Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1913 vulnerabilities reference this CWE, most recent first.

GHSA-V6RP-6X79-XM3W

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

A vulnerability was determined in JPress up to 1.0.3. The affected element is an unknown function of the file /ucenter/article/doWriteSave of the component UCenter Article Submission Endpoint. Executing a manipulation of the argument id/userId can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-24T11:16:34Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was determined in JPress up to 1.0.3. The affected element is an unknown function of the file /ucenter/article/doWriteSave of the component UCenter Article Submission Endpoint. Executing a manipulation of the argument id/userId can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.",
  "id": "GHSA-v6rp-6x79-xm3w",
  "modified": "2026-05-26T13:30:33Z",
  "published": "2026-05-26T13:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9376"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JPressProjects/jpress/issues/194"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/813253"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/365339"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/365339/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V72X-M64H-3QFM

Vulnerability from github – Published: 2024-11-18 03:30 – Updated: 2024-11-18 03:30
VLAI
Details

A vulnerability, which was classified as critical, has been found in Altenergy Power Control Software up to 20241108. This issue affects some unknown processing of the file /index.php/display/database/. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other endpoints might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-18T02:15:15Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as critical, has been found in Altenergy Power Control Software up to 20241108. This issue affects some unknown processing of the file /index.php/display/database/. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other endpoints might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-v72x-m64h-3qfm",
  "modified": "2024-11-18T03:30:29Z",
  "published": "2024-11-18T03:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11306"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h0e4a0r1t/h0e4a0r1t.github.io/blob/master/2024/HYO%3BY)v%3B4%5C)jLCjp/Altenergy%20Power%20Control%20Software%20Information%20Disclosure%20Vulnerability_database.pdf"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.284915"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.284915"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.439804"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V77Q-XXPR-RX9G

Vulnerability from github – Published: 2026-05-26 21:32 – Updated: 2026-05-26 21:32
VLAI
Details

A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T21:16:45Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component.",
  "id": "GHSA-v77q-xxpr-rx9g",
  "modified": "2026-05-26T21:32:01Z",
  "published": "2026-05-26T21:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jeecgboot/JeecgBoot/issues/9597"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jeecgboot/JeecgBoot/issues/9597#issuecomment-4385501959"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jeecgboot/JeecgBoot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jeecgboot/JeecgBoot/releases/tag/v3.9.2"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/817892"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/365636"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/365636/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V7XW-8RMC-QV9F

Vulnerability from github – Published: 2025-03-16 00:35 – Updated: 2025-03-16 00:35
VLAI
Details

A vulnerability classified as problematic has been found in 274056675 springboot-openai-chatgpt e84f6f5. This affects the function deleteChat of the file /api/mjkj-chat/chat/ai/delete/chat of the component Chat History Handler. The manipulation of the argument chatListId leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2334"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-15T23:15:36Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic has been found in 274056675 springboot-openai-chatgpt e84f6f5. This affects the function deleteChat of the file /api/mjkj-chat/chat/ai/delete/chat of the component Chat History Handler. The manipulation of the argument chatListId leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-v7xw-8rmc-qv9f",
  "modified": "2025-03-16T00:35:23Z",
  "published": "2025-03-16T00:35:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2334"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.299799"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.299799"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.505688"
    },
    {
      "type": "WEB",
      "url": "https://www.cnblogs.com/aibot/p/18732182"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V89H-G8W6-9CRX

Vulnerability from github – Published: 2026-06-06 18:30 – Updated: 2026-06-06 18:30
VLAI
Details

A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11441"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-06T18:16:53Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.",
  "id": "GHSA-v89h-g8w6-9crx",
  "modified": "2026-06-06T18:30:22Z",
  "published": "2026-06-06T18:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11441"
    },
    {
      "type": "WEB",
      "url": "https://github.com/theonedev/onedev/releases/tag/v15.0.6"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-11441"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/822957"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/369021"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/369021/cti"
    },
    {
      "type": "WEB",
      "url": "https://www.cnblogs.com/aibot/p/19994142"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V8PP-H3J5-65XX

Vulnerability from github – Published: 2025-09-26 00:31 – Updated: 2025-09-26 00:31
VLAI
Details

