CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,679 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 60 of 94
- CVE-2025-27206MEDIUMCVSS 5.3EG 5.32025-06-10
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to …
- CVE-2025-27207MEDIUMCVSS 6.5EG 6.52025-06-10
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerab…
- CVE-2025-27215HIGHCVSS 8.1EG 8.12025-08-21
An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect Display Cast devices to make unsupported changes to the system. Affected Products: UniFi Connect Display Cast (Version 1.…
- CVE-2025-27238LOWCVSS 3.5EG 3.52025-09-12
Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them.
- CVE-2025-27258CRITICALCVSS 9.8EG 9.82025-10-13
Ericsson Network Manager (ENM) versions prior to ENM 25.1 GA contain a vulnerability, if exploited, can result in an escalation of privilege.
- CVE-2025-27646CRITICALCVSS 9.8EG 9.82025-03-05
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.913 Application 20.0.2253 allows Edit User Account Exposure V-2024-001.
- CVE-2025-27649CRITICALCVSS 9.8EG 9.82025-03-05
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.893 Application 20.0.2140 allows Incorrect Access Control: PHP V-2023-016.
- CVE-2025-27689HIGHCVSS 7.8EG 7.82025-06-12
Dell iDRAC Tools, version(s) prior to 11.3.0.0, contain(s) an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
- CVE-2025-27702MEDIUMCVSS 4.9EG 4.92025-05-28
CVE-2025-27702 is a vulnerability in the management console of Absolute Secure Access prior to version 13.54. Attackers with administrative access to the console and who have been assigned a certain set of permissions can bypass those p…
- CVE-2025-27724CRITICALCVSS 9.3EG 9.32025-07-28
A privilege escalation vulnerability exists in the login.php functionality of meddream MedDream PACS Premium 7.3.3.840. A specially crafted .php file can lead to elevated capabilities. An attacker can upload a malicious file to trigger thi…
- CVE-2025-27738MEDIUMCVSS 6.5EG 6.52025-04-08
Improper access control in Windows Resilient File System (ReFS) allows an authorized attacker to disclose information over a network.
- CVE-2025-27744HIGHCVSS 7.8EG 7.82025-04-08
Improper access control in Microsoft Office allows an authorized attacker to elevate privileges locally.
- CVE-2025-27919HIGHCVSS 8.2EG 8.22025-11-06
An issue was discovered in AnyDesk through 9.0.4. A remotely connected user with the "Control my device" permission can manipulate remote AnyDesk settings and create a password for the Full Access profile without needing confirmation from …
- CVE-2025-28041HIGHCVSS 8.6EG 8.62025-08-20
Incorrect access control in the doFilter function of itranswarp up to 2.19 allows attackers to access sensitive components without authentication.
- CVE-2025-28104CRITICALCVSS 9.1EG 9.12025-04-21
Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input.
- CVE-2025-28201MEDIUMCVSS 6.8EG 6.82025-05-09
An issue in Victure RX1800 EN_V1.0.0_r12_110933 allows physically proximate attackers to execute arbitrary code or gain root access.
- CVE-2025-28229CRITICALCVSS 9.8EG 9.82025-04-18
Incorrect access control in Orban OPTIMOD 5950 Firmware v1.0.0.2 and System v2.2.15 allows attackers to bypass authentication and gain Administrator privileges.
- CVE-2025-28231CRITICALCVSS 9.1EG 9.12025-04-18
Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges.
- CVE-2025-28232CRITICALCVSS 9.1EG 9.12025-04-18
Incorrect access control in the HOME.php endpoint of JMBroadcast JMB0150 Firmware v1.0 allows attackers to access the Admin panel without authentication.
- CVE-2025-28233CRITICALCVSS 9.1EG 9.12025-04-18
Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version: 1.7 allows attackers to access log files…
- CVE-2025-28367MEDIUMCVSS 6.5EG 6.52025-04-21
mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey.
