Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CVEs (881)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-9760 1Portabilis 1I Educar Apr 29, 2026 Sep 1, 2025 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A weakness has been identified in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /module/Api/matricula of the component Matricula API. Executing manipulation can lead to improper authorization....Show more A weakness has been identified in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /module/Api/matricula of the component Matricula API. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited.Show less
CVE-2025-9687 1Portabilis 1I Educar Apr 29, 2026 Aug 30, 2025 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A weakness has been identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/HistoricoEscolar/processamentoApi. Executing manipulation can lead to improper authorization. The atta...Show more A weakness has been identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/HistoricoEscolar/processamentoApi. Executing manipulation can lead to improper authorization. The attack may be performed from a remote location. The exploit has been made available to the public and could be exploited.Show less
CVE-2025-9609 1Portabilis 1I Educar Apr 29, 2026 Aug 29, 2025 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was found in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /educacenso/consulta. The manipulation results in improper authorization. The attack can be executed remote...Show more A vulnerability was found in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /educacenso/consulta. The manipulation results in improper authorization. The attack can be executed remotely. The exploit has been made public and could be used.Show less
CVE-2025-58323 1Navercorp 1Mybox Oct 16, 2025 Aug 29, 2025 N/A· v4 7.7 HIGH· v3 N/A· v2 NAVER MYBOX Explorer for Windows before 3.0.8.133 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM by executing arbitrary files due to improper privilege checks.
CVE-2025-9602 1Rockoa 1Rockoa Apr 29, 2026 Aug 29, 2025 2.1 LOW· v4 6.5 MEDIUM· v3 6.5 MEDIUM· v2 A vulnerability was found in Xinhu RockOA up to 2.6.9. Impacted is the function publicsaveAjax of the file /index.php. Performing manipulation results in improper authorization. The attack is possible to be carried out r...Show more A vulnerability was found in Xinhu RockOA up to 2.6.9. Impacted is the function publicsaveAjax of the file /index.php. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used.Show less
CVE-2025-49407 - - Apr 28, 2026 Aug 28, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez allows Reflected XSS. This issue affects Houzez: from n/a through 4.1.1.
CVE-2025-49388 - - Apr 23, 2026 Aug 28, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue affects Miraculous Core Plugin: from n/a through <= 2.0.7.
CVE-2025-48348 - - Apr 23, 2026 Aug 28, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in chandrashekharsahu Site Offline site-offline allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Site Offline: from n/a through <= 1....Show more Incorrect Privilege Assignment vulnerability in chandrashekharsahu Site Offline site-offline allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Site Offline: from n/a through <= 1.5.7.Show less
CVE-2025-58322 1Navercorp 1Mybox Oct 16, 2025 Aug 28, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 NAVER MYBOX Explorer for Windows before 3.0.8.133 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM by invoking arbitrary DLLs due to improper privilege checks.
CVE-2025-57797 - - Aug 29, 2025 Aug 27, 2025 8.5 HIGH· v4 7.8 HIGH· v3 N/A· v2 Incorrect privilege assignment vulnerability exists in ScanSnap Manager installers versions prior to V6.5L61. If this vulnerability is exploited, an authenticated local attacker may escalate privileges and execute an arb...Show more Incorrect privilege assignment vulnerability exists in ScanSnap Manager installers versions prior to V6.5L61. If this vulnerability is exploited, an authenticated local attacker may escalate privileges and execute an arbitrary command.Show less
CVE-2025-50691 - - Aug 22, 2025 Aug 22, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 MCSManager 10.5.3 daemon process runs as a root account by default, and its sensitive data (including tokens and terminal content) is stored in the data directory, readable by all users. Other users on the system can rea...Show more MCSManager 10.5.3 daemon process runs as a root account by default, and its sensitive data (including tokens and terminal content) is stored in the data directory, readable by all users. Other users on the system can read the daemon's key and use it to log in, leading to privilege escalation.Show less
CVE-2025-54735 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Privilege Escalation.This issue affects CubeWP: from n/a through <= 1.1.24.
CVE-2025-54049 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 9.9 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in miniOrange Custom API for WP custom-api-for-wp allows Privilege Escalation.This issue affects Custom API for WP: from n/a through <= 4.2.2.
CVE-2025-53580 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows Privilege Escalation.This issue affects Simple Business Directory Pro: from n/a through < 15...Show more Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows Privilege Escalation.This issue affects Simple Business Directory Pro: from n/a through < 15.6.9.Show less
CVE-2025-49422 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in themepassion Support Ticket support-ticket allows Privilege Escalation.This issue affects Support Ticket: from n/a through <= 1.9.
CVE-2025-48165 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in DELUCKS DELUCKS SEO delucks-seo allows Privilege Escalation.This issue affects DELUCKS SEO: from n/a through <= 2.6.0.
CVE-2025-48164 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Brainstorm Force SureDash suredash allows Privilege Escalation.This issue affects SureDash: from n/a through <= 1.0.3.
CVE-2025-48142 - - Apr 23, 2026 Aug 20, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect Privilege Assignment vulnerability in Saad Iqbal Bookify bookify allows Privilege Escalation.This issue affects Bookify: from n/a through <= 1.0.9.
CVE-2025-9151 - - Apr 29, 2026 Aug 19, 2025 2.1 LOW· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 A security flaw has been discovered in LiuYuYang01 ThriveX-Blog up to 3.1.7. Affected by this vulnerability is the function updateJsonValueByName of the file /web_config/json/name/web. Performing manipulation results in...Show more A security flaw has been discovered in LiuYuYang01 ThriveX-Blog up to 3.1.7. Affected by this vulnerability is the function updateJsonValueByName of the file /web_config/json/name/web. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-5417 - - Aug 19, 2025 Aug 19, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 An insufficient access control vulnerability was found in the Red Hat Developer Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer Hub cluster admin/user, who has standard user access to the cluster, and the...Show more An insufficient access control vulnerability was found in the Red Hat Developer Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer Hub cluster admin/user, who has standard user access to the cluster, and the Red Hat Developer Hub namespace, can access the rhdh/rhdh-hub-rhel9 container image and modify the image's content. This issue affects the confidentiality and integrity of the data, and any changes made are not permanent, as they reset after the pod restarts.Show less

Previous 1...192021...45 Next