
CWE-276 (Incorrect Default Permissions) — Vulnerability Class, 448 CVEs

448 vulnerabilities are classified as CWE-276 (Incorrect Default Permissions). AI-generated Chinese analysis is included.

CWE-276 is a configuration weakness in which a software installation process assigns overly permissive access rights to the files it creates, often granting read, write and execute permission to every user on the system. Because the files are writable by everyone, any local user can modify or replace critical application binaries, configuration files or scripts without needing any additional privileges. By altering these unprotected resources, an attacker can inject malicious code, escalate privileges, or compromise system integrity, bypassing security controls that rely on file integrity. To mitigate this risk, developers must apply the principle of least privilege during deployment: explicitly set restrictive permissions, such as read-only access for general users and write access only for administrators. Automated installation scripts should verify and enforce these secure defaults, so that sensitive files cannot be altered by unauthorized users and the security posture of the deployed environment is preserved.

MITRE CWE Description
During installation, installed file permissions are set to allow anyone to modify those files.

Common Consequences (1)
Scope: Confidentiality, Integrity. Technical impact: Read Application Data, Modify Application Data.

Mitigations (2)
Phase: Architecture and Design, Operation. Restrict the access and modification attributes of files to only those users who actually require those actions.
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
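One way to implement the verification step the description and the first mitigation call for, as an added example that is not part of this page or of the CWE entry: a Python audit that walks an install tree, flags every file or directory that group or world users can modify (including world-writable directories without the sticky bit, where any user can replace other users' files), and clears those bits. The sample tree it builds in a temporary directory, and the names bin/agent, logs and agent.conf in it, are constructed for the demonstration.

```python
import os
import stat
import tempfile

def audit_permissions(root, allow_group_write=False):
    """Return (path, octal mode, reason) for each entry under root that users
    other than the owner can modify; directories are checked as well."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless; audit its target
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                reason = "world-writable"
                # Without the sticky bit any user may delete or replace files here.
                if stat.S_ISDIR(st.st_mode) and not mode & stat.S_ISVTX:
                    reason += " directory without sticky bit"
                findings.append((path, oct(mode), reason))
            elif mode & stat.S_IWGRP and not allow_group_write:
                findings.append((path, oct(mode), "group-writable"))
    return findings

def enforce_least_privilege(findings):
    """Clear group/other write bits on each flagged path; returns the paths fixed."""
    for path, _mode, _reason in findings:
        current = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, current & ~(stat.S_IWGRP | stat.S_IWOTH))
    return [path for path, _mode, _reason in findings]

def build_sample_tree():
    """Constructed install tree with two deliberate CWE-276 mistakes."""
    root = tempfile.mkdtemp(prefix="cwe276-")  # created 0o700, so not flagged
    os.mkdir(os.path.join(root, "bin"), 0o755)
    os.mkdir(os.path.join(root, "logs"))
    os.chmod(os.path.join(root, "logs"), 0o777)  # mistake: world-writable, no sticky bit
    for rel, mode in (("bin/agent", 0o777), ("agent.conf", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("placeholder content\n")
        os.chmod(path, mode)  # 0o777 on the binary is the mistake; 0o644 is correct
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for path, mode, reason in audit_permissions(root):
        print(f"{mode} {reason}: {path}")
    print("fixed:", enforce_least_privilege(audit_permissions(root)))
```

Run against a real install root, the audit lists exactly the entries a CWE-276 finding would name; the enforcement step only removes write bits, so owner permissions and execute bits are left untouched.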
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-2026 | Improper Access Control Allows Denial of Service | Agent | 6.1 | Medium | 2026-02-13
CVE-2026-25931 | vscode-spell-checker has a workspace-trust bypass Code Execution | vscode-spell-checker | 7.8 | High | 2026-02-09
CVE-2020-37160 | SprintWork 2.3.1 - Local Privilege Escalation | SprintWork | 6.2 | Medium | 2026-02-06
CVE-2025-15333 | Tanium addressed an information disclosure vulnerability in Threat Response. | Threat Response | 4.3 | Medium | 2026-02-05
CVE-2025-15334 | Tanium addressed an information disclosure vulnerability in Threat Response. | Threat Response | 4.3 | Medium | 2026-02-05
CVE-2025-15335 | Tanium addressed an information disclosure vulnerability in Threat Response. | Threat Response | 4.3 | Medium | 2026-02-05
CVE-2025-15341 | Tanium addressed an incorrect default permissions vulnerability in Benchmark. | Benchmark | 6.5 | Medium | 2026-02-05
CVE-2025-15338 | Tanium addressed an incorrect default permissions vulnerability in Partner Integration. | Partner Integration | 6.5 | Medium | 2026-02-05
CVE-2025-15340 | Tanium addressed an incorrect default permissions vulnerability in Comply. | Comply | 6.5 | Medium | 2026-02-05
CVE-2025-15339 | Tanium addressed an incorrect default permissions vulnerability in Discover. | Discover | 6.5 | Medium | 2026-02-05
CVE-2025-15336 | Tanium addressed an incorrect default permissions vulnerability in Performance. | Performance | 6.5 | Medium | 2026-02-05
CVE-2025-15337 | Tanium addressed an incorrect default permissions vulnerability in Patch. | Patch | 6.5 | Medium | 2026-02-05
CVE-2025-15343 | Tanium addressed an incorrect default permissions vulnerability in Enforce. | Enforce | 6.5 | Medium | 2026-02-05
CVE-2020-37129 | Memu Play 7.1.3 - Insecure Folder Permissions | Memu Play | 9.8 | Critical | 2026-02-05
CVE-2025-10314 | Malicious Code Execution Vulnerability in Mitsubishi Small-Capacity UPS Shutdown Software FREQSHIP-mini for Windows | FREQSHIP-mini for Windows | 8.8 | High | 2026-02-05
CVE-2026-24414 | Icinga for Windows certificate can have too-open permissions | icinga-powershell-framework | 5.5 (AI) | Medium (AI) | 2026-01-29
CVE-2026-24413 | Icinga has insecure permission of %ProgramData%\icinga2\var on Windows | icinga2 | 5.5 (AI) | Medium (AI) | 2026-01-29
CVE-2025-13905 | Schneider Electric EcoStruxure Process Expert security vulnerability | EcoStruxure™ Process Expert | 7.8 (AI) | High (AI) | 2026-01-29
CVE-2026-0705 | Acronis Cloud Manager security vulnerability | Acronis Cloud Manager | 7.8 (AI) | High (AI) | 2026-01-27
CVE-2025-15523 | TCC Bypass via Inherited Permissions in Bundled Interpreter in Inkscape.app | Inkscape | 6.6 (AI) | Medium (AI) | 2026-01-22
CVE-2021-47852 | Rockstar Service - Insecure File Permissions | Rockstar Games Launcher | 8.8 | High | 2026-01-21
CVE-2021-47761 | MilleGPG5 5.7.2 Luglio 2021 (x64) - Local Privilege Escalation | MilleGPG5 | 7.8 | High | 2026-01-15
CVE-2025-64724 | Arduino IDE for macOS has Insecure File Permissions | arduino-ide | 7.3 (AI) | High (AI) | 2025-12-18
CVE-2025-64723 | Arduino IDE for macOS has TCC Bypass via Dynamic Library Injection | arduino-ide | 8.0 (AI) | High (AI) | 2025-12-18
CVE-2025-13155 | Lenovo Baiying Client security vulnerability | Baiying Client | 7.8 | High | 2025-12-10
CVE-2025-59030 | Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor | Recursor | 7.5 | High | 2025-12-09
CVE-2025-57850 | Codeready-ws: privilege escalation via excessive /etc/passwd permissions | Red Hat OpenShift Dev Spaces | 6.4 | Medium | 2025-12-02
CVE-2025-59485 | Intercom MaLion Security Point security vulnerability | Security Point (Windows) of MaLion | 7.3 (AI) | High (AI) | 2025-11-25
CVE-2025-54866 | Wazuh installation fails to protect authd.pass on Windows | wazuh | 7.1 | - | 2025-11-21
CVE-2025-58097 | LogStare Collector security vulnerability | LogStare Collector (for Windows) | 8.8 | - | 2025-11-21

Scores and severities marked "(AI)" are AI-estimated rather than taken from the published advisory; "-" means no severity is recorded.

Vulnerabilities classified as CWE-276 (Incorrect Default Permissions) account for 448 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.