Skip to main content

CWE-280

Improper Handling of Insufficient Permissions or Privileges

132 CVEs Avg CVSS 6.3 MITRE
5
CRITICAL
52
HIGH
63
MEDIUM
12
LOW
10
POC
0
KEV

Monthly

CVE-2026-62393 MEDIUM This Month

Improper authorization in Apache Kylin's REST API job endpoints allows authenticated users to retrieve job metadata from projects they are not authorized to access. The `JobController.getJobList` and `JobController.getJobDetail` endpoints lack project-scoped permission verification, meaning any authenticated user can query build job information across project boundaries within a shared Kylin deployment. Apache Kylin versions 4 through 5.0.3 are affected; no public exploit code or active exploitation has been identified at time of analysis.

Apache Authentication Bypass Kylin
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2026-45196 HIGH This Week

Privilege escalation in Imagination Technologies' Graphics DDK GPU driver allows kernel-level software inside a Host VM to post malformed commands to the GPU firmware, forcing an improper GPU register access that can be leveraged to gain elevated privileges. The flaw (CWE-280, improper handling of permissions) affects multiple DDK release branches from 1.18 through 26.1 and is rated CVSS 7.8 (local, low complexity). There is no public exploit identified at time of analysis, and its EPSS probability is low (0.14%).

Privilege Escalation Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-54262 PyPI MEDIUM PATCH This Month

Authorization bypass in Wagtail CMS allows authenticated low-privilege users to create translations for pages beyond their permitted scope. Versions prior to 7.0.8, 7.3.3, and 7.4.2 fail to enforce page-level permission checks when a user submits a translation request, exposing content of restricted pages to anyone holding the 'Can submit translation' permission. No public exploit code or active exploitation (CISA KEV) has been identified, but the low attack complexity and network-accessible vector make this straightforward to abuse for information disclosure.

Python Information Disclosure Wagtail
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-54261 PyPI MEDIUM PATCH This Month

Missing authorization on the image preview endpoint in Wagtail CMS allows any authenticated admin-panel user to render previews of images they do not have permission to access. Affected across three maintained release branches - all Wagtail versions prior to 7.0.8, 7.3.3, and 7.4.2. No public exploit has been identified at time of analysis, and exploitation is strictly bounded to users holding valid Wagtail admin credentials, making this a privileged-insider or compromised-account risk rather than an external threat.

Python Information Disclosure Wagtail
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54259 PyPI MEDIUM PATCH This Month

Wagtail's Documents and Images chooser endpoint leaks asset metadata - including filenames, display names, and URLs - to authenticated admin users who have been explicitly denied collection-level choose permissions. Versions prior to 7.0.8, 7.3.3, and 7.4.2 are affected across the 7.0, 7.3, and 7.4 release branches. An attacker with a valid Wagtail admin account can enumerate restricted media assets across collections beyond their authorized scope, bypassing the collection permission model. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Python Information Disclosure Wagtail
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-20463 MEDIUM This Month

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System-level access to bypass permission enforcement (CWE-280) and escalate further within the device. The vulnerability is confirmed by MediaTek in their July 2026 Product Security Bulletin (Patch ID: MOLY01716533, Issue ID: MSV-6309) and affects a broad swath of chipsets spanning low-end to flagship tiers. No user interaction is required for exploitation, but the prerequisite of System-level access significantly constrains the realistic attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis.

Privilege Escalation Mediatek Chipset
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-45195 HIGH This Week

Improper privilege handling in Imagination Technologies' Graphics DDK GPU driver lets privileged kernel code inside a Host VM submit crafted commands to the GPU firmware, coercing the firmware into reading or writing host memory outside the range the host kernel is permitted to touch. Affecting Graphics DDK 1.18, 23.2, 24.2, 25.1-25.3 and 26.1 RTM, the flaw enables out-of-bounds host memory access (information disclosure and corruption) through the firmware's elevated memory privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the local code-execution impact (CVSS 7.8) makes it a meaningful local privilege/boundary-bypass concern.

Information Disclosure Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-41566 CRITICAL Act Now

Privilege bypass in Apache Kvrocks exposes the internal APPLYBATCH command without proper permission enforcement, letting an authenticated low-privilege client write raw batches directly to the underlying RocksDB storage engine and bypass the server's command ACL model. The flaw (CWE-280, improper handling of permissions) carries a CVSS 4.0 base of 9.4 due to high integrity and availability impact and an irrecoverable-damage recovery rating. No public exploit identified at time of analysis, and it is not listed in CISA KEV; it was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two sibling Kvrocks CVEs.

Path Traversal Apache
NVD VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-40371 HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft Dynamics 365 (on-premises) allows a remote authenticated attacker with low-level access to gain elevated privileges across the network due to improper handling of insufficient permissions. With a CVSS score of 8.8 and full impact on confidentiality, integrity, and availability, this issue is significant for organizations running on-premises Dynamics 365 deployments. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-11764 LOW PATCH Monitor

Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift card viewing permission to obtain full gift card secret codes by generating a reusable media export. Affected versions span pretix 2024.1.0 through all releases prior to the 2026.5.1 fix, as confirmed by ENISA EUVD-2026-35407. No public exploit exists at time of analysis (CVSS E:U), but successful exploitation undermines organizational permission boundaries and can enable financial fraud against end customers whose gift card balances are exposed.

