
CWE-266 Incorrect Privilege Assignment: vulnerability list (398 entries)

A summary of the 398 CVE entries associated with the CWE-266 (Incorrect Privilege Assignment) weakness class, with AI-generated Chinese-language analysis.

CWE-266 is a privilege-assignment weakness: the software grants a privilege to a particular actor incorrectly, giving that actor a sphere of control it was never intended to have. Attackers typically exploit this flaw through means such as identity spoofing or session hijacking, obtaining high-privilege operations from a low-privilege identity and thereby performing unauthorized actions. Developers should avoid hard-coding permission logic, adopt role-based access control (RBAC), and on every permission check dynamically verify that the subject's identity matches the privileges it is granted, enforcing the principle of least privilege.

MITRE CWE official description
CWE-266: Incorrect Privilege Assignment. The product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Common consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
A user can access restricted functionality and/or sensitive information that may include administrative functionality and user accounts.
Mitigations (2)
Phases: Architecture and Design; Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phases: Architecture and Design; Operation. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database ad…
Code examples (2)
The following example demonstrates the weakness.

    #include <unistd.h>

    seteuid(0);          /* raise the effective UID to root for a privileged section */
    /* do some stuff */
    seteuid(getuid());   /* drop back to the real UID afterwards */

Bad · C
The following example demonstrates the weakness.

    import java.security.AccessController;
    import java.security.PrivilegedAction;

    AccessController.doPrivileged(new PrivilegedAction() {
        public Object run() {
            // privileged code goes here, for example:
            System.loadLibrary("awt");
            return null; // nothing to return
        }
    });

Bad · Java
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2025-53209 | WordPress Masteriyo LMS PRO <= 2.20.0 privilege escalation vulnerability | Masteriyo LMS PRO | 9.8 | Critical | 2026-06-02
CVE-2026-42680 | WordPress Contest Gallery Pro 29.0.1 privilege escalation vulnerability | Contest Gallery Pro | 9.8 | Critical | 2026-06-01
CVE-2026-48879 | WordPress AIWU plugin <= 1.4.17 privilege escalation vulnerability | AIWU | 9.8 | Critical | 2026-06-01
CVE-2026-35671 | phpMyFAQ security vulnerability | phpMyFAQ | 8.8 | High | 2026-05-28
CVE-2026-9795 | Keycloak security vulnerability | Red Hat Build of Keycloak | 7.3 | High | 2026-05-28
CVE-2026-42758 | WordPress plugin WebinarIgnition security vulnerability | WebinarIgnition | 9.8 | Critical | 2026-05-27
CVE-2026-42731 | WordPress plugin miniorange otp verification security vulnerability | miniorange otp verification | 9.8 | Critical | 2026-05-27
CVE-2026-45216 | WordPress plugin Smart Manager security vulnerability | Smart Manager | 8.8 | High | 2026-05-25
CVE-2025-32747 | Dell PowerFlex Manager security vulnerability | PowerFlex Manager (Appliance) | 5.3 | Medium | 2026-05-22
CVE-2026-48172 | LiteSpeed User-End cPanel Plugin security vulnerability | cPanel Plugin | - | - | 2026-05-21
CVE-2026-22315 | Mesalvo Meona Client Launcher Component and Mesalvo Meona Server Component security vulnerability | Meona Client Launcher Component | 7.2 | High | 2026-05-20
CVE-2026-22069 | OPPO O+ Connect security vulnerability | O+ Connect | 7.3 | High | 2026-05-19
CVE-2025-68420 | Comarch ERP Optima security vulnerability | ERP Optima | - | - | 2026-05-14
CVE-2026-35062 | F5 BIG-IP security vulnerability | BIG-IP | 6.5 | Medium | 2026-05-13
CVE-2026-44997 | OpenClaw security vulnerability | OpenClaw | 4.3 | Medium | 2026-05-11
CVE-2026-8148 | NAVER MYBOX Explorer for Windows security vulnerability | NAVER MYBOX Explorer | 7.8 (AI) | High (AI) | 2026-05-08
CVE-2026-43510 | get.gov security vulnerability | manage.get.gov | 7.6 | High | 2026-05-07
CVE-2026-43535 | OpenClaw security vulnerability | OpenClaw | 6.8 | Medium | 2026-05-05
CVE-2026-42368 | GeoVision LPC2011 and GeoVision LPC2211 security vulnerability | GV-LPC2011/LPC2211 | 9.9 | Critical | 2026-05-04
CVE-2026-22337 | WordPress plugin Directorist Social Login security vulnerability | Directorist Social Login | 9.8 | Critical | 2026-04-27
CVE-2026-33519 | Esri Portal For ArcGIS security vulnerability | Portal for ArcGIS | 9.8 | Critical | 2026-04-21
CVE-2026-33518 | Esri Portal For ArcGIS security vulnerability | Portal for ArcGIS | 9.8 | Critical | 2026-04-21
CVE-2026-40869 | Decidim security vulnerability | decidim | 7.5 | High | 2026-04-21
CVE-2026-27668 | Siemens RUGGEDCOM CROSSBOW Secure Access Manager Primary security vulnerability | RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) | 8.8 | High | 2026-04-14
CVE-2026-27102 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 6.6 | Medium | 2026-04-08
CVE-2026-32916 | OpenClaw security vulnerability | OpenClaw | 9.4 | Critical | 2026-03-31
CVE-2026-32922 | OpenClaw security vulnerability | OpenClaw | 9.9 | Critical | 2026-03-29
CVE-2026-3121 | Keycloak security vulnerability | Red Hat build of Keycloak 26.4 | 6.5 | Medium | 2026-03-26
CVE-2026-1712 | HYPR Server security vulnerability | Server | 8.8 | - | 2026-03-25
CVE-2026-32530 | WordPress plugin Creator LMS security vulnerability | Creator LMS | 8.8 | High | 2026-03-25

CWE-266 (Incorrect Privilege Assignment) is a common weakness class; this platform has collected 398 CVE entries associated with it.