Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CVEs (880)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-69183 - - Jan 27, 2026 Jan 22, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Privilege Escalation.This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9.
CVE-2025-69182 - - Jan 27, 2026 Jan 22, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in e-plugins Institutions Directory institutions-directory allows Privilege Escalation.This issue affects Institutions Directory: from n/a through <= 1.3.4.
CVE-2025-68869 - - Apr 1, 2026 Jan 22, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in LazyCoders LLC LazyTasks lazytasks-project-task-management allows Privilege Escalation.This issue affects LazyTasks: from n/a through <= 1.2.37.
CVE-2025-68027 - - Jan 28, 2026 Jan 22, 2026 N/A· v4 7.3 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Themefic Hydra Booking hydra-booking allows Privilege Escalation.This issue affects Hydra Booking: from n/a through <= 1.1.32.
CVE-2025-67966 - - Jan 29, 2026 Jan 22, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in e-plugins Lawyer Directory lawyer-directory allows Privilege Escalation.This issue affects Lawyer Directory: from n/a through <= 1.3.3.
CVE-2025-67953 - - Jan 29, 2026 Jan 22, 2026 N/A· v4 8.1 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation.This issue affects Booking Activities: from n/a through <= 1.16.44.
CVE-2025-50007 - - Jan 26, 2026 Jan 22, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation.This issue affects xSmart: from n/a through <= 1.2.9.4.
CVE-2026-1193 1Mineadmin 1Mineadmin Apr 29, 2026 Jan 19, 2026 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attac...Show more A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2026-1141 1Phpgurukul 1News Portal Apr 29, 2026 Jan 19, 2026 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper auth...Show more A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used.Show less
CVE-2026-1112 1Publiccms 1Publiccms Apr 29, 2026 Jan 18, 2026 2.1 LOW· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component T...Show more A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2026-1106 1Chamilo 1Chamilo Lms Apr 29, 2026 Jan 18, 2026 2.1 LOW· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Perfor...Show more A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2026-23800 - - Jan 26, 2026 Jan 16, 2026 N/A· v4 10.0 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0.
CVE-2021-47799 - - Jan 16, 2026 Jan 15, 2026 8.5 HIGH· v4 6.2 MEDIUM· v3 N/A· v2 Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount...Show more Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount commands to bind a shell, enabling unauthorized system-level privileges.Show less
CVE-2026-22916 1Sick 1Tdc X401gl Firmware Jan 23, 2026 Jan 15, 2026 N/A· v4 5.4 MEDIUM· v3 N/A· v2 An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration.
CVE-2026-22914 1Sick 1Tdc X401gl Firmware Jan 23, 2026 Jan 15, 2026 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An attacker with limited permissions may still be able to write files to specific locations on the device, potentially leading to system manipulation.
CVE-2026-22908 1Sick 1Tdc X401gl Firmware Jan 23, 2026 Jan 15, 2026 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality.
CVE-2026-22907 1Sick 1Tdc X401gl Firmware Jan 23, 2026 Jan 15, 2026 N/A· v4 9.1 CRITICAL· v3 N/A· v2 An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data.
CVE-2026-23550 - - Apr 23, 2026 Jan 14, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Modular DS Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from n/a through <= 2.5.1.
CVE-2022-50927 - - Jan 14, 2026 Jan 13, 2026 8.5 HIGH· v4 6.2 MEDIUM· v3 N/A· v2 Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration t...Show more Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration to gain root access by manipulating system binaries and leveraging unrestricted sudo permissions.Show less
CVE-2026-20852 1Microsoft 12Windows 10 1607 Windows 10 1809Windows 10 21h2+9 more Jan 15, 2026 Jan 13, 2026 N/A· v4 7.7 HIGH· v3 N/A· v2 Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally.

Previous 1...101112...44 Next