CWE-284: Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Total CVEs: 1,303
Critical: 214
High: 553
Avg CVSS: 7.2
In CISA KEV: 2

Yearly Trend (CVEs by year)

2026: 123
2025: 669
2024: 305
2023: 121
2022: 36

Top Affected Vendors (CVE count)

1. Microsoft (84)
2. Apple (79)
3. Oracle (57)
4. Intel (32)
5. Cisco (21)
6. Adobe (20)
7. Dell (19)
8. Fabian (17)
9. Mattermost (12)
10. Campcodes (11)

All Improper Access Control CVEs (1,303 total; 50 shown here, highest CVSS first)

CVE-2023-21985 | CVSS 7.7 | Apr 18, 2023
This vulnerability in Oracle Solaris allows a high-privileged attacker with local access to compromise the system through a utility component. It requ...

CVE-2022-27838 | CVSS 7.7 | Apr 11, 2022
This vulnerability allows attackers to bypass access controls in Samsung's FactoryCamera app, enabling unauthorized access to files with system-level ...

CVE-2025-24857 | CVSS 7.6 | Dec 10, 2025
This vulnerability allows attackers to bypass access controls in U-Boot bootloader's volatile memory, potentially executing arbitrary code during syst...

CVE-2025-43862 | CVSS 7.6 | Apr 25, 2025
CVE-2025-43862 is an access control vulnerability in Dify that allows normal users to access and modify APP orchestration features that should be rest...

CVE-2024-21195 | CVSS 7.6 | Oct 15, 2024
This vulnerability in Oracle BI Publisher allows authenticated attackers with low privileges to access, modify, or delete sensitive data, and cause pa...

CVE-2024-46607 | CVSS 7.6 | Sep 25, 2024
This vulnerability allows attackers to bypass authentication in IceCMS by entering any arbitrary values as username and password in the admin login en...

CVE-2024-36443 | CVSS 7.6 | Aug 22, 2024
Swissphone DiCal-RED 4009 devices have an anonymous FTP service that allows remote attackers to read almost the entire file system without authenticat...

CVE-2022-34453 | CVSS 7.6 | Aug 3, 2023
Dell XtremIO X2 XMS versions before 6-4-1.11 have an improper access control vulnerability where remote read-only users can perform add/delete QoS pol...

CVE-2023-35927 | CVSS 7.6 | Jun 23, 2023
This vulnerability allows a malicious Nextcloud server to modify or delete VCards in the system addressbook on a trusted partner server. It affects Ne...

CVE-2024-55019 | CVSS 7.5 | Mar 3, 2026
This vulnerability allows unauthenticated attackers to download arbitrary files from Weintek cMT-3072XH2 HMI devices via the download_wb.cgi component...

CVE-2026-25231 | CVSS 7.5 | Feb 9, 2026
FileRise versions before 3.3.0 have an unauthenticated file read vulnerability where anyone can access files in the /uploads directory without authent...

CVE-2026-25758 | CVSS 7.5 | Feb 6, 2026
A critical IDOR vulnerability in Spree Commerce allows guest users to manipulate address ID parameters during checkout, bypassing ownership validation...

CVE-2025-70986 | CVSS 7.5 | Jan 23, 2026
This vulnerability in RuoYi v4.8.2 allows unauthorized attackers to bypass access controls in the selectDept function, enabling them to access sensiti...

CVE-2025-69908 | CVSS 7.5 | Jan 23, 2026
An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly acce...

CVE-2025-69907 | CVSS 7.5 | Jan 23, 2026
An unauthenticated information disclosure vulnerability in Newgen OmniDocs allows remote attackers to access the /omnidocs/GetListofCabinet API endpoi...

CVE-2026-20736 | CVSS 7.5 | Jan 22, 2026
This vulnerability in Gitea allows users who previously uploaded attachments to a repository to delete those attachments even after losing access to t...

CVE-2026-21982 | CVSS 7.5 | Jan 20, 2026
This vulnerability in Oracle VM VirtualBox allows an unauthenticated attacker on the same physical network segment to potentially take complete contro...

CVE-2026-21984 | CVSS 7.5 | Jan 20, 2026
This vulnerability in Oracle VM VirtualBox allows a high-privileged attacker with local access to the host system to potentially compromise the virtua...

CVE-2025-64516 | CVSS 7.5 | Jan 15, 2026
This vulnerability allows unauthorized users to access documents attached to any item in GLPI (tickets, assets, etc.). If the public FAQ feature is en...

CVE-2026-22909 | CVSS 7.5 | Jan 15, 2026
This vulnerability allows unauthorized access to system functions that control installed applications. Attackers can start, stop, or delete applicatio...

CVE-2026-21889 | CVSS 7.5 | Jan 14, 2026
CVE-2026-21889 is an improper access control vulnerability in Weblate where screenshot images were served directly by the HTTP server without authenti...

CVE-2026-20929 | CVSS 7.5 | Jan 13, 2026
This vulnerability in Windows HTTP.sys allows authenticated attackers to escalate privileges over a network connection. It affects Windows systems run...

CVE-2026-0386 | CVSS 7.5 | Jan 13, 2026
This vulnerability allows an unauthorized attacker on an adjacent network to execute arbitrary code on Windows systems running vulnerable Windows Depl...

CVE-2025-67014 | CVSS 7.5 | Dec 26, 2025
This vulnerability allows unauthenticated attackers to access administrative endpoints in DEV Systemtechnik GmbH's DEV 7113 RF over Fiber Distribution...

CVE-2025-67015 | CVSS 7.5 | Dec 26, 2025
This vulnerability allows attackers to change the Administrator password and escalate privileges on Comtech EF Data CDM-625/CDM-625A satellite modems ...

CVE-2025-66735 | CVSS 7.5 | Dec 22, 2025
CVE-2025-66735 is an access control vulnerability in youlai-boot V2.21.1 where the getRoleForm function lacks proper permission checks. This allows no...

CVE-2025-63663 | CVSS 7.5 | Dec 22, 2025
This vulnerability allows unauthorized attackers to access other users' uploaded files through the /api/v1/conversations/*/files API in GT Edge AI Pla...

CVE-2025-63664 | CVSS 7.5 | Dec 22, 2025
This vulnerability allows unauthorized attackers to access other users' message history with AI agents through an incorrect access control flaw in the...

CVE-2025-63387 | CVSS 7.5 | EPSS 15.5% | Dec 18, 2025
CVE-2025-63387 is an insecure permissions vulnerability in Dify v1.9.1 that allows unauthenticated attackers to access the /console/api/system-feature...

CVE-2025-65176 | CVSS 7.5 | Dec 15, 2025
Dynatrace OneAgent versions before 1.325.47 automatically retry failed network share access attempts using all available user tokens, enabling NTLM re...

CVE-2025-65779 | CVSS 7.5 | Dec 15, 2025
CVE-2025-65779 is an improper access control vulnerability in Wekan that allows unauthenticated attackers to modify the sort order of boards. This aff...

CVE-2025-65795 | CVSS 7.5 | Dec 8, 2025
This vulnerability allows unauthenticated attackers to create arbitrary user accounts in usememos memos v0.25.2 by exploiting incorrect access control...

CVE-2025-63363 | CVSS 7.5 | Dec 4, 2025
This vulnerability allows attackers to execute de-authentication attacks against Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway ...

CVE-2025-57210 | CVSS 7.5 | Dec 4, 2025
This vulnerability allows attackers to bypass access controls in the ApiPayController component of platform v1.0.0, potentially exposing sensitive inf...

CVE-2025-57212 | CVSS 7.5 | Dec 4, 2025
This vulnerability in the ApiOrderService.java component of platform v1.0.0 allows attackers to bypass access controls and retrieve sensitive informat...

CVE-2025-57213 | CVSS 7.5 | Dec 4, 2025
This vulnerability allows attackers to bypass access controls in the orderService.queryObject component of platform v1.0.0, enabling unauthorized acce...

CVE-2025-55749 | CVSS 7.5 | Dec 1, 2025
This vulnerability in XWiki Jetty package (XJetty) exposes a context that allows static access to any file in the webapp/ folder. Attackers can potent...

CVE-2025-55471 | CVSS 7.5 | Nov 26, 2025
An incorrect access control vulnerability in youlai-boot v2.21.1 allows attackers to bypass authorization checks in the getUserFormData function, enab...

CVE-2025-54563 | CVSS 7.5 | Nov 24, 2025
An incorrect access control vulnerability in Desktop Alert PingAlert Application Server versions 6.1.0.11 to 6.1.1.2 allows unauthorized remote attack...

CVE-2025-54338 | CVSS 7.5 | Nov 24, 2025
An incorrect access control vulnerability in Desktop Alert PingAlert Application Server versions 6.1.0.11 to 6.1.1.2 allows attackers to access and di...

CVE-2025-41737 | CVSS 7.5 | Nov 18, 2025
This vulnerability allows unauthenticated remote attackers to read PHP module source code due to webserver misconfiguration. It affects systems runnin...

CVE-2025-63667 | CVSS 7.5 | Nov 12, 2025
This vulnerability allows attackers to bypass authentication and access sensitive API endpoints in SIMICAM, KEVIEW, and ASECAM software. Any organizat...

CVE-2025-64347 | CVSS 7.5 | Nov 7, 2025
Apollo Router Core versions 1.61.12-rc.0 and below and 2.8.1-rc.0 and below have an access control bypass vulnerability. When schema elements with acc...

CVE-2025-64110 | CVSS 7.5 | Nov 5, 2025
A logic bug in Cursor AI code editor versions 1.7.23 and below allows malicious agents to bypass file protection mechanisms. Attackers who achieve pro...

CVE-2025-43502 | CVSS 7.5 | Nov 4, 2025
This CVE describes a privacy bypass vulnerability in Apple operating systems where applications can circumvent certain privacy preferences, potentiall...

CVE-2025-43413 | CVSS 7.5 | Nov 4, 2025
This vulnerability allows sandboxed applications on Apple operating systems to observe system-wide network connections, potentially exposing sensitive...

CVE-2025-63423 | CVSS 7.5 | Oct 30, 2025
The Italy Wireless Mini Router WIRELESS-N 300M stores the administrator password insecurely, allowing unauthorized access to the device's administrati...

CVE-2025-61114 | CVSS 7.5 | Oct 30, 2025
This vulnerability allows attackers to bypass authentication in the 2nd Line Android app by brute-forcing user tokens, since the server only validates...

CVE-2025-61120 | CVSS 7.5 | Oct 30, 2025
The AG Life Logger Android app exposes credentials in network traffic and uses predictable verification codes, allowing attackers to intercept authent...

CVE-2025-61113 | CVSS 7.5 | Oct 30, 2025
The TalkTalk 3.3.6 Android app contains improper access control vulnerabilities in multiple API endpoints. Attackers can modify request parameters to ...

About Improper Access Control (CWE-284)


Our database tracks 1,303 CVEs classified as CWE-284, with 214 rated critical and 553 rated high severity. The average CVSS score for Improper Access Control vulnerabilities is 7.2, and 2 of them appear in the CISA Known Exploited Vulnerabilities (KEV) catalog.
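Three shapes of CWE-284 recur throughout the entries above: an object-level check that is never made (the Spree address-ID IDOR, the GT Edge AI conversation files), a privileged function with no role check (youlai-boot getRoleForm and getUserFormData, RuoYi selectDept), and authorization that was evaluated once at creation time and never again (Gitea attachment deletion after losing repository access). The following is an added Python example, not code from any of the projects on this page, showing each shape as a vulnerable handler beside its fixed form. The Store fixture, the Forbidden exception, the handler names and all data are constructed for the example.

```python
# Added example (not from any project listed on this page): three minimal
# CWE-284 patterns, each as a vulnerable handler next to its fixed form.
# All data is constructed in-memory; no web framework is assumed.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authorization check refuses the request."""


@dataclass
class Store:
    addresses: dict = field(default_factory=dict)    # id -> (owner, street)
    roles: dict = field(default_factory=dict)        # user -> "user" | "admin"
    members: dict = field(default_factory=dict)      # project -> set of users
    attachments: dict = field(default_factory=dict)  # id -> (project, uploader)


def sample_store():
    """Constructed fixture: bob uploaded to 'proj' but is no longer a member."""
    s = Store()
    s.addresses = {1: ("alice", "1 Main St"), 2: ("bob", "2 Oak Ave")}
    s.roles = {"alice": "user", "bob": "user", "carol": "admin"}
    s.members = {"proj": {"alice", "carol"}}
    s.attachments = {10: ("proj", "bob")}
    return s


# 1. Missing object-level check (IDOR): the record is looked up by the id the
#    client supplied and its owner is never compared with the caller.
def get_address_vulnerable(store, caller, address_id):
    _owner, street = store.addresses[address_id]
    return street


def get_address_fixed(store, caller, address_id):
    rec = store.addresses.get(address_id)
    # An unknown id and someone else's id fail identically, so the endpoint
    # cannot be used to enumerate which ids exist.
    if rec is None or rec[0] != caller:
        raise Forbidden("address not accessible")
    return rec[1]


# 2. Missing function-level check: an administrative read is reachable by any
#    user because the handler never consults the caller's role.
def get_role_form_vulnerable(store, caller, target_user):
    return store.roles[target_user]


def get_role_form_fixed(store, caller, target_user):
    if store.roles.get(caller) != "admin":
        raise Forbidden("admin only")
    return store.roles[target_user]


# 3. Stale authorization: the delete is gated on who uploaded the file, a fact
#    fixed at upload time, instead of on the caller's current rights.
def delete_attachment_vulnerable(store, caller, attachment_id):
    _project, uploader = store.attachments[attachment_id]
    if caller != uploader:
        raise Forbidden("not the uploader")
    del store.attachments[attachment_id]
    return True


def delete_attachment_fixed(store, caller, attachment_id):
    project, _uploader = store.attachments[attachment_id]
    # Re-evaluate membership on every request: revoking access to the project
    # must revoke every capability that was derived from it.
    if caller not in store.members.get(project, set()):
        raise Forbidden("no current access to project")
    del store.attachments[attachment_id]
    return True


def denied(handler, *args):
    """True if the handler refuses the request on a fresh fixture, else False."""
    try:
        handler(sample_store(), *args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # For each pair the vulnerable handler serves the request and the fixed one refuses it.
    for label, vuln, fixed, args in [
        ("bob reads alice's address", get_address_vulnerable, get_address_fixed, ("bob", 1)),
        ("alice reads an admin form", get_role_form_vulnerable, get_role_form_fixed, ("alice", "carol")),
        ("ex-member bob deletes attachment", delete_attachment_vulnerable, delete_attachment_fixed, ("bob", 10)),
    ]:
        print(f"{label}: vulnerable denied={denied(vuln, *args)}, fixed denied={denied(fixed, *args)}")
```

The fixed handlers share one property worth checking in any review of a CWE-284 finding: the decision is made from the caller's identity and current rights at the moment of the request, against the specific object being touched, not from an attribute the client controls or a fact recorded earlier.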

External reference: CWE-284 on MITRE CWE (https://cwe.mitre.org/data/definitions/284.html)
