
CWE-280 (Improper Handling of Insufficient Permissions or Privileges) — Vulnerability Class 108

108 vulnerabilities classified as CWE-280 (Improper Handling of Insufficient Permissions or Privileges). AI Chinese analysis included.

CWE-280 represents a critical logic flaw where software fails to adequately manage insufficient permissions or privileges during resource access. This weakness typically arises when applications assume elevated rights are always available, leading to unexpected code paths that may leave the system in an invalid or vulnerable state. Attackers exploit this by manipulating user contexts or environment variables to trigger privilege checks that fail silently or incorrectly, potentially bypassing security controls or causing denial of service. To mitigate this risk, developers must implement robust error handling that explicitly validates access rights before executing sensitive operations. By ensuring the application gracefully degrades or denies access when privileges are lacking, rather than proceeding with incomplete or unsafe actions, teams can prevent unauthorized data exposure and maintain system integrity against privilege-related attacks.

MITRE CWE Description
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
Common Consequences (1)
Scope: Other. Impact: Other, Alter Execution Logic

Mitigations (2)
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…

Phase: Implementation. Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can …
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-6805 | Vulnerability on Cryptobox external sharing feature | Cryptobox | 5.9 (AI) | Medium (AI) | 2026-05-07 |
| CVE-2026-20448 | MediaTek Chipsets Security Vulnerability | MediaTek chipset | 6.7 | - | 2026-05-04 |
| CVE-2026-27910 | Windows Installer Elevation of Privilege Vulnerability | Windows 10 Version 1607 | 7.8 | High | 2026-04-14 |
| CVE-2026-24096 | Insufficient permission validation on multiple REST API Quick Setup endpoints | Checkmk | 8.8 (AI) | High (AI) | 2026-04-01 |
| CVE-2026-2123 | Privilege escalation vulnerability in Operations Agent | Operations Agent | 7.8 | - | 2026-03-31 |
| CVE-2026-3190 | Keycloak: keycloak: information disclosure via improper role enforcement in uma 2.0 protection api | Red Hat build of Keycloak 26.4 | 4.3 | Medium | 2026-03-26 |
| CVE-2026-21736 | GPU DDK - Insufficient permission check in PhysmemWrapExtMem() when write attribute support enabled | Graphics DDK | 7.1 (AI) | High (AI) | 2026-03-09 |
| CVE-2026-1772 | Hitachi Energy RTU500 Security Vulnerability | RTU500 series CMU firmware | 5.3 (AI) | Medium (AI) | 2026-02-24 |
| CVE-2026-23857 | Dell Update Package Framework Security Vulnerability | Update Package | 8.2 | High | 2026-02-12 |
| CVE-2025-67848 | Moodle: moodle: authentication bypass via lti provider allows suspended users to gain unauthorized access. | | 8.1 | High | 2026-02-03 |
| CVE-2026-20817 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Windows 10 Version 21H2 | 7.8 | High | 2026-01-13 |
| CVE-2025-64997 | Insufficient permission validation when showing agent information | Checkmk | 6.5 (AI) | Medium (AI) | 2025-12-18 |
| CVE-2025-58770 | TCG2 TPM RT Not Locked Issue | AptioV | 7.8 (AI) | High (AI) | 2025-12-12 |
| CVE-2025-58121 | Insufficient permission validation on multiple REST API endpoints | Checkmk | 8.8 (AI) | High (AI) | 2025-11-18 |
| CVE-2025-58122 | Insufficient permission validation when configuring notification parameters | Checkmk | 8.1 (AI) | High (AI) | 2025-11-18 |
| CVE-2025-58410 | GPU DDK - Multiple calls into PhysmemGEMPrimeExport can inherit write access permission for an existing read-only dma_buf import PMR | Graphics DDK | 7.8 (AI) | High (AI) | 2025-11-17 |
| CVE-2025-62510 | FileRise insecure folder visibility via name-based mapping and incomplete ACL checks | FileRise | 8.1 | High | 2025-10-20 |
| CVE-2025-62509 | FileRise improper ownership/permission validation allowed cross-tenant file operations | FileRise | 8.1 | High | 2025-10-20 |
| CVE-2025-62176 | Mastodon streaming server allows OAuth clients without the `read` scope to subscribe to public channels | mastodon | 4.3 | Medium | 2025-10-13 |
| CVE-2025-45376 | Dell Repository Manager Security Vulnerability | Dell Repository Manager (DRM) | 7.5 | High | 2025-09-29 |
| CVE-2025-58457 | Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands | Apache ZooKeeper | 8.8 (AI) | High (AI) | 2025-09-24 |
| CVE-2025-59040 | Tuleap backlog item representations do not verify the permissions of the child trackers | tuleap | 4.3 | Medium | 2025-09-18 |
| CVE-2025-50170 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2025-08-12 |
| CVE-2025-6573 | GPU DDK - RGXFW_CTL.pui8FWScratchBuf Leak/Overwrite | Graphics DDK | 5.5 | - | 2025-08-08 |
| CVE-2025-8109 | GPU DDK - GPU shader shared memory corrupted using ptrace to disrupt GPU operation | Graphics DDK | 7.1 (AI) | High (AI) | 2025-08-04 |
| CVE-2025-49731 | Microsoft Teams Elevation of Privilege Vulnerability | Microsoft Teams for Android | 3.1 | Low | 2025-07-08 |
| CVE-2025-27025 | Improper File Access in Infinera G42 | G42 | 8.8 | High | 2025-07-02 |
| CVE-2025-27024 | Improper File Access in Infinera G42 | G42 | 6.5 | Medium | 2025-07-02 |
| CVE-2025-46708 | GPU DDK - Guest VM can delay the FW and GPU from processing workloads from other VMs | Graphics DDK | 5.5 (AI) | Medium (AI) | 2025-06-27 |
| CVE-2025-22256 | Fortinet FortiPAM Security Vulnerability | FortiPAM | 6.0 | Medium | 2025-06-10 |

Vulnerabilities classified as CWE-280 (Improper Handling of Insufficient Permissions or Privileges) represent 108 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.