CWE-284: Improper Access Control

This authentication bypass vulnerability in the application API allows remote attackers to create unauthorized administrative accounts. Attackers can ...

LavaLite CMS 10.1.0 has an access control vulnerability where authenticated users with low-level privileges can bypass role restrictions and access th...

The Simple User Registration WordPress plugin allows authenticated attackers with minimal permissions (like subscribers) to escalate their privileges ...

OpenEMR versions before 7.0.4 have a broken access control vulnerability in the Profile Edit endpoint. Authenticated normal users can modify request p...

A local privilege escalation vulnerability exists in Epic Games Store installation via Microsoft Store where low-privilege users can replace DLL files...

Authenticated users in Wekan versions up to 18.15 can modify their entire user document, including organization/team memberships and account status fi...

This vulnerability in Ruoyi 4.8.1 allows attackers to escalate privileges by exploiting a flaw where the owning department has higher rights than the ...

Primakon Pi Portal 1.0.18 has an insecure direct object reference vulnerability in its /api/v2/pp_users endpoint that allows any authenticated user to...

CVE-2025-43515 is a critical vulnerability in Apple Compressor where unauthenticated attackers on the same network can execute arbitrary code on Compr...

This vulnerability in Cisco Catalyst Center Virtual Appliance allows authenticated users with at least Observer role to elevate privileges to Administ...

The SOCET GXP Job Service lacks authentication requirements, allowing unauthorized job submissions. Remote users can potentially submit jobs in certai...

CVE-2025-52079 allows unauthenticated attackers to change the administrator password on D-Link DIR-820L routers via a crafted POST request to /get_set...

This vulnerability allows attackers to bypass Chrome's site isolation security feature through a specially crafted HTML page. It affects Google Chrome...

This vulnerability in jshERP v3.5 allows unauthorized attackers to modify supplier statuses under any account due to incorrect access control in RoleC...

This vulnerability allows an authenticated attacker with existing SQL Server access to elevate privileges over the network, potentially gaining admini...

This CVE describes a sandbox escape vulnerability in macOS that allows malicious applications to bypass Local Network access restrictions. An attacker...

An access control vulnerability in NanoMQ v0.21.10 allows attackers to bypass security restrictions and access sensitive system topic messages using M...

An improper access control vulnerability in the MediaWiki Scribunto extension allows unauthorized users to execute functions that should be restricted...

A misconfiguration vulnerability in IITB SSO v1.1.0 allows attackers to bypass access controls and retrieve sensitive application data. This affects a...

CVE-2025-33073 is an improper access control vulnerability in Windows SMB that allows authenticated attackers to elevate privileges over a network. Th...

This vulnerability allows attackers to bypass a previous security patch (CVE-2025-46566) in DataEase, enabling them to construct malicious JDBC statem...

This vulnerability allows non-administrative users with both 'User Management' and 'User Group Management' permissions in Devolutions Server to escala...

This privilege escalation vulnerability in Joplin server allows non-admin users to modify their own user accounts via the PATCH /api/users/:id endpoin...

This vulnerability in RUoYi v4.8.0 allows remote attackers to escalate privileges by exploiting improper permission validation in the /edit/{dictId} e...

This vulnerability allows attackers to escalate privileges by placing a crafted executable into scheduled tasks in Inova Logic CUSTOMER MONITOR v3.1.7...

CVE-2025-25614 is an incorrect access control vulnerability in Unifiedtransform 2.0 that allows teachers to modify personal data of other teachers, le...

This vulnerability in Extreme Networks XIQ-SE allows low-privileged users to access administrator passwords, potentially enabling privilege escalation...

This vulnerability in Intel Graphics software allows authenticated local users to escalate privileges by bypassing access controls. It affects systems...

This vulnerability in reNgine allows attackers with penetration_tester or auditor roles to delete all projects, leading to system takeover via redirec...

A broken access control vulnerability in Geovision GV-ASWeb versions v6.1.0.0 and earlier allows low-privilege users to perform unauthorized actions. ...

CVE-2024-23920 is a critical vulnerability in ChargePoint Home Flex charging stations that allows network-adjacent attackers to execute arbitrary code...

This vulnerability allows attackers to elevate privileges in Active Directory Domain Services, potentially gaining unauthorized administrative access....

This vulnerability allows authenticated attackers to bypass access controls in Azure SaaS Resources, potentially exposing sensitive data over the netw...

This vulnerability allows a developer account on a Hive-enabled OpenShift Dedicated cluster to escalate privileges to cluster-admin level by executing...

GLPI versions 9.1.0 through 10.0.16 contain an API vulnerability where authenticated technicians can escalate privileges to higher-level accounts. Thi...

This vulnerability in GLPI allows authenticated users to take control of other user accounts with equal or lower privilege levels via API exploitation...