CWE-284: Improper Access Control

This broken access control vulnerability in File Browser allows authenticated users with only Create permission to delete files and directories they s...

This vulnerability in RuoYi v4.8.2 allows unauthorized attackers to modify data they shouldn't have access to due to improper access control in the up...

Gitea versions before 1.25.4 have an improper access control vulnerability where attachments uploaded to private repositories can be linked to release...

CVE-2026-20897 is an improper access control vulnerability in Gitea where users with write access to any repository can delete Git LFS locks belonging...

Gitea contains an authorization bypass vulnerability where users with project write access in one organization can modify projects belonging to other ...

This vulnerability allows unauthenticated remote attackers to bypass access controls on TOTOLINK routers. Attackers can send malicious payloads to vul...

CVE-2025-66430 is an incorrect access control vulnerability in Plesk's Password Protected Directories feature that allows authenticated Plesk users to...

This vulnerability allows a physically proximate attacker to access internal components of Entrust nShield HSM appliances without leaving tamper evide...

This vulnerability allows unauthenticated remote attackers to bypass authentication on Axel Technology puma devices and perform administrative actions...

Dell Data Lakehouse versions before 1.6.0.0 have an improper access control vulnerability that allows high-privileged attackers with remote access to ...

This vulnerability allows unauthorized attackers to access restricted administrative routes in eTimeTrackLite Web and modify database connection confi...

The BATBToken smart contract contains critical access control vulnerabilities in whitelist management functions. Any user can bypass transfer restrict...

A critical authentication bypass vulnerability in Termix versions 1.5.0 and below allows unauthenticated attackers to access the /ssh/db/host/internal...

This vulnerability in Zimbra Collaboration (ZCS) allows attackers with valid user credentials to bypass Two-Factor Authentication (2FA) protection by ...

CVE-2024-45438 is an authentication bypass vulnerability in TitanHQ SpamTitan Email Security Gateway that allows unauthenticated attackers to create u...

This CVE describes an access control bypass vulnerability in Apache HTTP Server's mod_ssl module when using TLS 1.3 session resumption. Organizations ...

This vulnerability allows unauthorized access to device groups in Northern.tech Mender Server due to improper access control. Attackers can potentiall...

CryptPad versions before 2025.3.0 have a critical 2FA bypass vulnerability. Attackers who obtain user credentials can access accounts even with 2FA en...

The Tinxy WiFi Lock Controller v1 RF transmits on an open Wi-Fi network without authentication, allowing attackers to join the network and potentially...

This vulnerability in Jenkins OpenID Connect Provider Plugin allows attackers who can configure jobs to craft build ID tokens that impersonate trusted...

This CVE describes an Improper Access Control vulnerability in Adobe ColdFusion that allows high-privileged attackers to read arbitrary files from the...

This vulnerability allows attackers to use Siri voice commands on locked iOS/iPadOS devices to enable Auto-Answer Calls, potentially allowing unauthor...

An incorrect access control vulnerability in flaskBlog v2.6.1 allows unauthenticated attackers to retrieve all usernames via crafted input. This affec...

This vulnerability allows unauthorized attackers to execute arbitrary commands with Administrator privileges on Itel Electronics IP Stream version 1.7...

This vulnerability allows unauthenticated attackers to bypass authentication and access the admin panel of JMBroadcast JMB0150 devices. Attackers can ...

IROAD Dashcam V devices use an unregistered public domain name for internal communication, creating a security vulnerability. If an attacker registers...

This vulnerability allows unauthorized gNOI requests to bypass security controls on Arista EOS devices with OpenConfig enabled, potentially enabling a...

This vulnerability allows attackers to bypass authentication requirements for Firefox's Focus feature when users have enabled authentication protectio...

This vulnerability allows unauthenticated attackers to create and modify user accounts, including Administrator accounts, in Serosoft Academia SIS Eag...

Infoblox NIOS through version 8.6.4 has improper access control for Grids, allowing unauthorized users to access or modify Grid configurations. This a...

Lexmark MX6500 printers with firmware LW75.JD.P296 and earlier have incorrect access control settings that allow unauthorized users to bypass security...

CVE-2024-46627 is an incorrect access control vulnerability in BECN DATAGERRY v2.2 that allows attackers to bypass authentication and execute arbitrar...

An unauthenticated attacker can directly access the /admin/add_room_controller.php endpoint in Kashipara Hotel Management System v1.0 to add unauthori...

CVE-2024-28805 is an incorrect access control vulnerability in Italtel i-MCS NFV 12.1.0-20211215 that allows unauthorized users to bypass authenticati...

CVE-2024-22187 is an unauthenticated write-what-where vulnerability in AutomationDirect P3-550E's Programming Software Connection Remote Memory Diagno...

A use-after-free vulnerability in the Linux kernel's IOMMUFD subsystem allows attackers to corrupt memory when splitting I/O page table areas. This af...

An improper access control vulnerability in Mitel SIP phones allows unauthenticated attackers to access user information or system configuration. This...

This vulnerability allows high-privileged attackers with network access via HTTP to compromise Oracle Workflow in Oracle E-Business Suite, potentially...

This vulnerability allows remote attackers to modify device settings on Silex Technology DS-600 devices via an unauthenticated SAVE EEP_DATA command. ...

Alldata V0.4.6 has an incorrect access control vulnerability that leaks sensitive API documentation through unauthenticated endpoints like /api/system...

This vulnerability allows Project Owners or Organization Owners in Datalust Seq to escalate their privileges to System-level access, bypassing intende...

This vulnerability in Net::IPv4Addr 0.10 for Perl allows attackers to bypass IP-based access controls by using IP addresses with extraneous zero chara...

This vulnerability in Lustre file systems allows attackers to bypass access controls, potentially escalating privileges and accessing sensitive inform...

This vulnerability allows remote attackers to retrieve Wi-Fi credentials and system information from Totolink N200RE_V5 routers without authentication...

CVE-2023-47110 is an improper access control vulnerability in the blockreassurance PrestaShop module that allows attackers to modify any value in the ...

This vulnerability in BoltWire v6.03 allows remote attackers to bypass authentication and access sensitive administrative functions, including viewing...

This vulnerability in Decidim's templates module allows any authenticated user to access administrative template management functions, enabling unauth...

This vulnerability in Hikvision Hybrid SAN/Cluster Storage products allows attackers to bypass access controls and gain administrative privileges by s...

CVE-2023-27578 is an insufficient permission check vulnerability in Galaxy data analysis platform that allows attackers to modify, delete, copy, or im...

This vulnerability in Omron CJ1M PLC units allows attackers to overwrite the UM password memory region via PROGRAM AREA WRITE commands. This can disab...