CWE-276
All CWE-276 CVEs (426)
Energy Services solutions using G5DFR contain default credentials, allowing attackers to gain control of the G5DFR component and tamper with device ou... (Jun 10, 2025)
A vsftpd misconfiguration vulnerability in H3C wireless devices allows anonymous FTP uploads to be owned by the root user. Remote attackers can exploi... (Jan 6, 2026)
Apache DolphinScheduler versions before 3.2.2 have incorrect default permissions that could allow unauthorized access to sensitive functionality or da... (Sep 3, 2025)
CVE-2014-7210 is a privilege escalation vulnerability in pdns-backend-mysql where Debian maintainer scripts grant excessive database permissions to th... (Jun 26, 2025)
This vulnerability allows a local attacker on managed ChromeOS devices to bypass extension management controls, disable existing extensions, and acces... (Jun 16, 2025)
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on Windows systems running the vulnerable SecureConnector agent. ... (May 13, 2025)
This CVE describes a permissions bypass vulnerability in Apple's Shortcuts app across multiple macOS and iPadOS versions. It allows malicious shortcut... (Mar 31, 2025)
This CVE describes a macOS permissions vulnerability where malicious applications can enable iCloud storage features without user consent. This affect... (Mar 31, 2025)
An integer overflow vulnerability in macOS allows local users to elevate privileges by exploiting improper input validation. This affects macOS Ventur... (Mar 31, 2025)
A sandbox escape vulnerability in Apple Mail allows malicious email content to bypass the 'Block All Remote Content' security setting. This could enab... (Mar 31, 2025)
CVE-2025-25535 is an HTTP response manipulation vulnerability in SCRIPT CASE v1.0.002 Build7 that allows remote attackers to escalate privileges by se... (Mar 26, 2025)
Insecure permissions in PipeCD v0.49 allow attackers to access the service account's authentication token, enabling privilege escalation within the Pi... (Mar 21, 2025)
CVE-2025-27682 is an insecure log permissions vulnerability in Vasion Print (formerly PrinterLogic) that allows local users to read sensitive log file... (Mar 5, 2025)
This vulnerability in Vasion Print (formerly PrinterLogic) allows unprivileged users to create symbolic links that can interact with files they should... (Mar 5, 2025)
Spotipy versions before 2.25.1 create cache files with overly permissive 644 permissions, exposing Spotify authentication tokens to other users or pro... (Feb 27, 2025)
A privilege escalation vulnerability in MaysWind ezBookkeeping 0.7.0 allows remote attackers to gain elevated privileges through manipulation of the t... (Feb 12, 2025)
An unauthenticated remote attacker can exploit the /auth/register initialization interface in Trojan versions 2.0.0 through 2.15.3 to escalate privile... (Feb 7, 2025)
This CVE describes a macOS permissions vulnerability where applications can access removable storage volumes without user consent. It affects macOS Ve... (Jan 27, 2025)
This vulnerability allows unauthenticated attackers to remotely configure the DMZ (Demilitarized Zone) service on affected D-Link routers via a crafte... (Jan 16, 2025)
CVE-2022-41572 is a privilege escalation vulnerability in EyesOfNetwork (EON) where nmap can be executed with root privileges, allowing attackers to g... (Jan 7, 2025)
COMFAST CF-WR630AX routers version 2.7.0.2 contain a hardcoded root password in /etc/shadow, allowing attackers to gain complete administrative contro... (Dec 10, 2024)
This vulnerability allows attackers to log in as root on affected WAVLINK routers using a hardcoded password stored in /etc/shadow. Anyone using WAVLI... (Dec 6, 2024)
OpenVidReview 1.0 has an authentication bypass vulnerability that allows unauthenticated users to upload files via the /upload route. This affects all... (Nov 27, 2024)
CVE-2018-9467 is an incorrect web origin determination vulnerability in Android's UriTest.java that allows attackers to bypass security decisions with... (Nov 20, 2024)
AVSCMS v8.2.0 uses weak default credentials for the Administrator account, allowing attackers to gain administrative access to the CMS. This affects a... (Nov 18, 2024)
CVE-2022-30355 is an account takeover vulnerability in OvalEdge data governance platform where authenticated users can modify other users' profiles vi... (Oct 25, 2024)
