10
A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.2), SCALANCE XCH328 (6GK5328-4TS01-2EC2) (All versions < V3.2), SCALANCE XCM324 (6GK5324-8TS01-2AC2) (All versions < V3.2), SCALANCE XCM328 (6GK53…
- CVE-2025-40619HIGHCVSS 7.5EG 7.52025-04-29
Bookgy does not provide for proper authorisation control in multiple areas of the application. This deficiency could allow a malicious actor, without authentication, to reach private areas and/or areas intended for other roles.
- CVE-2025-40668MEDIUMCVSS 6.5EG 6.52025-06-09
Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an attacker, with low privilege level, to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNe…
- CVE-2025-40669MEDIUMCVSS 6.5EG 6.52025-06-09
Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to modify the permissions held by each of the application's users, including the user himself by sending a POST request to /PC/Opt…
- CVE-2025-40670HIGHCVSS 8.8EG 8.82025-06-09
Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to create a user and assign it many privileges by sending a POST request to /PC/frmGestionUser.aspx/updateUser.
- CVE-2025-40819MEDIUMCVSS 4.3EG 4.32025-12-09
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP4). Affected applications do not properly validate license restrictions against the database, allowing direct modification of the system_ticketinfo …
- CVE-2025-40897HIGHCVSS 8.1EG 8.12026-04-15
An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges f…
- CVE-2025-4101MEDIUMCVSS 4.3EG 4.32025-05-17
The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and incl…
- CVE-2025-41030MEDIUMCVSS 6.9EG 6.92025-09-02
Lack of authorisation in Deporsite by T-INNOVA. This vulnerability allows an unauthenticated attacker to obtain information from other users via GET ‘/ajax/TInnova_v2/Integrantes_Recurso_v2_1/llamadaAjax/buscarPersona’ using the ‘dni…
- CVE-2025-41031MEDIUMCVSS 6.9EG 6.92025-09-02
Lack of authorisation in Deporsite by T-INNOVA. This vulnerability allows an unauthenticated attacker to change other users' profile pictures via a POST request using the parameters ‘IdPersona’ and “Foto” in ‘/ajax/TInnova_c/Foto…
- CVE-2025-41078HIGHCVSS 8.1EG 8.12026-01-12
Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by…
- CVE-2025-41246HIGHCVSS 7.6EG 7.62025-09-29
VMware Tools for Windows contains an improper authorisation vulnerability due to the way it handles user access controls. A malicious actor with non-administrative privileges on a guest VM, who is already authenticated through vCenter or…
- CVE-2025-4128LOWCVSS 3.1EG 3.12025-06-11
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API c…
- CVE-2025-41346CRITICALCVSS 9.8EG 9.82025-11-18
Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, there…
- CVE-2025-41423LOWCVSS 3.1EG 3.12025-04-24
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts co…
- CVE-2025-41436LOWCVSS 3.1EG 3.12025-11-14
Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads
- CVE-2025-42939MEDIUMCVSS 4.3EG 4.32025-10-14
SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check…
- CVE-2025-42951HIGHCVSS 8.8EG 8.82025-08-12
Due to broken authorization, SAP Business One (SLD) allows an authenticated attacker to gain administrator privileges of a database by invoking the corresponding API.�As a result , it has a high impact on the confidentiality, integrity, …
- CVE-2025-43197MEDIUMCVSS 4.0EG 4.02025-07-30
This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to access sensitive user data.
- CVE-2025-43230MEDIUMCVSS 4.0EG 4.02025-07-30
The issue was addressed with additional permissions checks. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. An app may be able to access user-sensitive data.
- CVE-2025-43251MEDIUMCVSS 5.5EG 5.52025-07-30
An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.6. A local attacker may gain access to Keychain items.
- CVE-2025-43307MEDIUMCVSS 4.0EG 4.02025-09-15
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.
