The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
1,318 vulnerabilities with CWE-285
CVE-2026-39347
LOW
OrangeHRM's Self‑Appraisal Submission of Admin Users Can Be Modified After Completion
CVSS 2.7
CVE-2026-35610
HIGH
PolarLearn <=0-PRERELEASE-14 Account Management - Admin Bypass
CVSS 8.8
CVE-2026-5642
HIGH
Cyber-III Student-Management-System HTTP POST Request update.php improper authorization
CVSS 7.3
CVE-2026-5529
MEDIUM
Dromara lamp-cloud DefUserController pageUser improper authorization
CVSS 4.3
CVE-2026-33105
CRITICAL
Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
CVSS 10.0
CVE-2026-32213
CRITICAL
Azure AI Foundry Elevation of Privilege Vulnerability
CVSS 10.0
CVE-2026-33950
CRITICAL
signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
CVSS 9.4
CVE-2026-5326
MEDIUM
SourceCodester Leave Application System User Information index.php authorization
CVSS 5.3
CVE-2026-5246
MEDIUM
Cesanta Mongoose P-384 Public Key mongoose.c mg_tls_verify_cert_signature authorization
CVSS 5.6
CVE-2026-34222
HIGH
Open WebUI has Broken Access Control in Tool Valves
CVSS 7.7
CVE-2026-5283
MEDIUM
Google Chrome <146.0.7680.178 - Info Disclosure
CVSS 6.5
CVE-2026-34738
MEDIUM
AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter
CVSS 4.3
CVE-2026-34784
HIGH
Parse Server: Streaming file download bypasses afterFind file trigger authorization
CVSS 7.5
CVE-2026-33074
MEDIUM
Discourse Subscriptions Plugin - Higher-Tier Subscription Privilege Escalation
CVSS 5.3
CVE-2026-32619
MEDIUM
Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private categories
CVSS 4.3
CVE-2026-32615
MEDIUM
Discourse: Category group moderators can perform actions on topics in restricted categories without read access
CVSS 5.4
CVE-2026-4818
MEDIUM
Search Guard FLX 3.0.0-4.0.1 - Unauthorized Data Stream Management
CVSS 6.8
CVE-2026-1710
MEDIUM
WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax
CVSS 6.5
CVE-2026-32716
HIGH
SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking
CVSS 8.1
CVE-2026-30878
MEDIUM
baserCMS: Mail Form Acceptance Bypass via Public API
CVSS 5.3
CVE-2026-4248
HIGH
Ultimate Member <= 2.11.2 - Authenticated (Contributor+) Sensitive Information Exposure to Account Takeover via Shortcode Template Tag
CVSS 8.0
CVE-2026-4990
HIGH
chatwoot Signup Endpoint login improper authorization
CVSS 7.3
CVE-2026-33954
MEDIUM
LinkAce discloses private notes to unauthorized authenticated users via the web link detail page
CVSS 6.5
CVE-2026-4958
LOW
OpenBMB XAgent WebSocket Endpoint replayer.py ReplayServer.send_data authorization
CVSS 3.1
CVE-2026-33735
HIGH
MyTube <1.8.69 Database Import - Application Takeover
CVSS 8.8
Details
Vulnerabilities: 1,318
Exploit Likelihood: High