37 matches found
Incorrect Authorization
Overview org.apache.activemq:artemis-openwire-protocol is a package for activemq. Affected versions of this package are vulnerable to Incorrect Authorization in the OpenWire protocol when an authenticated user with the createDurableQueue permission but without the createAddress permission attempt...
CVE-2026-30244
Plane (open-source project management tool) has a vulnerability prior to version 1.2.2 where unauthenticated actors can enumerate workspace members and extract emails, user roles, and internal identifiers due to misconfigured Django REST Framework permissions. The issue has been patched in 1.2.2,...
host-based-vulnerability-assessments
Host-Based Vulnerability Assessments Overview This reposi...
PT-2026-7314
Name of the Vulnerable Software and Affected Versions Intel System Firmware Update Utility SysFwUpdt versions prior to 16.0.12 Description A misconfiguration in permission assignments for critical resources within the System Firmware Update Utility SysFwUpdt for Intel server boards and systems ma...
CVE-2025-10314
Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation FREQSHIP-mini for Windows versions 8.0.0 to 8.0.2 allows a local attacker to execute arbitrary code with system privileges by replacing service executable files (EXEs or DLLs) in the installation directory with specially...
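The FREQSHIP-mini and SysFwUpdt entries above are the same misconfiguration class: a binary that runs with high privileges lives in a directory where a low-privileged user can write, so the user swaps the binary and waits for the service to start. The following is an added example, not code from any of the listed vendors or advisories, of the audit a practitioner would run over an installation directory. It uses POSIX mode bits as a stand-in for the Windows ACLs those advisories actually concern (on Windows the same question is answered with icacls, which is not shown here); the directory layout, file names and the set of "service" extensions are constructed for the demo.

```python
"""Audit an install directory for service binaries a non-owner could replace.
Added example; assumes POSIX mode bits and a constructed sample layout."""
import os
import stat
import tempfile
from pathlib import Path

# Extensions a service loader would pick up. Assumption for the demo.
SERVICE_EXTENSIONS = {".exe", ".dll", ".so"}

# Either bit lets someone other than the owner write.
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def replaceable_by_others(path: Path) -> list[str]:
    """Return the reasons a non-owner could swap this file's contents."""
    reasons: list[str] = []
    file_mode = path.stat().st_mode
    if file_mode & OTHER_WRITE:
        reasons.append("file is group/world writable")
    # A writable parent is enough on its own: the attacker renames the original
    # and drops a new file under the same name, even if the file itself is 0644.
    # The sticky bit (as on /tmp) blocks that rename for non-owners.
    parent_mode = path.parent.stat().st_mode
    if (parent_mode & OTHER_WRITE) and not (parent_mode & stat.S_ISVTX):
        reasons.append("parent directory is group/world writable without sticky bit")
    return reasons


def audit_install_dir(root: Path) -> dict[str, list[str]]:
    """Map each replaceable service binary (relative path) to its reasons."""
    findings: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SERVICE_EXTENSIONS:
            reasons = replaceable_by_others(p)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def build_sample_install_dir() -> Path:
    """Constructed sample layout: one clean binary and two replaceable ones."""
    root = Path(tempfile.mkdtemp(prefix="perm_audit_demo_"))
    # os.chmod is applied after creation so the umask cannot change the demo.
    (root / "bin").mkdir()
    os.chmod(root / "bin", 0o755)
    (root / "plugins").mkdir()
    os.chmod(root / "plugins", 0o777)          # bad: anyone can rename files here

    (root / "bin" / "service.exe").write_bytes(b"MZ")
    os.chmod(root / "bin" / "service.exe", 0o755)   # fine
    (root / "bin" / "helper.dll").write_bytes(b"MZ")
    os.chmod(root / "bin" / "helper.dll", 0o666)    # bad: file itself writable
    (root / "plugins" / "plugin.dll").write_bytes(b"MZ")
    os.chmod(root / "plugins" / "plugin.dll", 0o644)  # file ok, parent is not
    (root / "README.txt").write_text("not a binary")
    os.chmod(root / "README.txt", 0o666)            # ignored: not a service file
    return root


if __name__ == "__main__":
    sample = build_sample_install_dir()
    for rel, why in audit_install_dir(sample).items():
        print(f"{rel}: {'; '.join(why)}")
```

The parent-directory check is the part most ad-hoc audits miss: a read-only binary in a world-writable directory is just as replaceable as a world-writable binary, which is why the check looks at the directory's mode and sticky bit rather than only at the file.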
Skipper code issue vulnerabilities
Skipper is an open-source HTTP router and reverse proxy developed by Zalando SE for service composition. Versions of Skipper prior to 0.24.0 were vulnerable due to improper permission configuration, which could allow users to create routes that access internal services...
WorkDo HRM SaaS HR and Payroll Tool Security Vulnerability
WorkDo HRM SaaS HR and Payroll Tool is a human resource management software from WorkDo, Inc. A security vulnerability exists in WorkDo HRM SaaS HR and Payroll Tool version 8.1, which stems from improperly set permissions and could result in an authenticated user creating leave or resignation...
EUVD-2014-3429
Malware in sbrugna...
EUVD-2023-31834
Malicious code in bioql PyPI...
CVE-2025-1139
IBM Edge Application Manager 4.5 could allow a local user to read or modify resources that they should not have authorization to access due to incorrect permission assignment...
A vulnerability in the HashiCorp Vault and Vault Enterprise storage platforms, involving improper configuration of permissions for critical resources, allows attackers to bypass authentication.
The vulnerability in the HashiCorp Vault and Vault Enterprise storage platforms relates to the improper assignment of permissions for critical resources. Exploiting this vulnerability could allow a malicious actor to bypass authentication processes...
Bookable Calendar - Less critical - Access bypass - SA-CONTRIB-2025-070
This module enables you to set up a repeating date rule that users can "book" different dates, allowing you to let users register for a variety of different things like conference rooms or guitar lessons. This module has a permission of "view booking" and "view booking contact" which allows you to...
CVE-2023-28123
A permission misconfiguration in UI Desktop for Windows Version 0.59.1.71 and earlier could allow a user to hijack VPN credentials while UID VPN is starting. This vulnerability is fixed in Version 0.62.3 and later...
CVE-2010-3713
rss.php in UseBB before 1.0.11 does not properly handle forum configurations in which a user has the view permission but not the read permission, which allows remote attackers to bypass intended access restrictions by reading a forum feed in combination with a topic feed...
CVE-2024-41974
CVE-2024-41974 affects WAGO BACNet service property modification due to permission misconfiguration across multiple WAGO devices (e.g., PFC100/200, CC100, Edge Controller, TP600 variants). The vulnerability allows a low-privileged remote attacker to modify BACNet service properties, enabling a De...
CVE-2024-41974 WAGO: BACNet Service Property Modification Due to Permission Misconfiguration in Multiple Devices
A low privileged remote attacker may modify the BACNet service properties due to incorrect permission assignment for critical resources which may lead to a DoS limited to BACNet communication...
A vulnerability in the fs.statfs function of the Node.js software platform allows a malicious actor to gain unauthorized access to protected information.
The vulnerability in the fs.statfs function of the Node.js software platform is related to the improper assignment of permissions for a critical resource. Exploiting this vulnerability can allow a remote attacker to gain unauthorized access to protected information using the...
TECNO com.transsion.aivoiceassistant Security Vulnerability
TECNO com.transsion.aivoiceassistant is a mobile application from TECNO China. A security vulnerability exists in TECNO com.transsion.aivoiceassistant that stems from the presence of improperly controlled permissions, which can lead to the launch of any unexported component...
A vulnerability in the mod_jk module of the Apache Tomcat JK Connector allows attackers to disclose sensitive information or cause a denial of service.
The vulnerability in the JkShmFile directive of the mod_jk module of the Apache Tomcat JK Connector is related to incorrect default permissions. Exploiting this vulnerability can allow an attacker to disclose information about the mod_jk module or cause a denial of service...
SUSE CVE-2024-8118
In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules...