CVEリスト - 高リスク・悪用確認済み脆弱性 ATT&CK の技法:Privilege Escalation / Missing Authorization

MITRE ATT&CK CVE list for this attack path. Use risk scores and timeline to decide what to patch first and what to track next.

CVSS スコア
表示中 120 (ほかにも結果があります)
«« 先頭 « 前へ 1 ページ目 次へ »
CVE 説明 CVSS 最大値 EPSS(%) 公開 更新
CVE-2026-44771 SAP S/4HANA Draft operation does not perform necessary authorization checks for an authenticated user, a restricted user could access information within the entity resulting in escalation of privileges. This results in low impact on confidentiality, with no impact on integrity and availability of the application. 4.3 該当なし 2026-07-13 2026-07-13
CVE-2026-44770 SAP Create Single Payment does not perform necessary authorization checks for an authenticated user, a restricted user could access specific entity set keys resulting in disclosure of information. This has low impact on confidentiality, with no impact on integrity and availability of the application. 4.3 該当なし 2026-07-13 2026-07-13
CVE-2026-62328 9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware. 8.7 該当なし 2026-07-13 2026-07-13
CVE-2026-62194 OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can exploit misconfigured input paths or enabled features to escalate privileges and perform unauthorized actions when the feature is reachable. 8.7 該当なし 2026-07-13 2026-07-13
CVE-2026-62191 OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in message mutation handling that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to skip requester authorization and execute privileged operations when the affected feature is enabled and reachable. 7.1 該当なし 2026-07-13 2026-07-13
CVE-2026-62186 OpenClaw versions before 2026.6.8 contain an authorization bypass vulnerability in OpenAI-compatible HTTP model overrides that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to bypass admin authorization policies and execute restricted operations. 7.2 該当なし 2026-07-13 2026-07-13
CVE-2026-58410 ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another family’s `familyId` and access records outside their own family scope. The backend trusts the attacker-controlled `familyId` and loads the corresponding family entity by ID without verifying that the requeste 7.1 該当なし 2026-07-13 2026-07-13
CVE-2026-58408 ChurchCRM is an open-source church management system. Prior to version 7.4.0, a low-privileged user can bypass the /admin/export UI and exfiltrate the entire member directory. The POST /CSVCreateFile.php endpoint generates and streams a CSV containing the full Personally Identifiable Information (PII) of every Person/Family record in the database, without performing any feature-level or object-level authorization check beyond the coarse "has any admin permission" gate inherited from the legacy p 6.5 該当なし 2026-07-13 2026-07-13
CVE-2026-9824 Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676 4.3 該当なし 2026-07-13 2026-07-13
CVE-2026-9820 Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671 3.8 該当なし 2026-07-13 2026-07-13
CVE-2026-14934 A Missing Authorization vulnerability in the repository creation functionality in Google Cloud BigQuery, Dataform and Colab Enterprise, in the versions between October 2025 and May 10th, 2026, on Google Cloud Platform, allows an authenticated attacker to escalate privileges and perform cross-tenant repository takeover. This vulnerability was patched on 10 May 2026, and no customer action is needed. 9.4 該当なし 2026-07-13 2026-07-13
CVE-2026-61985 Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.3.7. 5.3 0.29% 2026-07-13 2026-07-13
CVE-2026-61983 Missing Authorization vulnerability in andy_moyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through <= 5.0.30. 5.3 0.29% 2026-07-13 2026-07-13
CVE-2026-61968 Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 3.1.2. 5.4 0.29% 2026-07-13 2026-07-13
CVE-2026-61958 Missing Authorization vulnerability in Saad Iqbal License Manager for WooCommerce license-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects License Manager for WooCommerce: from n/a through <= 3.0.17. 5.4 0.29% 2026-07-13 2026-07-13
CVE-2026-61952 Missing Authorization vulnerability in Jose Vega WooCommerce Bulk Edit Products – WP Sheet Editor woo-bulk-edit-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Edit Products – WP Sheet Editor: from n/a through <= 1.8.21. 4.9 0.33% 2026-07-13 2026-07-13
CVE-2026-59523 Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.11.11. 6.5 0.27% 2026-07-13 2026-07-13
CVE-2026-57812 Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.12.4. 6.5 0.33% 2026-07-13 2026-07-13
CVE-2026-57797 Missing Authorization vulnerability in ThemeMove EduMall edumall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EduMall: from n/a through <= 4.5.1. 4.3 0.33% 2026-07-13 2026-07-13
CVE-2026-57782 Missing Authorization vulnerability in PressTigers Universal Clocks universal-clocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Universal Clocks: from n/a through <= 1.2.0. 5.3 0.29% 2026-07-13 2026-07-13
«« 先頭 « 前へ 1 / 2 次へ »
cvelogic Threat Intelligence