Summary of 5572 CVE vulnerabilities in the CWE-862 (Missing Authorization) weakness class, with AI-generated Chinese analysis.
CWE-862 is the Missing Authorization weakness: the product does not perform an authorization check when a user accesses a resource or performs an action. Attackers typically bypass front-end restrictions by modifying request parameters directly or crafting malicious URLs, gaining access to unauthorized data or performing sensitive operations. Developers should not rely on client-side validation alone; every request must be subject to strict authentication and authorization checks on the server, so that users can reach only the resources they are authorized for and the risk of broken access control is removed at its root.
Demonstrative examples from the CWE-862 entry. Both snippets are deliberately vulnerable: they authenticate the user or query the database, but never check that the requester is authorized for the specific record being returned.

In the PHP example, any caller can look up any employee's record by name; nothing verifies that the current user is allowed to view it:

```php
<?php
function runEmployeeQuery($dbName, $name) {
    global $globalDbHandle;  // PDO connection opened at application startup
    if ($globalDbHandle->exec('USE `' . $dbName . '`') === false) {
        die("Could not open Database" . $dbName);
    }
    // Use a prepared statement to avoid CWE-89
    $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');
    $preparedStatement->execute(array(':name' => $name));
    return $preparedStatement->fetchAll();
}
/* ... */
// Missing authorization (CWE-862): the requester's right to view this record is never checked
$employeeRecord = runEmployeeQuery('EmployeeDB', $_GET['EmployeeName']);
```

In the Perl example, the user is authenticated, but the message id is taken straight from the request and never compared against the messages that user actually owns:

```perl
use strict;
use warnings;
use CGI;

# LookupMessageObject, encodeHTML, AuthenticateUser and ExitError are defined elsewhere
sub DisplayPrivateMessage {
    my ($id) = @_;
    my $Message = LookupMessageObject($id);
    print "From: " . encodeHTML($Message->{from}) . "<br>\n";
    print "Subject: " . encodeHTML($Message->{subject}) . "\n";
    print "<hr>\n";
    print "Body: " . encodeHTML($Message->{body}) . "\n";
}

my $q = CGI->new;
# For purposes of this example, assume that CWE-309 and
# CWE-523 do not apply.
if (!AuthenticateUser($q->param('username'), $q->param('password'))) {
    ExitError("invalid username or password");
}

# Missing authorization (CWE-862): any authenticated user can read any message id
my $id = $q->param('id');
DisplayPrivateMessage($id);
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-39816 | Apache NiFi TinkerpopClientService missing authorization vulnerability — Apache NiFi | - | - | 2026-05-08 |
| CVE-2026-44125 | GinAv2 missing authorization vulnerability — Secure Email Gateway | - | - | 2026-05-08 |
| CVE-2026-8077 | CashDro 3 web administration panel weak credentials vulnerability — CashDro 3 Administration Panel | - | - | 2026-05-08 |
| CVE-2026-41498 | Kimai Team API missing object-level authorization — kimai | 3.3 | Low | 2026-05-08 |
| CVE-2026-27416 | WordPress PDF Poster plugin <= 2.4.1 access control vulnerability — PDF Poster | 5.3 | Medium | 2026-05-07 |
| CVE-2025-66105 | WordPress Bus Ticket Booking < 5.6.8 access control vulnerability — Bus Ticket Booking with Seat Reservation | 5.3 | Medium | 2026-05-07 |
