The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
1,213 vulnerabilities with CWE-285
CVE-2026-35610
HIGH
PolarLearn has a Server Action Admin Bypass in Account Management Actions
CVSS 8.8
CVE-2026-5642
HIGH
Cyber-III Student-Management-System HTTP POST Request update.php improper authorization
CVSS 7.3
CVE-2026-5529
MEDIUM
Dromara lamp-cloud DefUserController pageUser improper authorization
CVSS 4.3
CVE-2026-33105
CRITICAL
Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
CVSS 10.0
CVE-2026-32213
CRITICAL
Azure AI Foundry Elevation of Privilege Vulnerability
CVSS 10.0
CVE-2026-33950
CRITICAL
signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
CVSS 9.4
CVE-2026-5326
MEDIUM
SourceCodester Leave Application System User Information index.php authorization
CVSS 5.3
CVE-2026-5246
MEDIUM
Cesanta Mongoose P-384 Public Key mongoose.c mg_tls_verify_cert_signature authorization
CVSS 5.6
CVE-2026-34222
HIGH
Open WebUI has Broken Access Control in Tool Valves
CVSS 7.7
CVE-2026-5283
MEDIUM
Google Chrome <146.0.7680.178 - Info Disclosure
CVSS 6.5
CVE-2026-34738
MEDIUM
AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
CVSS 4.3
CVE-2026-34784
HIGH
Parse Server: Streaming file download bypasses afterFind file trigger authorization
CVSS 7.5
CVE-2026-33074
MEDIUM
Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions
CVSS 5.3
CVE-2026-32619
MEDIUM
Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private categories
CVSS 4.3
CVE-2026-32615
MEDIUM
Discourse: Category group moderators can perform actions on topics in restricted categories without read access
CVSS 5.4
CVE-2026-4818
MEDIUM
Some management operations on data streams are not properly restricted when user does not have the necessary privileges
CVSS 6.8
CVE-2026-1710
MEDIUM
WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax
CVSS 6.5
CVE-2026-32716
HIGH
SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking
CVSS 8.1
CVE-2026-30878
MEDIUM
baserCMS: Mail Form Acceptance Bypass via Public API
CVSS 5.3
CVE-2026-4248
HIGH
Ultimate Member <= 2.11.2 - Authenticated (Contributor+) Sensitive Information Exposure to Account Takeover via Shortcode Template Tag
CVSS 8.0
CVE-2026-4990
HIGH
chatwoot Signup Endpoint login improper authorization
CVSS 7.3
CVE-2026-33954
MEDIUM
LinkAce discloses private notes to unauthorized authenticated users via the web link detail page
CVSS 6.5
CVE-2026-4958
LOW
OpenBMB XAgent WebSocket Endpoint replayer.py ReplayServer.send_data authorization
CVSS 3.1
CVE-2026-33735
HIGH
MyTube has an Improper Access Control that Allows Complete Application Takeover
CVSS 8.8
CVE-2026-21724
MEDIUM
Missing Protected-field Authorization in Provisioning Contact Points API
CVSS 5.4
Details
Vulnerabilities: 1,213
Exploit Likelihood: High