CWE-266

Incorrect Privilege Assignment

Parent: CWE-269 - Improper Privilege Management

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

The titles in the list below show the two shapes this usually takes: a handler that lets the requester supply a privilege-bearing attribute (a role on a profile, password or role-management handler; an ownership transfer parameter such as newOwnerUserId on a transfer endpoint), or a credential minted with more permissions than the operation needs (the SAS token entry). Several entries carry "Improper Authorization" or "Auth Bypass" titles but are filed under CWE-266 here; when triaging, check whether the root cause is a wrong grant (CWE-266, fix by tightening what can be assigned and by whom) or a missing check on a privilege the actor legitimately holds (CWE-862 Missing Authorization / CWE-285 Improper Authorization, fix by adding the check), because the remediation differs.
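As an added example (not code from any product in the list below), the two common shapes of CWE-266 side by side with a hardened version of each: a self-service handler that mass-assigns a client-controlled roles field, and a role handler that checks the caller may manage users but not which roles it may hand out. All names (User, ROLE_PERMS, GRANTABLE, update_profile, assign_role, refused) are hypothetical, and the in-memory users are constructed test data.

```python
# Added example, not code from any product in the CWE-266 list.
# All names here (User, ROLE_PERMS, GRANTABLE, update_profile*, assign_role*,
# refused) are hypothetical; the in-memory users are constructed test data.
from dataclasses import dataclass, field


class AuthzError(Exception):
    """Raised when a privilege assignment is refused."""


# Server-side policy: which permissions each role carries.
ROLE_PERMS = {
    "user":    {"profile:read", "profile:write"},
    "support": {"profile:read", "profile:write", "orders:read"},
    "manager": {"profile:read", "profile:write", "orders:read", "users:manage"},
    "admin":   {"profile:read", "profile:write", "orders:read", "orders:write",
                "users:manage", "system:config"},
}

# Which roles a holder of a given role may grant (least privilege: a manager
# can onboard staff but cannot create admins).
GRANTABLE = {
    "manager": {"user", "support"},
    "admin":   {"user", "support", "manager", "admin"},
}


@dataclass
class User:
    uid: int
    email: str = ""
    roles: set = field(default_factory=lambda: {"user"})

    def perms(self) -> set:
        return set().union(*(ROLE_PERMS[r] for r in self.roles))


# --- Pattern 1: privilege assigned through a self-service handler ------------

def update_profile_vulnerable(actor: User, payload: dict) -> User:
    """Binds every field of the request body onto the user (mass assignment).

    'roles' is therefore client-controlled: an ordinary user who sends
    {"email": "...", "roles": ["admin"]} is assigned admin by the product.
    """
    for key, value in payload.items():
        setattr(actor, key, set(value) if key == "roles" else value)
    return actor


SELF_EDITABLE = {"email"}  # allowlist; privilege-bearing fields are absent by design


def update_profile(actor: User, payload: dict) -> User:
    """Hardened: only allowlisted, non-privilege fields can be set here."""
    unexpected = set(payload) - SELF_EDITABLE
    if unexpected:
        raise AuthzError(f"fields not editable via profile: {sorted(unexpected)}")
    for key, value in payload.items():
        setattr(actor, key, value)
    return actor


# --- Pattern 2: role handler that grants more than the granter holds ---------

def assign_role_vulnerable(actor: User, target: User, role: str) -> User:
    """Checks that the caller may manage users, but not *which* roles it may
    grant, so a manager can promote anyone, including itself, to admin."""
    if "users:manage" not in actor.perms():
        raise AuthzError("caller may not manage users")
    if role not in ROLE_PERMS:
        raise AuthzError(f"unknown role {role!r}")
    target.roles.add(role)
    return target


def assign_role(actor: User, target: User, role: str) -> User:
    """Hardened: the granted role must be in the granter's delegation set and
    must never carry a permission the granter does not hold itself."""
    if "users:manage" not in actor.perms():
        raise AuthzError("caller may not manage users")
    if role not in ROLE_PERMS:
        raise AuthzError(f"unknown role {role!r}")
    grantable = set().union(*(GRANTABLE.get(r, set()) for r in actor.roles))
    if role not in grantable:
        raise AuthzError(f"{sorted(actor.roles)} may not grant {role!r}")
    # Defence in depth against a misconfigured GRANTABLE entry: a grant can
    # never hand out a permission the granter lacks.
    if not ROLE_PERMS[role] <= actor.perms():
        raise AuthzError(f"granting {role!r} would exceed the caller's own privileges")
    target.roles.add(role)
    return target


def refused(fn, *args) -> bool:
    """True if the assignment was rejected with AuthzError, False if it went through."""
    try:
        fn(*args)
    except AuthzError:
        return True
    return False


if __name__ == "__main__":
    victim = update_profile_vulnerable(User(1), {"email": "a@example.test", "roles": ["admin"]})
    print("vulnerable profile handler gave user 1:", sorted(victim.perms()))
    print("hardened profile handler refused roles:", refused(update_profile, User(2), {"roles": ["admin"]}))
    mgr = User(3, roles={"manager"})
    print("hardened role handler refused manager->admin self-grant:", refused(assign_role, mgr, mgr, "admin"))
```

The useful check when reviewing a real handler is the same as the two hardened functions make explicit: enumerate which fields of the request can influence roles, ownership or token scope, and for each one confirm that the server derives the value from policy rather than accepting it from the caller, and that a grant can never exceed what the granting actor itself holds.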

914 vulnerabilities are recorded with CWE-266; the 25 listed below are a subset, ordered by CVE ID descending.
CVE ID | Severity | CVSS | Affected product and issue
CVE-2025-10675 | MEDIUM | 4.3 | fuyang_lipengjun platform 1.0 - Incorrect Privilege Assignment in AttributeController
CVE-2025-10674 | MEDIUM | 4.3 | fuyang_lipengjun platform 1.0 - Improper Authorization in AttributeCategoryController
CVE-2025-10644 | CRITICAL | 9.4 | Wondershare Repairit - Unauthenticated Authentication Bypass via SAS Token Permission Assignment
CVE-2025-10608 | MEDIUM | 6.3 | Portabilis i-educar < 2.10.0 - Incorrect Privilege Assignment in Enrollment History Endpoint
CVE-2025-10422 | MEDIUM | 4.3 | newbee-mall < 2023-10-09 - Improper Authorization via Order Status Handler
CVE-2025-10390 | MEDIUM | 5.4 | crmeb < 5.6.1 - Improper Authorization via UserAddressServices editAddress Function
CVE-2025-10389 | MEDIUM | 5.4 | crmeb < 5.6.1 - Incorrect Privilege Assignment in Administrator Password Handler
CVE-2025-10384 | MEDIUM | 5.4 | RuoYi < 4.8.1 - Improper Authorization via Role Handler
CVE-2025-10374 | HIGH | 7.3 | Shenzhen Sixun Business Management System 7/11 - Auth Bypass
CVE-2025-10319 | MEDIUM | 4.3 | JeecgBoot < 3.8.2 - Improper Authorization in Tenant Log Export
CVE-2025-10318 | MEDIUM | 6.3 | JeecgBoot < 3.8.2 - Improper Authorization via WebSocket Message Handler
CVE-2025-10291 | MEDIUM | 6.3 | linlinjava litemall < 1.8.0 - Improper Authorization via WxAftersaleController ID Parameter
CVE-2025-10278 | MEDIUM | 6.3 | ruoyi-vue-pro < 2025.09 - Improper Authorization via /crm/contact/transfer ids Parameter
CVE-2025-10277 | MEDIUM | 6.3 | yudao-cloud < 2025.09 - Improper Authorization via /crm/receivable/submit ID Parameter
CVE-2025-10276 | MEDIUM | 6.3 | ruoyi-vue-pro < 2025.09 - Improper Authorization via /crm/contract/transfer id/newOwnerUserId
CVE-2025-10275 | MEDIUM | 6.3 | yudao-cloud < 2025.09 - Improper Authorization via /crm/business/transfer ids/newOwnerUserId Manipulation
CVE-2025-10247 | MEDIUM | 6.3 | JEPaaS 7.2.8 - Incorrect Privilege Assignment in Filter Handler
CVE-2025-10209 | MEDIUM | 5.4 | Papermerge DMS < 3.5.3 - Auth Bypass
CVE-2025-10086 | MEDIUM | 6.3 | fuyang_lipengjun platform 1.0.0 - Incorrect Privilege Assignment in AdPositionController
CVE-2025-10084 | MEDIUM | 4.3 | eladmin < 2.7 - Improper Authorization in SysLogController Error Log Detail Query
CVE-2025-10073 | MEDIUM | 4.3 | Portabilis i-educar < 2.10.0 - Broken Object Level Authorization via /module/Api/turma
CVE-2025-10072 | MEDIUM | 6.3 | Portabilis i-educar < 2.10.0 - Incorrect Privilege Assignment in /matricula/[ID_STUDENT]/enturmar/ Endpoint
CVE-2025-10071 | MEDIUM | 6.3 | Portabilis i-educar < 2.10.0 - Incorrect Privilege Assignment in /cancelar-enturmacao-em-lote/ Endpoint
CVE-2025-10070 | MEDIUM | 6.3 | Portabilis i-educar < 2.10.0 - Incorrect Privilege Assignment in /enturmacao-em-lote/ Endpoint
CVE-2025-10014 | LOW | 3.1 | eladmin < 2.7 - Improper Authorization via Email Address Handler