CWE-648: Incorrect Use of Privileged APIs

65 CVEs classified under CWE-648. Browse by severity and year.

Top CVEs for CWE-648 (the 20 highest-scoring of the 65, ordered by CVSS score)
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-41329 | Critical | 9.9 | 2026-04-21 | OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner… |
| CVE-2024-8785 | Critical | 9.8 | 2024-12-02 | In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in… |
| CVE-2024-11068 | Critical | 9.8 | 2024-11-11 | The D-Link DSL6740C modem has an Incorrect Use of Privileged APIs vulnerability, allowing unauthenticated remote attackers to modify any user’s password by lev… |
| CVE-2023-4972 | Critical | 9.8 | 2023-09-14 | Incorrect Use of Privileged APIs vulnerability in Yepas Digital Yepas allows Collect Data as Provided by Users. This issue affects Digital Yepas: before 1.0.1. |
| CVE-2022-2023 | Critical | 9.8 | 2022-06-20 | Incorrect Use of Privileged APIs in GitHub repository polonel/trudesk prior to 1.2.4. |
| CVE-2019-14813 | Critical | 9.8 | 2019-09-06 | A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scr… |
| CVE-2019-1010178 | Critical | 9.8 | 2019-07-24 | Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/component… |
| CVE-2026-41225 | Critical | 9.1 | 2026-05-13 | A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that… |
| CVE-2026-41386 | Critical | 9.1 | 2026-04-28 | OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pa… |
| CVE-2024-37018 | Critical | 9.1 | 2024-05-31 | The OpenDaylight 0.15.3 controller allows topology poisoning via API requests because an application can manipulate the path that is taken by discovery packets. |
| CVE-2023-29507 | Critical | 9.1 | 2023-04-16 | XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to… |
| CVE-2025-2311 | Critical | 9.0 | 2025-03-20 | Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Te… |
| CVE-2026-35669 | High | 8.8 | 2026-04-10 | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtim… |
| CVE-2026-35663 | High | 8.8 | 2026-04-10 | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. A… |
| CVE-2026-35639 | High | 8.8 | 2026-04-09 | OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve p… |
| CVE-2026-20126 | High | 8.8 | 2026-02-25 | A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with low privileges to gain root privileges on the underlying ope… |
| CVE-2025-54769 | High | 8.8 | 2025-07-29 | An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This ca… |
| CVE-2025-5997 | High | 8.8 | 2025-07-28 | Incorrect Use of Privileged APIs vulnerability in Beamsec PhishPro allows Privilege Abuse. This issue affects PhishPro: before 7.5.4.2. |
| CVE-2025-7344 | High | 8.8 | 2025-07-21 | The EAI developed by Digiwin has a Privilege Escalation vulnerability, allowing remote attackers with regular privileges to elevate their privileges to adminis… |
| CVE-2023-28062 | High | 8.8 | 2023-04-11 | Dell PPDM versions 19.12, 19.11 and 19.10, contain an improper access control vulnerability. A remote authenticated malicious user with low privileges could p… |
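Several of the summaries above share one shape: a backend primitive that runs with elevated rights (reset any account's password, write any registry value, mint an admin scope) is reachable from a request path that never relates the authenticated caller to the object being acted on. The Python below is an added illustration of that CWE-648 pattern written for this page; it is not code from any product or CVE listed, and the AccountStore class, the Caller dataclass, the handler names and the constructed account data are assumptions. It places the vulnerable handler beside a corrected form in which the authorization check lives with the privileged call itself, so no handler can reach the primitive without it.

```python
"""Added example for CWE-648 (Incorrect Use of Privileged APIs).

Not taken from any listed CVE; names and data are constructed for this page.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """Authenticated principal as seen by the request layer (assumed shape)."""
    name: str
    is_admin: bool = False


class AuthorizationError(PermissionError):
    """Raised when a caller may not invoke a privileged operation."""


class AccountStore:
    """Backend that owns the privileged password-setting primitive."""

    ITERATIONS = 10_000  # kept low so the example runs quickly

    def __init__(self, users):
        self._records = {}
        for user, password in users.items():
            self._unchecked_set_password(user, password)

    def _unchecked_set_password(self, user, password):
        """Privileged primitive: rewrites any account, no questions asked.
        Anything that can reach this can take over any account."""
        salt = os.urandom(16)
        self._records[user] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, AccountStore.ITERATIONS
        )

    def set_password(self, caller, target, password):
        """Correct use: the check is enforced where the privilege is, so a
        handler cannot call the privileged operation incorrectly."""
        if target not in self._records:
            raise KeyError(target)
        if not (caller.is_admin or caller.name == target):
            raise AuthorizationError(f"{caller.name} may not reset {target}")
        self._unchecked_set_password(target, password)

    def verify(self, user, password):
        salt, expected = self._records[user]
        return hmac.compare_digest(self._derive(password, salt), expected)


def reset_password_vulnerable(store, caller, target, password):
    """CWE-648 shape: the handler invokes the privileged primitive directly
    and never relates the authenticated caller to the account it changes."""
    store._unchecked_set_password(target, password)
    return True


def reset_password_fixed(store, caller, target, password):
    """Handler routes through the gated API; the check cannot be forgotten."""
    store.set_password(caller, target, password)
    return True


def demo():
    """Constructed scenario: a plain user tries to reset the admin password."""
    alice = Caller("alice")
    admin = Caller("admin", is_admin=True)
    results = {}

    store = AccountStore({"alice": "alice-pw", "admin": "admin-pw"})
    reset_password_vulnerable(store, alice, "admin", "owned")
    results["vulnerable_admin_takeover"] = store.verify("admin", "owned")

    store = AccountStore({"alice": "alice-pw", "admin": "admin-pw"})
    try:
        reset_password_fixed(store, alice, "admin", "owned")
        results["fixed_blocks_takeover"] = False
    except AuthorizationError:
        results["fixed_blocks_takeover"] = True
    results["fixed_admin_intact"] = store.verify("admin", "admin-pw")
    results["fixed_self_reset"] = (
        reset_password_fixed(store, alice, "alice", "new-pw")
        and store.verify("alice", "new-pw")
    )
    results["fixed_admin_resets_other"] = (
        reset_password_fixed(store, admin, "alice", "reset-by-admin")
        and store.verify("alice", "reset-by-admin")
    )
    return results


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The design point is where the check sits: in the vulnerable handler the privileged primitive is a bare function any code path can call, which is exactly the condition the listed advisories describe. Moving the caller/target check into the privileged API itself means a new route or plugin that reaches the backend still inherits the check, rather than having to remember to perform it at the transport layer.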