Incorrect-Authorization

CVE-2026-33519 is a critical vulnerability in Esri Portal for ArcGIS 11.4, 11.5, and 12.0, where incorrect authorization checks on developer credentials can lead to unauthorized privilege escalation on Windows, Linux, and Kubernetes deployments.

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes, potentially allowing client applications to gain access beyond their intended authorization level due to improper authorization checks.

CVE-2026-4639 is an Incorrect Authorization vulnerability in Galaxy Software Services' Vitals ESP, allowing authenticated remote attackers to perform administrative functions and escalate privileges.