CWE-281: Improper Preservation of Permissions — known CVE vulnerabilities
CVEs classified under CWE-281 (Improper Preservation of Permissions), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2024-36532 — CVSS 10.0 (critical): Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's…
CVE-2024-56973 — CVSS 9.8 (critical): Insecure Permissions vulnerability in Alvaria, Inc Unified IP Unified Director before v.7.2SP2 allows a remote attacker to execute…
CVE-2024-46622 — CVSS 9.8 (critical): An Escalation of Privilege security vulnerability was found in SecureAge Security Suite software 7.0.x before 7.0.38, 7.1.x before 7.1.11…
CVE-2024-55507 — CVSS 9.8 (critical): An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component.
CVE-2024-54465 — CVSS 9.8 (critical): A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2. An app may be able to elevate…
CVE-2024-41650 — CVSS 9.8 (critical): Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute…
CVE-2024-41649 — CVSS 9.8 (critical): Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute…
CVE-2024-41648 — CVSS 9.8 (critical): Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute…
CVE-2024-41646 — CVSS 9.8 (critical): Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute…
CVE-2024-41645 — CVSS 9.8 (critical): Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute…
CVE-2024-41644 — CVSS 9.8 (critical): Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute…
CVE-2023-47463 — CVSS 9.8 (critical): Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via a…
CVE-2020-36070 — CVSS 9.8 (critical): Insecure Permission vulnerability found in Yoyager v.1.4 and before allows a remote attacker to execute arbitrary code via a crafted .php…
CVE-2021-33990 — CVSS 9.8 (critical): Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes…
CVE-2023-28668 — CVSS 9.8 (critical): Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.
CVE-2021-29971 — CVSS 9.8 (critical): If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port…
CVE-2020-18890 — CVSS 9.8 (critical): Rmote Code Execution (RCE) vulnerability in puppyCMS v5.1 due to insecure permissions, which could let a remote malicious user getshell via…
CVE-2018-4115 — CVSS 9.8 (critical): An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is…
CVE-2017-8589 — CVSS 9.8 (critical): Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold…
CVE-2025-43698 — CVSS 9.1 (critical): Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for…
CVE-2024-46310 — CVSS 9.1 (critical): Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via…
CVE-2024-54880 — CVSS 9.1 (critical): SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to register accounts…
CVE-2024-54879 — CVSS 9.1 (critical): SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members…
CVE-2023-34034 — CVSS 9.1 (critical): Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and…
CVE-2020-10083 — CVSS 9.1 (critical): GitLab 12.7 through 12.8.1 has Insecure Permissions. Under certain conditions involving groups, project authorization changes were not…
CVE-2026-44832 — CVSS 8.8 (high): Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate…
CVE-2025-34298 — CVSS 8.8 (high): Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user…
CVE-2025-25711 — CVSS 8.8 (high): An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the ProfileID value to the…
CVE-2024-53355 — CVSS 8.8 (high): Multiple incorrect access control issues in EasyVirt DCScope <= 8.6.0 and CO2Scope <= 1.3.0 allows remote authenticated attackers, with low…
CVE-2023-42228 — CVSS 8.8 (high): Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control. Low privileged users can edit their own ACL…
CVE-2024-54818 — CVSS 8.8 (high): SourceCodester Computer Laboratory Management System 1.0 is vulnerable to Incorrect Access Control. via /php-lms/admin/?page=user/list.
CVE-2024-50930 — CVSS 8.8 (high): An issue in Silicon Labs Z-Wave Series 500 v6.84.0 allows attackers to execute arbitrary code.
CVE-2024-50920 — CVSS 8.8 (high): Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to create a fake node via supplying crafted…
CVE-2023-41939 — CVSS 8.8 (high): Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users…
CVE-2023-34672 — CVSS 8.8 (high): Improper Access Control leads to adding a high-privilege user affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting…
CVE-2023-28161 — CVSS 8.8 (high): If temporary "one-time" permissions, such as the ability to use the Camera, were granted to a document loaded using a file: URL, that…
CVE-2023-31923 — CVSS 8.8 (high): Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. A vulnerability in the web application allows an authenticated attacker…
CVE-2022-38473 — CVSS 8.8 (high): A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access)…
CVE-2019-14841 — CVSS 8.8 (high): A flaw was found in the RHDM, where an authenticated attacker can change their assigned role in the response header. This flaw allows an…
CVE-2022-38577 — CVSS 8.8 (high): ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to…
CVE-2022-22472 — CVSS 8.8 (high): IBM Spectrum Protect Plus Container Backup and Restore (10.1.5 through 10.1.10.2 for Kubernetes and 10.1.7 through 10.1.10.2 for Red Hat…
CVE-2021-45008 — CVSS 8.8 (high): Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege Escalation from user to admin rights. OTE: the…
CVE-2021-32465 — CVSS 8.8 (high): An incorrect permission preservation vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a…
CVE-2021-3495 — CVSS 8.8 (high): An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker…
CVE-2020-2025 — CVSS 8.8 (high): Kata Containers before 1.11.0 on Cloud Hypervisor persists guest filesystem changes to the underlying image file on the host. A malicious…
CVE-2019-13727 — CVSS 8.8 (high): Insufficient policy enforcement in WebSockets in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass same origin policy…
CVE-2019-18457 — CVSS 8.8 (high): An issue was discovered in GitLab Community and Enterprise Edition 11.8 through 12.4 when handling Security tokens.. It has Insecure…
CVE-2019-13682 — CVSS 8.8 (high): Insufficient policy enforcement in external protocol handling in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass…
CVE-2017-8590 — CVSS 8.8 (high): Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold…