
CWE-862 (Missing Authorization) — Vulnerability Class 5524

5524 vulnerabilities classified as CWE-862 (Missing Authorization). AI Chinese analysis included.

CVSS and Severity values marked "(AI)" carry the source page's "AI" tag next to the score.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-39485 | WordPress Youtube Embed Plus plugin <= 14.2.4 - Broken Access Control vulnerability | Youtube Embed Plus | 8.2 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-39477 | WordPress CartFlows plugin <= 2.2.3 - Broken Access Control vulnerability | CartFlows | 8.1 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-39476 | WordPress User Feedback plugin <= 1.10.1 - Broken Access Control vulnerability | User Feedback | 8.2 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-3477 | PZ Frontend Manager <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter | PZ Frontend Manager | 5.3 | Medium | 2026-04-08 |
| CVE-2026-3480 | WP Blockade <= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter | WP Blockade – Visual Page Builder | 6.5 | Medium | 2026-04-08 |
| CVE-2026-4299 | MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API | MainWP Child Reports | 5.3 | Medium | 2026-04-08 |
| CVE-2026-3646 | LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update | LTL Freight Quotes – R+L Carriers Edition | 5.3 | Medium | 2026-04-08 |
| CVE-2026-4003 | Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action | Users manager – PN | 9.8 | Critical | 2026-04-08 |
| CVE-2026-2263 | Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation | Hustle – Email Marketing, Lead Generation, Optins, Popups | 5.3 | Medium | 2026-04-07 |
| CVE-2026-4065 | Smart Slider 3 <= 3.5.1.33 - Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation | Smart Slider 3 | 5.4 | Medium | 2026-04-07 |
| CVE-2026-39401 | Privilege Escalation via update_event Job Output in Cronicle | Cronicle | 8.1 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-39397 | @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections | payload-puck | 9.4 | Critical | 2026-04-07 |
| CVE-2026-39360 | RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration | rustfs | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39355 | Genealogy is Missing Authorization in `TeamController::transferOwnership()` Allows Any Authenticated User to Hijack Any Team (Broken Access Control) | genealogy | 10.0 | Critical | 2026-04-07 |
| CVE-2026-39351 | Frappe allows unrestricted Doctype access via API exploit | frappe | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-39348 | OrangeHRM is Missing Authorization Checks in AbstractFileController Subclasses Expose Job Specification and Vacancy Attachments | orangehrm | 6.5 | - | 2026-04-07 |
| CVE-2026-22680 | OpenViking < 0.3.3 Missing Authorization via Task Polling | OpenViking | 5.3 | Medium | 2026-04-07 |
| CVE-2026-22683 | Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE | Windmill CE (Community Edition) | 8.8 | High | 2026-04-07 |
| CVE-2026-35606 | File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check | filebrowser | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2025-14944 | Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage | BackupBliss – Backup & Migration with Free Cloud Storage | 5.3 | Medium | 2026-04-07 |
| CVE-2026-4292 | Privilege abuse in ModelAdmin.list_editable | Django | 9.1 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-4277 | Privilege abuse in GenericInlineModelAdmin | Django | 9.8 (AI) | Critical (AI) | 2026-04-07 |
| CVE-2026-33866 | Authorization Bypass in MLflow AJAX Endpoint | Mlflow | 4.3 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-34903 | WordPress Ocean Extra plugin <= 2.5.3 - Broken Access Control vulnerability | Ocean Extra | 5.4 | Medium | 2026-04-07 |
| CVE-2026-34899 | WordPress LTL Freight Quotes – Worldwide Express Edition plugin <= 5.2.1 - Broken Access Control vulnerability | LTL Freight Quotes – Worldwide Express Edition | 5.3 | Medium | 2026-04-07 |
| CVE-2026-35448 | WWBN AVideo Provides Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php | AVideo | 3.7 | Low | 2026-04-06 |
| CVE-2026-35182 | Missing Authorization Privilege Escalation | BraveCMS-2.0 | 8.8 | High | 2026-04-06 |
| CVE-2026-35179 | WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php | AVideo | 5.3 | Medium | 2026-04-06 |
| CVE-2026-35175 | Ajenti has an authorization bypass during custom package installation | ajenti | 6.5 (AI) | Medium (AI) | 2026-04-06 |
| CVE-2026-34976 | Dgraph Affected by Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization | dgraph | 10.0 | Critical | 2026-04-06 |

Vulnerabilities classified as CWE-862 (Missing Authorization) represent 5524 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.