- CVE-2025-43336MEDIUMCVSS 4.4EG 4.42025-11-04
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app with root privileges may be able to access private information.
- CVE-2025-43387HIGHCVSS 7.8EG 7.82025-11-04
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.2, macOS Tahoe 26.1. A malicious app may be able to gain root privileges.
- CVE-2025-43397MEDIUMCVSS 5.5EG 5.52025-11-04
A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to cause a denial-of-service.
- CVE-2025-43459MEDIUMCVSS 4.6EG 4.62025-11-04
An authentication issue was addressed with improved state management. This issue is fixed in watchOS 26.1. An attacker with physical access to a locked Apple Watch may be able to view Live Voicemail.
- CVE-2025-43561CRITICALCVSS 9.1EG 9.12025-05-13
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage t…
- CVE-2025-43564CRITICALCVSS 9.1EG 9.12025-05-13
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. A high-privileged attacker could leverage this vulnerability to access or mo…
- CVE-2025-43565HIGHCVSS 8.4EG 8.42025-05-13
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary code execution in the context of the current user. A high-privileged attacker could leverage thi…
- CVE-2025-43784MEDIUMCVSS 6.5EG 6.52025-09-10
Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest users to obtain object entries informatio…
- CVE-2025-43789MEDIUMCVSS 5.3EG 5.32025-09-12
JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies get ex…
- CVE-2025-43806MEDIUMCVSS 4.3EG 4.32025-09-22
Batch Engine in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 does not properly check permission with import and export tasks, which allows r…
- CVE-2025-43904MEDIUMCVSS 4.2EG 4.22026-01-16
In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting system can allow a Coordinator to promote a user to Administrator.
- CVE-2025-43917HIGHCVSS 8.2EG 8.22025-04-19
In Pritunl Client before 1.3.4220.57, an administrator with access to /Applications can escalate privileges after uninstalling the product. Specifically, an administrator can insert a new file at the pathname of the removed pritunl-service…
- CVE-2025-43921MEDIUMCVSS 5.3EG 5.32025-04-20
GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to create lists via the /mailman/create endpoint. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel…
- CVE-2025-43922HIGHCVSS 8.1EG 8.12025-04-21
The FileWave Windows client before 16.0.0, in some non-default configurations, allows an unprivileged local user to escalate privileges to SYSTEM.
- CVE-2025-44824HIGHCVSS 8.5EG 8.52025-10-07
Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "mess…
- CVE-2025-46265HIGHCVSS 8.8EG 8.82025-05-07
On F5OS, an improper authorization vulnerability exists where remotely authenticated users (LDAP, RADIUS, TACACS+) may be authorized with higher privilege F5OS roles. Note: Software versions which have reached End of Technical Support (Eo…
- CVE-2025-4646HIGHCVSS 7.2EG 7.22025-05-13
Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
- CVE-2025-46544MEDIUMCVSS 6.4EG 6.42025-04-25
In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles.
- CVE-2025-46569HIGHCVSS 7.4EG 7.42025-05-01
Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API enta…
- CVE-2025-46702MEDIUMCVSS 5.4EG 5.42025-06-30
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticat…
- CVE-2025-46744LOWCVSS 2.7EG 2.72025-05-12
An authenticated administrator could modify the Created By username for a user account
- CVE-2025-46834MEDIUMCVSS 6.6EG 6.62025-05-15
Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys …
- CVE-2025-47382HIGHCVSS 7.8EG 7.82025-12-18
Memory corruption while loading an invalid firmware in boot loader.
- CVE-2025-47871MEDIUMCVSS 4.3EG 4.32025-06-30
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook…
- CVE-2025-47930MEDIUMCVSS 5.3EG 5.32025-05-16
Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the "Who can create public channels" access control mechanism can be circumvented by creating a private or web-public channel, and then chan…
- CVE-2025-47937LOWCVSS 3.7EG 3.72025-05-20
TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple ta…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →