CWE-862: Missing Authorization

Exploit likelihood: High

Parent: CWE-285 - Improper Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

8,213 vulnerabilities with CWE-862
CVE-2026-4590 (LOW, CVSS 3.1): kalcaddle kodbox loginSubmit API index.class.php cross-site request forgery
CVE-2026-4261 (HIGH, CVSS 8.8): Expire Users <= 1.2.2 - Authenticated (Subscriber+) Privilege Escalation to Administrator via save_extra_user_profile_fields
CVE-2026-4127 (MEDIUM, CVSS 4.3): Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'speedup01_enabled' AJAX Action
CVE-2026-3651 (MEDIUM, CVSS 5.3): Build App Online <= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action
CVE-2026-3645 (MEDIUM, CVSS 5.3): Punnel <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action
CVE-2026-3570 (MEDIUM, CVSS 5.3): Smarter Analytics <= 2.0 - Missing Authorization to Unauthenticated Plugin Settings Reset via 'reset' Parameter
CVE-2026-3506 (MEDIUM, CVSS 5.3): WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover
CVE-2026-3335 (MEDIUM, CVSS 5.3): Canto <= 3.1.1 - Missing Authorization to Unauthenticated File Upload
CVE-2026-2941 (HIGH, CVSS 8.8): Linksy Search and Replace <= 1.0.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Update via linksy_search_and_replace_item_details
CVE-2026-2720 (MEDIUM, CVSS 6.5): Hr Press Lite <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Employee Information Exposure
CVE-2026-1935 (MEDIUM, CVSS 4.3): Company Posts for LinkedIn <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary LinkedIn Post Data Deletion
CVE-2026-1253 (MEDIUM, CVSS 4.3): Group Chat & Video Chat by AtomChat <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update
CVE-2026-3567 (MEDIUM, CVSS 5.3): RepairBuddy <= 4.1132 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via wc_rep_shop_settings_submission AJAX Action
CVE-2026-33427 (HIGH, CVSS 7.5): Discourse Authorization Page Displays Unvalidated Redirect Domain
CVE-2026-33426 (LOW, CVSS 3.5): Discourse users can edit or synonymize hidden tags they can't see
CVE-2026-33425 (MEDIUM, CVSS 5.3): Discourse has inferable private group membership or existence via exclude_groups parameter
CVE-2026-33423 (MEDIUM, CVSS 4.3): Discourse staff can modify any user's group notification level
CVE-2026-33177 (MEDIUM, CVSS 4.3): Statamic is missing authorization check on taxonomy term creation via fieldtype
CVE-2026-22172 (CRITICAL, CVSS 9.9): OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections
CVE-2026-3550 (MEDIUM, CVSS 5.3): RockPress <= 1.0.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via AJAX Actions
CVE-2026-4038 (CRITICAL, CVSS 9.8): Aimogen Pro <= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call
CVE-2026-30889 (MEDIUM, CVSS 4.9): Discourse has Unauthorized Post Data Exposure in discourse-user-notes
CVE-2026-32817 (CRITICAL, CVSS 9.1): Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
CVE-2026-33408 (LOW, CVSS 2.2): Discourse has Improper Authorization in "Post Edits" Report For Moderators
CVE-2026-32818 (MEDIUM, CVSS 6.5): Admidio is Missing Authorization on Forum Topic and Post Deletion