| CVE-2026-25436 | WordPress Royal Elementor Addons < 1.7.1053 access control flaw — Royal Elementor Addons | 5.3 | Medium | 2026-05-07 |
| CVE-2026-6214 | Forminator <= 1.53.0 unauthorized scheduled form export vulnerability — Forminator Forms – Contact Form, Payment Form & Custom Form Builder | 6.5 | Medium | 2026-05-07 |
| CVE-2026-41658 | Admidio inventory module missing authorization allows deletion — admidio | 6.5 | Medium | 2026-05-07 |
| CVE-2026-4807 | Appointment Booking Calendar 1.6.10.6 unauthorized viewing, modification and deletion of arbitrary appointments — Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | 6.5 | Medium | 2026-05-07 |
| CVE-2026-6222 | Forminator Forms <= 1.51.1 sensitive information disclosure vulnerability — Forminator Forms – Contact Form, Payment Form & Custom Form Builder | 5.3 | Medium | 2026-05-07 |
| CVE-2026-43583 | OpenClaw 2026.4.10 through 2026.4.14 group policy context loss vulnerability — OpenClaw | 5.3 | Medium | 2026-05-06 |
| CVE-2026-43579 | OpenClaw < 2026.4.10 insufficient access control on Nostr profile change route — OpenClaw | 6.5 | Medium | 2026-05-06 |
| CVE-2026-43580 | OpenClaw < 2026.4.10 incomplete browser interaction navigation guard vulnerability — OpenClaw | 7.7 | High | 2026-05-06 |
| CVE-2026-43577 | OpenClaw < 2026.4.9 arbitrary file read vulnerability — OpenClaw | 6.5 | Medium | 2026-05-06 |
| CVE-2026-43575 | OpenClaw sandbox noVNC helper route authentication bypass vulnerability — OpenClaw | 9.8 | Critical | 2026-05-06 |
| CVE-2026-20189 | Cisco Prime Infrastructure information disclosure vulnerability — Cisco Prime Infrastructure | 4.3 | Medium | 2026-05-06 |
| CVE-2026-20193 | Cisco Identity Services Engine authentication bypass vulnerability — Cisco Identity Services Engine Software | 4.3 | Medium | 2026-05-06 |
| CVE-2026-2306 | Ninja Tables <= 5.2.6 arbitrary table creation vulnerability — Ninja Tables – Easy Data Table Builder | 4.3 | Medium | 2026-05-06 |
| CVE-2026-5753 | All-in-One WP Migration Unlimited Extension 2.83 authentication bypass vulnerability — All-in-One WP Migration Unlimited Extension | 6.5 | Medium | 2026-05-06 |
| CVE-2026-3208 | Mercado Pago payments for WooCommerce <= 8.7.11 unauthorized PIX QR code disclosure — Mercado Pago payments for WooCommerce | 5.3 | Medium | 2026-05-06 |
| CVE-2026-33420 | Vaultwarden Manager-role users can enumerate all collections — vaultwarden | - | - | 2026-05-05 |
| CVE-2026-43573 | OpenClaw < 2026.4.10 SSRF bypass in existing-session browser interaction route — OpenClaw | 7.7 | High | 2026-05-05 |
| CVE-2026-43572 | OpenClaw 2026.4.10-2026.4.14 Microsoft Teams SSO token missing sender authorization — OpenClaw | 5.3 | Medium | 2026-05-05 |
| CVE-2026-43568 | OpenClaw 2026.4.5-2026.4.10 broken access control vulnerability — OpenClaw | 6.5 | Medium | 2026-05-05 |
| CVE-2026-43567 | OpenClaw < 2026.4.10 path traversal vulnerability — OpenClaw | 6.5 | Medium | 2026-05-05 |
| CVE-2026-42439 | OpenClaw 2026.4.10 browser tab SSRF bypass vulnerability — OpenClaw | 8.5 | High | 2026-05-05 |
| CVE-2026-42436 | OpenClaw < 2026.4.14 internal page content disclosure vulnerability — OpenClaw | 7.7 | High | 2026-05-05 |
| CVE-2026-42433 | OpenClaw < 2026.4.10 unauthorized persistent Matrix configuration access vulnerability — OpenClaw | 6.5 | Medium | 2026-05-05 |
| CVE-2026-3601 | User Registration & Membership <= 5.1.4 unauthorized page content modification vulnerability — User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | 4.3 | Medium | 2026-05-05 |
CWE-862 (Missing Authorization) is a common weakness class; this platform indexes 5572 CVE vulnerabilities associated with it.