Information Disclosure Pretix
NVD
CVSS 4.0
3.6
EPSS
0.0%
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper authorization in Apache Kylin's REST API job endpoints allows authenticated users to retrieve job metadata from projects they are not authorized to access. The `JobController.getJobList` and `JobController.getJobDetail` endpoints lack project-scoped permission verification, meaning any authenticated user can query build job information across project boundaries within a shared Kylin deployment. Apache Kylin versions 4 through 5.0.3 are affected; no public exploit code or active exploitation has been identified at time of analysis.

Apache Authentication Bypass Kylin
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Privilege escalation in Imagination Technologies' Graphics DDK GPU driver allows kernel-level software inside a Host VM to post malformed commands to the GPU firmware, forcing an improper GPU register access that can be leveraged to gain elevated privileges. The flaw (CWE-280, improper handling of permissions) affects multiple DDK release branches from 1.18 through 26.1 and is rated CVSS 7.8 (local, low complexity). There is no public exploit identified at time of analysis, and its EPSS probability is low (0.14%).

Privilege Escalation Graphics Ddk
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authorization bypass in Wagtail CMS allows authenticated low-privilege users to create translations for pages beyond their permitted scope. Versions prior to 7.0.8, 7.3.3, and 7.4.2 fail to enforce page-level permission checks when a user submits a translation request, exposing content of restricted pages to anyone holding the 'Can submit translation' permission. No public exploit code or active exploitation (CISA KEV) has been identified, but the low attack complexity and network-accessible vector make this straightforward to abuse for information disclosure.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing authorization on the image preview endpoint in Wagtail CMS allows any authenticated admin-panel user to render previews of images they do not have permission to access. Affected across three maintained release branches - all Wagtail versions prior to 7.0.8, 7.3.3, and 7.4.2. No public exploit has been identified at time of analysis, and exploitation is strictly bounded to users holding valid Wagtail admin credentials, making this a privileged-insider or compromised-account risk rather than an external threat.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Wagtail's Documents and Images chooser endpoint leaks asset metadata - including filenames, display names, and URLs - to authenticated admin users who have been explicitly denied collection-level choose permissions. Versions prior to 7.0.8, 7.3.3, and 7.4.2 are affected across the 7.0, 7.3, and 7.4 release branches. An attacker with a valid Wagtail admin account can enumerate restricted media assets across collections beyond their authorized scope, bypassing the collection permission model. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in the Modem component across 80+ MediaTek chipsets allows an attacker already holding System-level access to bypass permission enforcement (CWE-280) and escalate further within the device. The vulnerability is confirmed by MediaTek in their July 2026 Product Security Bulletin (Patch ID: MOLY01716533, Issue ID: MSV-6309) and affects a broad swath of chipsets spanning low-end to flagship tiers. No user interaction is required for exploitation, but the prerequisite of System-level access significantly constrains the realistic attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis.

Privilege Escalation Mediatek Chipset
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Improper privilege handling in Imagination Technologies' Graphics DDK GPU driver lets privileged kernel code inside a Host VM submit crafted commands to the GPU firmware, coercing the firmware into reading or writing host memory outside the range the host kernel is permitted to touch. Affecting Graphics DDK 1.18, 23.2, 24.2, 25.1-25.3 and 26.1 RTM, the flaw enables out-of-bounds host memory access (information disclosure and corruption) through the firmware's elevated memory privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the local code-execution impact (CVSS 7.8) makes it a meaningful local privilege/boundary-bypass concern.

Information Disclosure Graphics Ddk
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

Privilege bypass in Apache Kvrocks exposes the internal APPLYBATCH command without proper permission enforcement, letting an authenticated low-privilege client write raw batches directly to the underlying RocksDB storage engine and bypass the server's command ACL model. The flaw (CWE-280, improper handling of permissions) carries a CVSS 4.0 base of 9.4 due to high integrity and availability impact and an irrecoverable-damage recovery rating. No public exploit identified at time of analysis, and it is not listed in CISA KEV; it was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two sibling Kvrocks CVEs.

Path Traversal Apache
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft Dynamics 365 (on-premises) allows a remote authenticated attacker with low-level access to gain elevated privileges across the network due to improper handling of insufficient permissions. With a CVSS score of 8.8 and full impact on confidentiality, integrity, and availability, this issue is significant for organizations running on-premises Dynamics 365 deployments. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Information Disclosure Microsoft
NVD VulDB
EPSS 0% CVSS 3.6
LOW PATCH Monitor

Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift card viewing permission to obtain full gift card secret codes by generating a reusable media export. Affected versions span pretix 2024.1.0 through all releases prior to the 2026.5.1 fix, as confirmed by ENISA EUVD-2026-35407. No public exploit exists at time of analysis (CVSS E:U), but successful exploitation undermines organizational permission boundaries and can enable financial fraud against end customers whose gift card balances are exposed.

Information Disclosure Pretix
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy