CVEs classified under CWE-648, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (47)
CVE-2026-41329 — CVSS 9.9 (critical): OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context…
CVE-2024-8785 — CVSS 9.8 (critical): In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an…
CVE-2024-11068 — CVSS 9.8 (critical): The D-Link DSL6740C modem has an Incorrect Use of Privileged APIs vulnerability, allowing unauthenticated remote attackers to modify any…
CVE-2023-4972 — CVSS 9.8 (critical): Incorrect Use of Privileged APIs vulnerability in Yepas Digital Yepas allows Collect Data as Provided by Users. This issue affects Digital…
CVE-2026-41225 — CVSS 9.1 (critical): A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create…
CVE-2026-41386 — CVSS 9.1 (critical): OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles…
CVE-2024-37018 — CVSS 9.1 (critical): The OpenDaylight 0.15.3 controller allows topology poisoning via API requests because an application can manipulate the path that is taken…
CVE-2023-29507 — CVSS 9.1 (critical): XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a…
CVE-2026-35669 — CVSS 8.8 (high): OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint…
CVE-2026-35663 — CVSS 8.8 (high): OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during…
CVE-2026-35639 — CVSS 8.8 (high): OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing…
CVE-2026-20126 — CVSS 8.8 (high): A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with low privileges to gain root privileges…
CVE-2025-5997 — CVSS 8.8 (high): Incorrect Use of Privileged APIs vulnerability in Beamsec PhishPro allows Privilege Abuse. This issue affects PhishPro: before 7.5.4.2.
CVE-2025-7344 — CVSS 8.8 (high): The EAI developed by Digiwin has a Privilege Escalation vulnerability, allowing remote attackers with regular privileges to elevate their…
CVE-2023-28062 — CVSS 8.8 (high): Dell PPDM versions 19.12, 19.11 and 19.10, contain an improper access control vulnerability. A remote authenticated malicious user with low…
CVE-2022-26323: Incorrect Use of Privileged APIs vulnerability in OpenText™ Operations Bridge Manager, OpenText™ Operations Bridge Suite…
CVE-2026-54424 — CVSS 8.4 (high): An Incorrect Use of Privileged APIs vulnerability in Unity Parsec on Windows hosts leads to a potential Elevation of Privilege. This issue…
CVE-2020-7927 — CVSS 8.1 (high): Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role…
CVE-2026-35625 — CVSS 7.8 (high): OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-auth reconnects auto-approve…
CVE-2024-32008 — CVSS 7.8 (high): A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to a…
CVE-2025-23375 — CVSS 7.8 (high): Dell PowerProtect Data Manager Reporting, version(s) 19.17, contain(s) an Incorrect Use of Privileged APIs vulnerability. A low privileged…
CVE-2024-22042 — CVSS 7.8 (high): A vulnerability has been identified in Unicam FX (All versions). The windows installer agent used in affected product contains incorrect…
CVE-2019-10216 — CVSS 7.8 (high): In ghostscript before version 9.50, the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass…
CVE-2019-3839 — CVSS 7.8 (high): It was found that in ghostscript some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially…
CVE-2026-11877 — CVSS 7.5 (high): An unauthorized user can modify configuration through API calls that affects the OpenText Access Manager. This issue affects Access Manager…
CVE-2023-4993 — CVSS 7.5 (high): Incorrect Use of Privileged APIs vulnerability in Utarit Information Technologies SoliPay Mobile App allows Collect Data as Provided by…
CVE-2023-6151 — CVSS 7.5 (high): Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users. This issue…
CVE-2023-6150 — CVSS 7.5 (high): Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users. This issue…
CVE-2023-6522 — CVSS 7.2 (high): Incorrect Use of Privileged APIs vulnerability in ExtremePacs Extreme XDS allows Collect Data as Provided by Users. This issue affects…
CVE-2025-1161 — CVSS 7.1 (high): Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege…
CVE-2022-20956 — CVSS 7.1 (high): A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker…
CVE-2022-24073 — CVSS 7.1 (high): The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users…
CVE-2022-24821 — CVSS 6.8 (medium): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global…
CVE-2026-22922 — CVSS 6.5 (medium): Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions…
CVE-2025-54767 — CVSS 6.5 (medium): An authenticated, read-only user can kill any processes running on the Xormon Original virtual appliance as the lpar2rrd user.
CVE-2024-46978 — CVSS 6.5 (medium): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing…
CVE-2024-53007 — CVSS 6.4 (medium): Bentley Systems ProjectWise Integration Server before 10.00.03.288 allows unintended SQL query execution by an authenticated user via an…
CVE-2019-3838 — CVSS 5.5 (medium): It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted…
CVE-2025-54768 — CVSS 5.3 (medium): An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web…
CVE-2025-54766 — CVSS 5.3 (medium): An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web…
CVE-2025-54765 — CVSS 5.3 (medium): An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web…
CVE-2025-0589 — CVSS 5.3 (medium): In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated…
CVE-2022-20965 — CVSS 4.3 (medium): A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, remote attacker to…
CVE-2022-24071 — CVSS 4.3 (medium): A Built-in extension in Whale browser before 3.12.129.46 allows attackers to compromise the rendering process which could lead to…