Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CVEs (880)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-13115 1Macrozheng 2Mall Mall Swarm Apr 29, 2026 Nov 13, 2025 2.1 LOW· v4 5.3 MEDIUM· v3 4.0 MEDIUM· v2 A security flaw has been discovered in macrozheng mall-swarm and mall up to 1.0.3. This impacts the function detail of the file /order/detail/ of the component Order Details Handler. Performing manipulation of the argume...Show more A security flaw has been discovered in macrozheng mall-swarm and mall up to 1.0.3. This impacts the function detail of the file /order/detail/ of the component Order Details Handler. Performing manipulation of the argument orderId results in improper authorization. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-13114 1Macrozheng 1Mall Swarm Apr 29, 2026 Nov 13, 2025 2.1 LOW· v4 5.3 MEDIUM· v3 6.5 MEDIUM· v2 A vulnerability was identified in macrozheng mall-swarm up to 1.0.3. This affects the function updateAttr of the file /cart/update/attr. Such manipulation leads to improper authorization. The attack may be performed from...Show more A vulnerability was identified in macrozheng mall-swarm up to 1.0.3. This affects the function updateAttr of the file /cart/update/attr. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-2843 - - Nov 14, 2025 Nov 12, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with ClusterRole upon deployment of the Namespace-Scoped Custom Resource MonitorStack. This issue allows an adversarial Kubernetes...Show more A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with ClusterRole upon deployment of the Namespace-Scoped Custom Resource MonitorStack. This issue allows an adversarial Kubernetes Account with only namespaced-level roles, for example, a tenant controlling a namespace, to create a MonitorStack in the authorized namespace and then elevate permission to the cluster level by impersonating the ServiceAccount created by the Operator, resulting in privilege escalation and other issues.Show less
CVE-2024-32009 - - Nov 12, 2025 Nov 11, 2025 8.5 HIGH· v4 7.8 HIGH· v3 N/A· v2 A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to a local privilege escalation due to wrongly set permissions to a binary which allows...Show more A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to a local privilege escalation due to wrongly set permissions to a binary which allows any local attacker to gain administrative privileges.Show less
CVE-2025-63384 - - Nov 12, 2025 Nov 10, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability was discovered in RISC-V Rocket-Chip v1.6 and before implementation where the SRET (Supervisor-mode Exception Return) instruction fails to correctly transition the processor's privilege level. Instead of...Show more A vulnerability was discovered in RISC-V Rocket-Chip v1.6 and before implementation where the SRET (Supervisor-mode Exception Return) instruction fails to correctly transition the processor's privilege level. Instead of downgrading from Machine-mode (M-mode) to Supervisor-mode (S-mode) as specified by the sstatus.SPP bit, the processor incorrectly remains in M-mode, leading to a critical privilege retention vulnerability.Show less
CVE-2025-56503 - - Nov 17, 2025 Nov 10, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue in Sublime HQ Pty Ltd Sublime Text 4 4200 allows authenticated attackers with low-level privileges to escalate privileges to Administrator via replacing the uninstall file with a crafted binary in the installati...Show more An issue in Sublime HQ Pty Ltd Sublime Text 4 4200 allows authenticated attackers with low-level privileges to escalate privileges to Administrator via replacing the uninstall file with a crafted binary in the installation folder. NOTE: this is disputed by the Supplier because replacing the uninstall file requires administrator permissions, i.e., there is no privilege escalation.Show less
CVE-2025-6325 - - Jan 20, 2026 Nov 6, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in KingAddons.com King Addons for Elementor king-addons allows Privilege Escalation.This issue affects King Addons for Elementor: from n/a through <= 51.1.36.
CVE-2025-62034 - - Jan 20, 2026 Nov 6, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.
CVE-2025-60243 - - Jan 20, 2026 Nov 6, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Holest Engineering Selling Commander for WooCommerce selling-commander-connector allows Privilege Escalation.This issue affects Selling Commander for WooCommerce: from n/a...Show more Incorrect Privilege Assignment vulnerability in Holest Engineering Selling Commander for WooCommerce selling-commander-connector allows Privilege Escalation.This issue affects Selling Commander for WooCommerce: from n/a through <= 1.2.46.Show less
CVE-2025-60195 - - Apr 1, 2026 Nov 6, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Privilege Escalation.This issue affects Atarim: from n/a through <= 4.2.1.
CVE-2025-49900 - - Jan 20, 2026 Nov 6, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in bPlugins Advanced scrollbar advanced-scrollbar allows Privilege Escalation.This issue affects Advanced scrollbar: from n/a through <= 1.1.8.
CVE-2024-58273 1Nagios 1Log Server Nov 6, 2025 Oct 30, 2025 8.5 HIGH· v4 7.8 HIGH· v3 N/A· v2 Nagios Log Server versions prior to 2024R1.0.2 contain a local privilege escalation vulnerability that allows an attacker who could execute commands as the Apache web user (or the backend shell user) to escalate to root...Show more Nagios Log Server versions prior to 2024R1.0.2 contain a local privilege escalation vulnerability that allows an attacker who could execute commands as the Apache web user (or the backend shell user) to escalate to root on the host.Show less
CVE-2025-12103 - - Apr 23, 2026 Oct 28, 2025 N/A· v4 5.0 MEDIUM· v3 N/A· v2 A flaw was found in Red Hat Openshift AI Service. The TrustyAI component is granting all service accounts and users on a cluster permissions to get, list, watch any pod in any namespace on the cluster. TrustyAI is crea...Show more A flaw was found in Red Hat Openshift AI Service. The TrustyAI component is granting all service accounts and users on a cluster permissions to get, list, watch any pod in any namespace on the cluster. TrustyAI is creating a role `trustyai-service-operator-lmeval-user-role` and a CRB `trustyai-service-operator-default-lmeval-user-rolebinding` which is being applied to `system:authenticated` making it so that every single user or service account can get a list of pods running in any namespace on the cluster Additionally users can access all `persistentvolumeclaims` and `lmevaljobs`Show less
CVE-2025-36007 1Ibm 1Qradar Security Information And Event Manager Dec 15, 2025 Oct 27, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 13 Independent Fix 02 is vulnerable to privilege escalation due to improper privilege assignment to an update script.
CVE-2025-12304 - - Apr 29, 2026 Oct 27, 2025 2.1 LOW· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability has been found in dulaiduwang003 TIME-SEA-PLUS up to fb299162f18498dd9cf17da906886d80a077d53b. This affects the function alipayIsSucceed of the file PayController.java of the component Order Status Handle...Show more A vulnerability has been found in dulaiduwang003 TIME-SEA-PLUS up to fb299162f18498dd9cf17da906886d80a077d53b. This affects the function alipayIsSucceed of the file PayController.java of the component Order Status Handler. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-62007 - - Jan 20, 2026 Oct 22, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in bPlugins Voice Feedback voice-feedback allows Privilege Escalation.This issue affects Voice Feedback: from n/a through <= 1.0.3.
CVE-2025-60222 - - Apr 1, 2026 Oct 22, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in FantasticPlugins SUMO Memberships for WooCommerce sumomemberships allows Privilege Escalation.This issue affects SUMO Memberships for WooCommerce: from n/a through <= 7.8.0...Show more Incorrect Privilege Assignment vulnerability in FantasticPlugins SUMO Memberships for WooCommerce sumomemberships allows Privilege Escalation.This issue affects SUMO Memberships for WooCommerce: from n/a through <= 7.8.0.Show less
CVE-2025-60220 - - Jan 20, 2026 Oct 22, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in pebas CouponXxL couponxxl allows Privilege Escalation.This issue affects CouponXxL: from n/a through <= 3.0.0.
CVE-2025-60211 - - Jan 20, 2026 Oct 22, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in extendons WooCommerce Registration Fields Plugin - Custom Signup Fields extendons-registration-fields allows Privilege Escalation.This issue affects WooCommerce Registratio...Show more Incorrect Privilege Assignment vulnerability in extendons WooCommerce Registration Fields Plugin - Custom Signup Fields extendons-registration-fields allows Privilege Escalation.This issue affects WooCommerce Registration Fields Plugin - Custom Signup Fields: from n/a through <= 3.2.3.Show less
CVE-2025-59580 - - Jan 20, 2026 Oct 22, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in GoodLayers Goodlayers Core goodlayers-core allows Privilege Escalation.This issue affects Goodlayers Core: from n/a through < 2.1.7.

Previous 1...141516...44 Next