CWE-863 · Incorrect Authorization
3115 CVEs classified under CWE-863 (Incorrect Authorization). Browse by severity and year.

| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-48286 | Critical | 10.0 | 2026-06-30 | Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code… |
| CVE-2026-48772 | Critical | 10.0 | 2026-06-19 | ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY UNKNOWN <ad… |
| CVE-2026-48303 | Critical | 10.0 | 2026-06-09 | Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code… |
| CVE-2026-44330 | Critical | 10.0 | 2026-05-27 | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2… |
| CVE-2026-46595 | Critical | 10.0 | 2026-05-22 | Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key… |
| CVE-2026-33105 | Critical | 10.0 | 2026-04-03 | Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-32213 | Critical | 10.0 | 2026-04-03 | Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-54253 | Critical | 10.0 | 2025-08-05 | Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacke… |
| CVE-2025-26853 | Critical | 10.0 | 2025-03-20 | DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 has a broken authorization schema. |
| CVE-2023-4617 | Critical | 10.0 | 2024-12-19 | Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other… |
| CVE-2023-23924 | Critical | 10.0 | 2023-02-01 | Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This ma… |
| CVE-2022-24783 | Critical | 10.0 | 2022-03-25 | Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicio… |
| CVE-2022-21141 | Critical | 10.0 | 2022-02-18 | MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perfo… |
| CVE-2021-38503 | Critical | 10.0 | 2021-12-08 | The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the… |
| CVE-2021-37705 | Critical | 10.0 | 2021-08-13 | OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authe… |
| CVE-2020-11844 | Critical | 10.0 | 2020-05-29 | Incorrect Authorization vulnerability in Micro Focus Container Deployment Foundation component affects products: - Hybrid Cloud Management. Versions 2018.05 to… |
| CVE-2018-18815 | Critical | 10.0 | 2019-03-07 | The REST API component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for Active… |
| CVE-2026-48781 | Critical | 9.9 | 2026-06-17 | Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a sessio… |
| CVE-2026-45552 | Critical | 9.9 | 2026-06-10 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.be… |
| CVE-2026-41283 | Critical | 9.9 | 2026-06-04 | OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead… |