This vulnerability allows remote attackers to perform local file inclusion via the PassageAutoServer.php page in Automatic Systems Maintenance SlimLan... (Oct 14, 2024)
AWS Amplify CLI versions before 12.10.1 incorrectly configure IAM role trust policies when removing the Authentication component, leaving sts:AssumeRo... (Apr 15, 2024)
CVE-2023-46773 is a permission management vulnerability in Huawei's PMS (Package Management Service) module that allows local attackers to escala... (Dec 6, 2023)
This vulnerability allows remote attackers to execute arbitrary code on GL.iNet AX1800 routers by exploiting insecure permissions in the file sharing ... (Nov 29, 2023)
Concrete CMS versions before 8.5.13 and 9.x before 9.2.2 create directories with insecure default permissions (0777), allowing unauthorized access. Th... (Nov 17, 2023)
This vulnerability allows unauthenticated attackers to bypass password reset controls in EMSigner v2.8.7, enabling them to access any user account inc... (Nov 14, 2023)
This vulnerability in TSplus Remote Access allows attackers to modify theme directories with 'Everyone' Full Control permissions, potentially enabling... (Sep 11, 2023)
This vulnerability in Samsung Exynos modem chips allows malicious applications to query RCS (Rich Communication Services) capabilities without proper ... (Jun 7, 2023)
SoLive Android app versions 1.6.14 through 1.6.20 have an exposed component that allows attackers to modify SharedPreference files. This can lead to v... (May 30, 2023)
CVE-2023-26918 is a privilege escalation vulnerability in Diasoft File Replication Pro 7.5.0 where the installation directory has overly permissive 'E... (Apr 14, 2023)
CVE-2021-34182 is a critical vulnerability in ttyd v1.6.3 that allows attackers to execute arbitrary code due to insecure default configuration permis... (Feb 17, 2023)
CVE-2022-28932 is a critical vulnerability in D-Link DSL-G2452DG routers where insecure permissions allow attackers to bypass authentication and gain ... (May 23, 2022)
CVE-2022-27919 is a critical remote code execution vulnerability in Gradle Enterprise that allows attackers to execute arbitrary code on affected syst... (Mar 25, 2022)
This vulnerability in debian-edu-config versions before 2.12.16 sets insecure permissions for user web shares (~/public_html), allowing local users to... (Feb 11, 2022)
eliteCMS v1.0 has an insecure permissions vulnerability in manage_uploads.php that allows attackers to bypass authentication and access administrative... (Feb 1, 2022)
Laundry Booking Management System 1.0 and previous versions contain a remote code execution vulnerability in profile.php via the 'image' parameter. At... (Jan 10, 2022)
A kernel crash vulnerability in Huawei smartphones allows local attackers to escalate privileges. This affects Huawei smartphone users running vulnera... (Oct 28, 2021)
Nagios XI versions before 5.8.5 have incorrect permissions on migrate.php, allowing unauthorized access. This vulnerability affects Nagios XI monitori... (Sep 28, 2021)
CVE-2021-36365 is a critical privilege escalation vulnerability in Nagios XI where the repairmysql.sh script has incorrect file permissions. This allo... (Sep 28, 2021)
CVE-2021-27193 is a critical vulnerability in Netop Vision Pro's API that allows remote unauthenticated attackers to read and write files with SYSTEM ... (Mar 25, 2021)
The SeTracker2 app for TK-Star Q90 Junior GPS watches requests excessive Android permissions (READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, READ_CONT... (Feb 1, 2021)
CVE-2020-13452 is an insecure permissions vulnerability in Gotenberg where the tini process manager file is writable by the gotenberg user, allowing a... (Jan 7, 2021)
This vulnerability allows a local attacker to execute malicious code on Mitsubishi Electric FA engineering software when installed in non-default fold... (Sep 20, 2023)
CVE-2025-49084 allows attackers with administrative access to the Absolute Secure Access management console to overwrite policy rules without proper a... (Jul 31, 2025)
About CWE-276
Our database tracks 426 CVEs classified as CWE-276, with 59 rated critical and 273 rated high severity. The average CVSS score for CWE-276 vulnerabilities is 7.6.