
CWE-285 (Improper Authorization) Vulnerability Class: 967 CVEs

967 vulnerabilities are classified as CWE-285 (Improper Authorization). An AI-generated analysis in Chinese is included for each entry.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-34222 | Open WebUI has Broken Access Control in Tool Valves | open-webui | 7.7 | High | 2026-04-01 |
| CVE-2026-34738 | AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter | AVideo | 4.3 | Medium | 2026-03-31 |
| CVE-2026-34784 | Parse Server: Streaming file download bypasses afterFind file trigger authorization | parse-server | 7.5 | - | 2026-03-31 |
| CVE-2026-32619 | Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private categories | discourse | 5.4 | - | 2026-03-31 |
| CVE-2026-32615 | Discourse: Category group moderators can perform actions on topics in restricted categories without read access | discourse | 7.1 | - | 2026-03-31 |
| CVE-2026-4818 | Some management operations on data streams are not properly restricted when user does not have the necessary privileges | Search Guard FLX | 6.8 | Medium | 2026-03-31 |
| CVE-2026-1710 | WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax | WooPayments: Integrated WooCommerce Payments | 6.5 | Medium | 2026-03-31 |
| CVE-2026-32716 | SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking | scitokens | 8.1 | High | 2026-03-31 |
| CVE-2026-30878 | baserCMS: Mail Form Acceptance Bypass via Public API | basercms | 5.3 | Medium | 2026-03-31 |
| CVE-2026-4248 | Ultimate Member <= 2.11.2 - Authenticated (Contributor+) Sensitive Information Exposure to Account Takeover via Shortcode Template Tag | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | 8.0 | High | 2026-03-27 |
| CVE-2026-4990 | chatwoot Signup Endpoint login improper authorization | chatwoot | 7.3 | High | 2026-03-27 |
| CVE-2026-33954 | LinkAce discloses private notes to unauthorized authenticated users via the web link detail page | LinkAce | 6.5 | Medium | 2026-03-27 |
| CVE-2026-33735 | MyTube has an Improper Access Control that Allows Complete Application Takeover | MyTube | 8.8 | - | 2026-03-27 |
| CVE-2026-34056 | OpenEMR has a Privilege Escalation that Allows a Low-Level User to View Admin-Only Data | openemr | 7.7 | High | 2026-03-25 |
| CVE-2026-34051 | OpenEMR has Improper ACL On Import/Export Popup | openemr | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33222 | NATS JetStream has an authorization bypass through its Management API | nats-server | 4.9 | Medium | 2026-03-25 |
| CVE-2026-33162 | Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions | cms | 4.3 | - | 2026-03-24 |
| CVE-2026-33680 | Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation | vikunja | 7.5 | High | 2026-03-24 |
| CVE-2026-33668 | Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect | vikunja | 4.4 | - | 2026-03-24 |
| CVE-2026-4617 | SourceCodester Patients Waiting Area Queue Management System Patient Check-In api_patient_checkin.php ValidateToken improper authorization | Patients Waiting Area Queue Management System | 7.3 | High | 2026-03-24 |
| CVE-2026-32300 | Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information | connect-cms | 8.1 | High | 2026-03-23 |
| CVE-2025-10731 | ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.12 - Unauthenticated Sensitive Information Exposure to Data Export | ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema | 5.3 | Medium | 2026-03-23 |
| CVE-2025-10736 | ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.10 - Incorrect Authorization to Unauthenticated Information Exposure and Data Manipulation | ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema | 6.5 | Medium | 2026-03-23 |
| CVE-2026-4548 | mickasmt next-saas-stripe-starter update-user-role.ts updateUserrole improper authorization | next-saas-stripe-starter | 6.3 | Medium | 2026-03-22 |
| CVE-2026-2294 | UiPress lite \| Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update | UiPress lite \| Effortless custom dashboards, admin themes and pages | 4.3 | Medium | 2026-03-21 |
| CVE-2026-33186 | gRPC-Go has an authorization bypass via missing leading slash in :path | grpc-go | 9.1 | Critical | 2026-03-20 |
| CVE-2026-31836 | Mass Assignment Privilege Escalation in Checkmate | Checkmate | 8.1 | High | 2026-03-20 |
| CVE-2026-33125 | Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts | frigate | 7.1 | High | 2026-03-20 |
| CVE-2026-32692 | Unauthorized update of out-of-scope Vault secrets | Juju | 7.6 | High | 2026-03-18 |
| CVE-2026-21886 | OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities | opencti | 6.5 | Medium | 2026-03-17 |

In total, 967 CVEs are classified as CWE-285 (Improper Authorization); the table above shows a subset, newest first. The CWE entry describes only the weakness class (an authorization check that is missing, incomplete, or applied to the wrong object); consult each CVE for the product-specific impact.
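A minimal illustration of the weakness class, added here as an example. It is constructed code, not taken from any project listed above, and it does not describe how any listed CVE works. It shows a path-scoped authorization check done two ways: a raw string-prefix test, which authorizes `/database/secret` under a grant for `/data` and accepts un-normalized paths such as `/data/../admin`, and a check that canonicalizes the requested path and compares on segment boundaries. The function names, the scope format (a granted path prefix) and the sample paths are assumptions for the illustration.

```python
"""
CWE-285 (Improper Authorization) illustrated with a path-scoped grant check.

Constructed example: the scope format (a granted path prefix such as "/data")
and all sample paths are assumptions, not taken from any listed project.
"""
import posixpath


def naive_scope_allows(granted_prefix: str, requested_path: str) -> bool:
    """VULNERABLE: a plain string-prefix test.

    It ignores path-segment boundaries ("/data" matches "/database/secret")
    and it trusts the raw request path ("/data/../admin" still starts with
    "/data"), so the object the check approves is not the object the
    handler later resolves.
    """
    return requested_path.startswith(granted_prefix)


def canonicalize(path: str) -> str:
    """Canonical form used for the authorization decision.

    Forces exactly one leading slash (posixpath.normpath would keep a
    leading "//" intact, which is why the slashes are stripped first), then
    collapses ".", ".." and repeated separators. The request dispatcher must
    resolve the same canonical form, otherwise the check and the handler
    disagree about which resource is being accessed.
    """
    path = "/" + path.lstrip("/")
    return posixpath.normpath(path)


def scope_allows(granted_prefix: str, requested_path: str) -> bool:
    """HARDENED: compare canonical paths on segment boundaries only."""
    prefix = canonicalize(granted_prefix)
    target = canonicalize(requested_path)
    if prefix == "/":
        return True  # a root grant covers everything
    return target == prefix or target.startswith(prefix + "/")


def authorize(granted_prefixes, requested_path: str) -> bool:
    """Deny by default; allow only if some grant covers the canonical path."""
    return any(scope_allows(p, requested_path) for p in granted_prefixes)


def compare(granted_prefix: str, paths):
    """Return (path, naive_verdict, hardened_verdict) for each sample path,
    so the divergence between the two checks is visible side by side."""
    return [
        (p, naive_scope_allows(granted_prefix, p), scope_allows(granted_prefix, p))
        for p in paths
    ]


if __name__ == "__main__":
    # Constructed sample requests against a grant for "/data".
    samples = [
        "/data/report.csv",   # legitimately in scope
        "/data",              # the granted node itself
        "/database/secret",   # sibling that shares a string prefix only
        "/data/../admin",     # traversal out of scope
        "//data/./x",         # un-normalized but in scope
        "data/x",             # missing leading slash
    ]
    for path, naive, hardened in compare("/data", samples):
        print(f"{path:20} naive={naive!s:5} hardened={hardened!s:5}")
```

Running the block prints the two verdicts side by side: the naive check approves `/database/secret` and `/data/../admin`, while the hardened check rejects both and still approves the un-normalized in-scope forms. The general lesson for the CVE titles above is that the authorization layer and the resource resolver must agree on the identity of the object before the decision is made.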