CWE-284: Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
[Charts: Yearly Trend; Top Affected Vendors]
All Improper Access Control CVEs (1,311)
Apr 2, 2025: The Jenkins Stack Hammer Plugin 1.0.6 and earlier stores API keys unencrypted in job configuration files, allowing users with Extended Read permission...
Mar 31, 2025: This vulnerability allows an application to modify protected parts of the macOS file system, potentially bypassing security restrictions. It affects m...
Mar 31, 2025: A macOS vulnerability involving improper symlink validation allows applications to access sensitive user data they shouldn't have permission to read. ...
Mar 31, 2025: This vulnerability allows a malicious app to dismiss the system notification that appears on the Lock Screen when recording starts, potentially hiding...
Mar 31, 2025: This CVE describes a privacy vulnerability in Apple operating systems where apps could access sensitive user data from text fields that should have be...
Mar 31, 2025: A privacy vulnerability in macOS allowed applications to access user contact information without proper authorization. This affected macOS systems bef...
Mar 31, 2025: This CVE describes a logging vulnerability in Apple operating systems where insufficient data redaction allowed apps to access sensitive user informat...
Mar 17, 2025: This CVE describes a macOS vulnerability where applications could bypass security checks and access sensitive user data. It affects macOS systems befo...
Jan 14, 2025: This vulnerability allows attackers to bypass Windows Virtualization-Based Security (VBS) protections, potentially enabling them to execute code or ac...
Sep 11, 2024: This vulnerability in Cisco IOS XR Software allows authenticated local attackers with valid credentials to read any file on the underlying Linux file ...
Aug 28, 2024: This vulnerability in IrfanView allows attackers to cause an access violation via a specially crafted EXR image file, leading to application crashes a...
Aug 1, 2024: This vulnerability in Mattermost allows a malicious remote attacker to create, update, or delete arbitrary posts in arbitrary channels when shared cha...
May 14, 2024: This vulnerability allows an app to disclose kernel memory due to improper memory handling in Apple operating systems. It affects iOS, iPadOS, and mac...
Jan 15, 2026: This CVE describes an authorization bypass vulnerability in Pimcore Web2Print Tools Bundle. Authenticated backend users without proper permissions can...
Dec 30, 2025: This vulnerability allows unauthorized access to functionality in TheGem WordPress theme plugins for Elementor and WPBakery page builders. Attackers c...
Dec 8, 2025: An incorrect access control vulnerability in usememos memos v0.25.2 allows authenticated users with low-level privileges to modify or delete attachmen...
Dec 5, 2025: This vulnerability in Nextcloud Deck allows users with 'Can share' permission to modify permissions of other recipients, potentially escalating privil...
Nov 26, 2025: This vulnerability allows non-member users to create folders and upload/download files as ZIP archives in public spaces due to insufficient authorizat...
Nov 5, 2025: This vulnerability allows attackers with valid read-only accounts to bypass access controls in Doris MCP Server, enabling unauthorized modifications t...
Jul 7, 2025: This vulnerability allows low-privileged Splunk users without admin or power roles to create or overwrite system source type configurations via a craf...
Apr 15, 2025: This vulnerability in Oracle Database's XML Database component allows authenticated attackers with network access via HTTP to perform unauthorized dat...
Nov 1, 2024: The Multiple Page Generator (MPG) WordPress plugin up to version 4.0.1 lacks proper authorization checks on several administrative functions. This all...
Sep 26, 2024: This vulnerability allows attackers to bypass authorization controls in Mattermost when archived channel viewing is disabled. Attackers can retrieve p...
Sep 2, 2024: This vulnerability in Overleaf Server Pro allows users to access the sharelatex container's filesystem, network, and environment variables during LaTe...
Aug 27, 2024: This critical vulnerability in the Insurance Management System allows attackers to bypass access controls by manipulating the 'recipt_no' parameter in...
Aug 23, 2024: Kashipara Bus Ticket Reservation System v1.0 has an incorrect access control vulnerability in the /deleteTicket.php endpoint that allows unauthorized ...
Jul 16, 2024: This vulnerability in Oracle Purchasing allows authenticated attackers with low privileges to perform unauthorized data manipulation and read access v...
Jun 13, 2024: Dell Secure Connect Gateway (SCG) versions before 5.24.00.00 have an improper access control vulnerability in an internal REST API. A remote low-privi...
Jun 13, 2024: Dell Secure Connect Gateway (SCG) versions before 5.24.00.00 have an improper access control vulnerability in an internal maintenance REST API. If an ...
Mar 7, 2026: This broken access control vulnerability in WeKnora allows any authenticated tenant to read sensitive data from other tenants, including API keys, mod...
Feb 26, 2026: This vulnerability allows unauthenticated attackers to delete arbitrary user accounts that were recently created on WordPress sites using the affected...
Jan 29, 2026: TrustTunnel VPN protocol versions before 0.9.115 have a rule bypass vulnerability where fragmented or partial TLS ClientHello messages cause client ra...
Jan 22, 2026: This vulnerability allows unauthenticated attackers to bind their Slack workspace to any Langfuse project via the Slack OAuth endpoint. This could ena...
Jan 22, 2026: This vulnerability in Horilla HRMS allows unauthenticated attackers to view unpublished job postings through an exposed API endpoint. Organizations us...
Jan 5, 2026: An improper access control vulnerability in EV Station Lite (v1.5.2 and earlier) allows attackers within Wi-Fi range to use the WiFi AutoLink feature ...
Dec 17, 2025: This vulnerability allows authenticated users of DriveLock to retrieve the computer count of other tenants via the API, potentially exposing organizat...
Nov 13, 2025: This vulnerability allows admin users in Keyfactor SignServer to enumerate local files by setting the VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH property to ...
Nov 13, 2025: This vulnerability allows administrators in Keyfactor SignServer to write arbitrary files to any directory accessible by the JBoss user. Attackers wit...
Sep 15, 2025: This CVE describes an improper access control vulnerability in macOS where applications could bypass entitlement checks to access sensitive user data....
Sep 10, 2025: This vulnerability allows unauthenticated remote attackers to bypass management interface ACLs on affected Cisco IOS XR devices, potentially gaining u...
Sep 4, 2025: This CVE-2025-36909 vulnerability allows unauthorized access to sensitive information in affected Android Pixel devices. It's an information disclosur...
Sep 3, 2025: An authentication bypass vulnerability in Cisco desk and IP phones allows unauthenticated remote attackers to write arbitrary files to specific direct...
Aug 25, 2025: This vulnerability allows authenticated attackers with low-level privileges in D-Link DSL-7740C routers to change high-privileged account passwords an...
Aug 22, 2025: An Insecure Direct Object Reference (IDOR) vulnerability in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime allows unauthorized attackers to...
Aug 21, 2025: This vulnerability in jshERP v3.5 allows unauthorized attackers to access sensitive handler information through the getAllList method in PersonControl...
Aug 21, 2025: This vulnerability in jshERP v3.5 allows attackers to bypass access controls in the UserController component, enabling unauthorized password resets fo...
Aug 21, 2025: This vulnerability allows unauthorized attackers to modify supplier status information in jshERP v3.5 without proper authentication. It affects all us...
Aug 19, 2025: This CVE describes an access control vulnerability in Appian Enterprise BPM version 25.3 that could allow unauthorized users to access sensitive infor...
Aug 19, 2025: EzGED3 3.5.0 has an unauthenticated arbitrary file read vulnerability that allows remote attackers to read any file on the server via directory traver...
Aug 19, 2025: This vulnerability allows remote attackers to cause denial of service through database resource exhaustion in the jonkastonka Cookies and Content Secu...

About Improper Access Control (CWE-284)
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Our database tracks 1,311 CVEs classified as CWE-284, with 216 rated critical and 558 rated high severity. The average CVSS score for Improper Access Control vulnerabilities is 7.2.
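The entries above share one shape: the request is authenticated, but the server never checks that this caller may act on that object (the /deleteTicket.php and 'recipt_no' entries are textbook cases). The following is an added example written for this page, not code from any product listed here: a minimal ticket API with the CWE-284 defect next to a hardened handler that resolves the caller server-side, checks ownership or an explicit role, and denies by default. All names, roles, ids and the sample data are constructed for the demonstration.

```python
"""Added example (not from the page or from any listed product): a ticket
deletion handler with a CWE-284 defect, and the same handler hardened with
an object-level authorization check. Names and data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the resource."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "customer" or "admin"


@dataclass
class Ticket:
    ticket_id: int
    owner_id: int


@dataclass
class TicketStore:
    tickets: Dict[int, Ticket] = field(default_factory=dict)

    def lookup(self, ticket_id: int) -> Optional[Ticket]:
        return self.tickets.get(ticket_id)


def delete_ticket_vulnerable(store: TicketStore, caller: User, ticket_id: int) -> bool:
    """CWE-284: the caller is authenticated, but nothing ties the client-supplied
    ticket_id back to the caller. Any logged-in user who guesses or enumerates
    an id can delete someone else's ticket (an IDOR)."""
    if store.lookup(ticket_id) is None:
        return False
    del store.tickets[ticket_id]
    return True


def is_authorized(caller: User, ticket: Ticket, action: str) -> bool:
    """Deny-by-default policy: only an explicit allow rule returns True."""
    if caller.role == "admin":
        return True
    if action in {"read", "delete"} and ticket.owner_id == caller.user_id:
        return True
    return False


def delete_ticket_hardened(store: TicketStore, caller: User, ticket_id: int) -> bool:
    """Same operation with an object-level authorization check before the write.

    Returns False for a missing ticket and raises Forbidden when the caller is
    neither the owner nor an admin. Many APIs return the same not-found result
    in both cases so that ids cannot be enumerated; the explicit Forbidden here
    keeps the denial observable for the demonstration."""
    ticket = store.lookup(ticket_id)
    if ticket is None:
        return False
    if not is_authorized(caller, ticket, "delete"):
        raise Forbidden(f"user {caller.user_id} may not delete ticket {ticket_id}")
    del store.tickets[ticket_id]
    return True


def make_store() -> TicketStore:
    """Constructed sample data: two customers, each owning one ticket."""
    store = TicketStore()
    store.tickets[101] = Ticket(ticket_id=101, owner_id=1)
    store.tickets[102] = Ticket(ticket_id=102, owner_id=2)
    return store


def demo() -> Dict[str, object]:
    """User 2 (a plain customer) targets user 1's ticket through both handlers."""
    attacker = User(user_id=2, role="customer")
    admin = User(user_id=99, role="admin")

    vuln_store = make_store()
    deleted_foreign = delete_ticket_vulnerable(vuln_store, attacker, 101)

    hard_store = make_store()
    try:
        delete_ticket_hardened(hard_store, attacker, 101)
        denied = False
    except Forbidden:
        denied = True
    own_ok = delete_ticket_hardened(hard_store, attacker, 102)    # owner: allowed
    admin_ok = delete_ticket_hardened(hard_store, admin, 101)     # admin: allowed

    return {
        "vulnerable_deleted_foreign": deleted_foreign,   # True: the IDOR succeeded
        "hardened_denied_foreign": denied,               # True: blocked by policy
        "hardened_allowed_own": own_ok,
        "hardened_allowed_admin": admin_ok,
        "vuln_remaining": sorted(vuln_store.tickets),    # [102]
        "hard_remaining": sorted(hard_store.tickets),    # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is where the check sits: it runs against the resolved object and the server-side identity, not against anything the client sent, and the policy function has no path that allows by accident. Whether the denial is reported as 403 or folded into a 404 is a separate enumeration trade-off; either way the write must not happen.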
External reference: View CWE-284 on MITRE CWE →