A security flaw has been discovered in JeecgBoot up to 3.8.2. The affected element is an unknown function of the file /sys/user/exportXls of the component Filter Handler. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10978"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-25T23:15:48Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in JeecgBoot up to 3.8.2. The affected element is an unknown function of the file /sys/user/exportXls of the component Filter Handler. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-v8pp-h3j5-65xx",
  "modified": "2025-09-26T00:31:19Z",
  "published": "2025-09-26T00:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10978"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.325849"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.325849"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.653336"
    },
    {
      "type": "WEB",
      "url": "https://www.cnblogs.com/aibot/p/19063352"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V9R4-JMP3-CH5F

Vulnerability from github – Published: 2022-08-06 00:00 – Updated: 2022-08-09 00:00
VLAI
Details

Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp prior to 1.6.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2626"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-05T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Privilege Assignment in GitHub repository hestiacp/hestiacp prior to 1.6.6.",
  "id": "GHSA-v9r4-jmp3-ch5f",
  "modified": "2022-08-09T00:00:22Z",
  "published": "2022-08-06T00:00:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2626"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hestiacp/hestiacp/commit/b178b9719bb2c98cf8a6db70065086f596afad81"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/704aacc9-edff-4da5-90a6-4adf8dbf36fe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VCP7-8J9C-M23X

Vulnerability from github – Published: 2026-07-06 00:30 – Updated: 2026-07-06 00:30
VLAI
Details

A security vulnerability has been detected in SourceCodester Onlne Examination & Learning Management System 1.0. This affects an unknown part of the file /ajax_enroll.php of the component Enrollment Management. The manipulation of the argument student_id/schedule_id/action leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The name of the affected product appears to have a typo in it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-06T00:16:54Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability has been detected in SourceCodester Onlne Examination \u0026 Learning Management System 1.0. This affects an unknown part of the file /ajax_enroll.php of the component Enrollment Management. The manipulation of the argument student_id/schedule_id/action leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The name of the affected product appears to have a typo in it.",
  "id": "GHSA-vcp7-8j9c-m23x",
  "modified": "2026-07-06T00:30:23Z",
  "published": "2026-07-06T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14778"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuiifornet/A033/blob/main/OE-LMS-IDOR-ajax_enroll.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-14778"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/850695"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/376368"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/376368/cti"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VCVQ-XVXV-H8F5

Vulnerability from github – Published: 2026-01-15 15:31 – Updated: 2026-01-15 15:31
VLAI
Details

An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-15T13:16:05Z",
    "severity": "CRITICAL"
  },
  "details": "An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data.",
  "id": "GHSA-vcvq-xvxv-h8f5",
  "modified": "2026-01-15T15:31:17Z",
  "published": "2026-01-15T15:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22907"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VF4W-GG7R-X8MW

Vulnerability from github – Published: 2025-04-04 03:30 – Updated: 2025-04-04 03:30
VLAI
Details

A vulnerability classified as critical has been found in ageerle ruoyi-ai up to 2.0.0. Affected is an unknown function of the file ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/controller/system/SysNoticeController.java. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.1 is able to address this issue. The name of the patch is 6382e177bf90cc56ff70521842409e35c50df32d. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-04T03:15:13Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as critical has been found in ageerle ruoyi-ai up to 2.0.0. Affected is an unknown function of the file ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/controller/system/SysNoticeController.java. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.1 is able to address this issue. The name of the patch is 6382e177bf90cc56ff70521842409e35c50df32d. It is recommended to upgrade the affected component.",
  "id": "GHSA-vf4w-gg7r-x8mw",
  "modified": "2025-04-04T03:30:21Z",
  "published": "2025-04-04T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3202"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ageerle/ruoyi-ai/issues/44#issue-2957771318"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ageerle/ruoyi-ai/commit/6382e177bf90cc56ff70521842409e35c50df32d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tr0e/CVE_Hunter/blob/main/ruoyi-ai/ruoyi-ai_UnauthorizedAccess_02.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ageerle/ruoyi-ai/releases/tag/v2.0.1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.303156"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.303156"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.545866"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.