CWE-284: Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Total CVEs: 1,310
Critical: 216
High: 557
Avg CVSS: 7.2
In CISA KEV: 2

Yearly Trend

2026: 124
2025: 669
2024: 305
2023: 121
2022: 36

Top Affected Vendors

1. Microsoft (84)
2. Apple (79)
3. Oracle (57)
4. Intel (32)
5. Cisco (22)
6. Adobe (21)
7. Dell (19)
8. Fabian (17)
9. Mattermost (12)
10. Campcodes (11)

All Improper Access Control CVEs (1,310 total; the first 50 are listed below)

CVE-2026-20883
6.5

This vulnerability allows users with revoked access to private Gitea repositories to still view issue titles and repository names through previously s...

Jan 22, 2026
CVE-2025-66911
6.5

This vulnerability in Turms IM Server allows any authenticated user to query the online status, device information, and login timestamps of arbitrary ...

Dec 19, 2025
CVE-2025-65797
6.5

This vulnerability allows attackers with low-level privileges in usememos memos v0.25.2 to modify or delete identity providers, potentially leading to...

Dec 8, 2025
CVE-2025-65097
6.5

This vulnerability allows authenticated users in RomM (ROM Manager) to delete collections belonging to other users by sending a DELETE request to the ...

Dec 3, 2025
CVE-2025-65238
6.5

This vulnerability allows attackers with low-level privileges in OpenCode Systems USSD Gateway to bypass access controls and dump user records contain...

Nov 26, 2025
CVE-2025-63214
6.5

This vulnerability allows unauthorized attackers to create and delete arbitrary user accounts in bridgetech VBC Server & Element Manager firmware vers...

Nov 19, 2025
CVE-2025-56499
6.5

This vulnerability in mihomo v1.19.11 allows authenticated attackers with low-level privileges to read arbitrary files with elevated privileges by ext...

Nov 18, 2025
CVE-2025-60876
6.5

BusyBox wget versions through 1.3.7 improperly accept raw CR/LF and C0 control characters in HTTP request targets, allowing attackers to split request...

Nov 10, 2025
CVE-2025-63686
6.5

This CVE describes an arbitrary file download vulnerability in GuoMinJim PersonManage software. Attackers can download arbitrary files from the server...

Nov 7, 2025
CVE-2025-12808
6.5

An improper access control vulnerability in Devolutions Server allows users with 'View-only' permissions to access sensitive nested password fields th...

Nov 6, 2025
CVE-2025-54970
6.5

An authentication bypass vulnerability in BAE SOCET GXP Job Status Service allows unauthorized users to abort jobs or access job information without p...

Oct 27, 2025
CVE-2025-50075
6.5

This vulnerability in Oracle Financial Services Revenue Management and Billing allows authenticated attackers with low privileges to access sensitive ...

Oct 21, 2025
CVE-2025-53035
6.5

This vulnerability in Oracle Financial Services Analytical Applications Infrastructure allows authenticated attackers with low privileges to access se...

Oct 21, 2025
CVE-2025-60427
6.5

LibreTime 3.0.0-alpha.10 and earlier versions have a broken access control vulnerability where users with DJ role can access analytics data they shoul...

Oct 21, 2025
CVE-2025-37136
6.5

This vulnerability allows authenticated remote attackers to delete arbitrary files on Aruba AOS-8 Controller/Mobility Conductor systems via the comman...

Oct 14, 2025
CVE-2025-37137
6.5

This vulnerability allows authenticated remote attackers to delete arbitrary files on Aruba AOS-8 Controller/Mobility Conductor systems through the co...

Oct 14, 2025
CVE-2025-20366
6.5

A low-privileged user in Splunk Enterprise or Splunk Cloud Platform can access sensitive search results by guessing the unique Search ID (SID) of admi...

Oct 1, 2025
CVE-2025-55797
6.5

An improper access control vulnerability in FormCms v0.5.4 allows unauthenticated attackers to access historical schema data through the /api/schemas/...

Sep 30, 2025
CVE-2025-44178
6.5

DASAN GPON ONU H660WM routers with firmware version H660WMR210825 have improper access control in default settings, allowing attackers to access sensi...

Aug 25, 2025
CVE-2025-29524
6.5

This vulnerability allows attackers to bypass access controls on DASAN GPON ONU H660WM devices, exposing sensitive system information through the /cgi...

Aug 25, 2025
CVE-2024-46412
6.5

This vulnerability allows attackers to bypass authentication in Rebuild v3.7.7 by sending a specially crafted GET request to the /commons/ip-location ...

Aug 25, 2025
CVE-2025-50861
6.5

The Lotus Cars Android app version 1.2.8 contains an exported component (PushDeepLinkActivity) that can be accessed without authentication via ADB or ...

Aug 14, 2025
CVE-2025-24323
6.5

This vulnerability allows a privileged user with local access to potentially escalate privileges through improper access control in Intel PCIe Switch ...

Aug 12, 2025
CVE-2024-42048
6.5

This vulnerability in OpenOrange Business Framework 1.15.5 allows authenticated users to write to the installation directory, enabling DLL hijacking d...

Aug 7, 2025
CVE-2025-51054
6.5

Vedo Suite 2024.17 has an authentication bypass vulnerability where unauthenticated attackers can obtain high-privilege JWT tokens by sending empty PO...

Aug 6, 2025
CVE-2025-51627
6.5

CVE-2025-51627 is an improper access control vulnerability in CaricaVerbale component of Agenzia Impresa Eccobook v2.81.1 that allows authenticated at...

Aug 5, 2025
CVE-2025-51060
6.5

This vulnerability in CPUID cpuz.sys driver allows attackers to execute arbitrary code with kernel privileges by exploiting unvalidated DeviceIoContro...

Aug 5, 2025
CVE-2025-43980
6.5

FIRSTNUM JC21A-04 devices have SSH enabled by default with hardcoded root/admin credentials that cannot be disabled via the GUI. This allows attackers...

Aug 5, 2025
CVE-2025-52166
6.5

This vulnerability allows authenticated attackers in Agorum core open software to escalate their privileges to Administrator level, gaining unauthoriz...

Jul 18, 2025
CVE-2025-44525
6.5

This vulnerability allows attackers to send specially crafted Bluetooth Low Energy (BLE) LL_Length_Req packets to Texas Instruments CC2652RB devices, ...

Jul 9, 2025
CVE-2025-50405
6.5

The Intelbras RX1500 Router firmware versions up to v2.2.17 have incorrect access control in the FirmwareUpload and GetFirmwareValidation functions. T...

Jul 1, 2025
CVE-2024-57336
6.5

This vulnerability allows unauthorized attackers to bypass access controls in M2Soft CROWNIX Report & ERS software, granting them Administrator accoun...

May 28, 2025
CVE-2025-28371
6.5

This vulnerability allows attackers to change the administrator password on EnGenius ENH500 access points without knowing the current password. Attack...

May 19, 2025
CVE-2025-20190
6.5

This vulnerability in Cisco IOS XE Wireless Controller Software allows authenticated lobby ambassador users to delete arbitrary user accounts, includi...

May 7, 2025
CVE-2025-28367
6.5 (EPSS 10%)

CVE-2025-28367 is a directory traversal vulnerability in mojoPortal's BetterImageGallery API Controller that allows attackers to read sensitive files ...

Apr 21, 2025
CVE-2025-32795
6.5

This CVE describes an improper access control vulnerability in Dify, an open-source LLM app development platform. Normal users can modify app names, d...

Apr 18, 2025
CVE-2025-30692
6.5

This vulnerability in Oracle iSupplier Portal allows authenticated attackers with low privileges to access sensitive data via HTTP. It affects Oracle ...

Apr 15, 2025
CVE-2025-21197
6.5

This vulnerability allows an authenticated attacker to discover file paths within restricted directories on Windows NTFS systems, even without permiss...

Apr 8, 2025
CVE-2024-55963
6.5 (EPSS 25.2%)

This vulnerability allows any authenticated user without admin permissions to trigger the restart API in Appsmith, causing a denial of service through...

Mar 26, 2025
CVE-2025-26138
6.5

Systemic Risk Value versions up to 2.8.0 have an improper access control vulnerability in the file download endpoint. Attackers can access unauthorize...

Mar 18, 2025
CVE-2025-2278
6.5

This vulnerability allows authenticated users in Devolutions Server to access temporary access and checkout request information by guessing or knowing...

Mar 13, 2025
CVE-2024-39797
6.5

An improper access control vulnerability in Intel Ethernet Connection I219 Series drivers allows authenticated local users to potentially cause denial...

Feb 12, 2025
CVE-2025-24427
6.5

CVE-2025-24427 is an improper access control vulnerability in Adobe Commerce that allows low-privileged attackers to bypass security measures and gain...

Feb 11, 2025
CVE-2025-23367
6.5

This vulnerability allows users with Monitor or Auditor roles in Wildfly Server to suspend or resume the server despite having only read permissions. ...

Jan 30, 2025
CVE-2025-21185
6.5

This vulnerability in Microsoft Edge allows attackers to gain elevated privileges on affected systems. It affects users running vulnerable versions of...

Jan 17, 2025
CVE-2025-21301
6.5

This vulnerability in Windows Geolocation Service allows unauthorized access to location information without proper permissions. It affects Windows sy...

Jan 14, 2025
CVE-2024-51988
6.5

This vulnerability allows authenticated RabbitMQ users with HTTP API access and some permissions on a virtual host to delete queues they shouldn't hav...

Nov 6, 2024
CVE-2024-47481
6.5

Dell Data Lakehouse versions 1.0.0.0 and 1.1.0 contain an improper access control vulnerability that allows unauthenticated attackers on adjacent netw...

Oct 25, 2024
CVE-2024-43409
6.5

Ghost CMS versions 4.46.0 through 5.89.4 have improper authentication on certain member action endpoints, allowing attackers to perform member-only ac...

Aug 20, 2024
CVE-2024-41251
6.5

An unauthenticated attacker can access teacher registration approval pages in Kashipara Responsive School Management System v3.2.0, allowing them to v...

Aug 7, 2024

About Improper Access Control (CWE-284)

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Our database tracks 1,310 CVEs classified as CWE-284, with 216 rated critical and 557 rated high severity. The average CVSS score for Improper Access Control vulnerabilities is 7.2.
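Many of the entries above share one shape: the endpoint checks that the caller is logged in, but never checks that the caller is allowed to act on the specific object named in the request (another user's collection, queue, job or search result). The following is an added, constructed illustration of that pattern and its fix; it is not code from any product listed on this page, and the data model, handler names and user ids are hypothetical.

```python
"""CWE-284 (Improper Access Control), illustrated with a resource-deletion
handler that only authenticates, beside one that also authorizes the caller
against the specific object. Constructed example: the Store/User/Collection
model and the two handler names are hypothetical and belong to no real product.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is unauthenticated, or authenticated but not permitted."""


class NotFound(Exception):
    """Requested object does not exist."""


@dataclass
class User:
    user_id: int
    role: str = "user"  # hypothetical roles: "user" or "admin"


@dataclass
class Collection:
    collection_id: int
    owner_id: int
    name: str


@dataclass
class Store:
    collections: dict[int, Collection] = field(default_factory=dict)


def seed_store() -> Store:
    """Constructed sample data: two users, each owning one collection."""
    store = Store()
    store.collections[1] = Collection(1, owner_id=100, name="alice-favourites")
    store.collections[2] = Collection(2, owner_id=200, name="bob-favourites")
    return store


def delete_collection_vulnerable(store: Store, caller: User | None,
                                 collection_id: int) -> str:
    """CWE-284: verifies only that *some* session exists. Any logged-in user
    can delete any collection by putting another user's id in the request."""
    if caller is None:
        raise Forbidden("authentication required")
    if collection_id not in store.collections:
        raise NotFound(collection_id)
    del store.collections[collection_id]
    return "deleted"


def delete_collection_fixed(store: Store, caller: User | None,
                            collection_id: int) -> str:
    """Authenticate, load the object, then authorize the caller against that
    object (owner or admin) before mutating it. The authorization decision is
    made on the server-side record, never on anything the client supplied."""
    if caller is None:
        raise Forbidden("authentication required")
    target = store.collections.get(collection_id)
    if target is None:
        raise NotFound(collection_id)
    if target.owner_id != caller.user_id and caller.role != "admin":
        raise Forbidden(f"user {caller.user_id} may not delete {collection_id}")
    del store.collections[collection_id]
    return "deleted"


def demo() -> dict[str, str]:
    """Bob (id 200) tries to delete Alice's (id 100) collection via each handler."""
    bob = User(200)
    outcomes: dict[str, str] = {}
    outcomes["vulnerable"] = delete_collection_vulnerable(seed_store(), bob, 1)
    try:
        delete_collection_fixed(seed_store(), bob, 1)
        outcomes["fixed"] = "deleted"
    except Forbidden:
        outcomes["fixed"] = "forbidden"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The fixed handler deliberately separates "does this object exist" from "may this caller touch it"; whether a denied request should return 403 or the same 404 as a missing object is a deployment choice, and several entries above (Splunk search IDs, Devolutions request identifiers) show why collapsing the two into one response can matter when ids are guessable.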

External reference: CWE-284 on MITRE CWE (https://cwe.mitre.org/data/definitions/284.html)