- CVE-2025-28371MEDIUMCVSS 6.5EG 6.52025-05-19
EnGenius ENH500 AP 2T2R V3.0 FW3.7.22 is vulnerable to Incorrect Access Control via the password change function. The device fails to validate the current password, allowing an attacker to submit a password change request with an invalid c…
- CVE-2025-28402CRITICALCVSS 9.8EG 9.82025-04-07
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobId parameter
- CVE-2025-28403HIGHCVSS 7.2EG 7.22025-04-07
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method does not properly validate whether the requesting user has administrative privileges before allowing modifications to system configuration se…
- CVE-2025-28405CRITICALCVSS 9.8EG 9.82025-04-07
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the changeStatus method
- CVE-2025-28406CRITICALCVSS 9.8EG 9.82025-04-07
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the jobLogId parameter
- CVE-2025-28407HIGHCVSS 8.8EG 8.82025-04-07
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the edit method of the /edit/{dictId} endpoint does not properly validate whether the requesting user has permission to modify the specified dictId
- CVE-2025-28408CRITICALCVSS 9.8EG 9.82025-04-07
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the selectDeptTree method of the /selectDeptTree/{deptId} endpoint does not properly validate the deptId parameter
- CVE-2025-28409HIGHCVSS 8.8EG 8.82025-04-07
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the add method of the /add/{parentId} endpoint does not properly validate whether the requesting user has permission to add a menu item under the specified paren…
- CVE-2025-28410CRITICALCVSS 9.8EG 9.82025-04-07
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the cancelAuthUserAll method does not properly validate whether the requesting user has administrative privileges
- CVE-2025-28411CRITICALCVSS 9.8EG 9.82025-04-07
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the editSave method in /tool/gen/editSave
- CVE-2025-28412CRITICALCVSS 9.8EG 9.82025-04-07
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the /editSave method in SysNoticeController
- CVE-2025-28413CRITICALCVSS 9.8EG 9.82025-04-07
An issue in RUoYi v.4.8.0 allows a remote attacker to escalate privileges via the SysDictTypeController component
- CVE-2025-29270CRITICALCVSS 10.0EG 10.02025-10-31
Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin panel and complete control of the device.
- CVE-2025-29315CRITICALCVSS 9.8EG 9.82025-03-24
An issue in the Shiro-based RBAC (Role-based Access Control) mechanism of OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to execute privileged operations via a crafted request.
- CVE-2025-29421HIGHCVSS 7.5EG 7.52025-08-25
PerfreeBlog v4.0.11 has an arbitrary file read vulnerability in the getThemeFileContent function.
- CVE-2025-29448HIGHCVSS 7.5EG 7.52025-05-07
Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking availability.
- CVE-2025-29514CRITICALCVSS 9.8EG 9.82025-08-25
Incorrect access control in the config.xgi function of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to download the configuration file via providing a crafted web request.
- CVE-2025-29515CRITICALCVSS 9.8EG 9.82025-08-25
Incorrect access control in the DELT_file.xgi endpoint of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to modify arbitrary settings within the device's XML database, including the administrator’s password.
- CVE-2025-2952MEDIUMCVSS 6.3EG 6.32025-03-30
A vulnerability classified as critical was found in Bluestar Micro Mall 1.0. Affected by this vulnerability is an unknown functionality of the file /api/api.php?mod=upload&type=1. The manipulation of the argument File leads to unrestricted…
- CVE-2025-29520MEDIUMCVSS 5.3EG 5.32025-08-25
Incorrect access control in the Maintenance module of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows authenticated attackers with low-level privileges to arbitrarily change the high-privileged account passwords and escala…
- CVE-2025-29524MEDIUMCVSS 6.5EG 6.52025-08-25
Incorrect access control in the component /cgi-bin/system_diagnostic_main.asp of DASAN GPON ONU H660WM H660WMR210825 allows attackers to access sensitive information.
- CVE-2025-2954LOWCVSS 3.3EG 3.32025-03-30
A vulnerability, which was classified as problematic, was found in mannaandpoem OpenManus up to 2025.3.13. This affects the function execute of the file app/tool/file_saver.py of the component File Handler. The manipulation leads to improp…
- CVE-2025-2955MEDIUMCVSS 5.3EG 5.32025-03-30
A vulnerability has been found in TOTOLINK A3000RU up to 5.9c.5185 and classified as problematic. This vulnerability affects unknown code of the file /cgi-bin/ExportIbmsConfig.sh of the component IBMS Configuration File Handler. The manipu…
- CVE-2025-29556HIGHCVSS 7.3EG 7.32025-07-31
ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control. Since version 6.3, ExaGrid enforces restrictions preventing users with the Admin role from creating or modifying users with the Security Officer role without approval.…
- CVE-2025-29557MEDIUMCVSS 5.4EG 5.42025-07-31
ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control in the MailConfiguration API endpoint, where users with operator-level privileges can issue an HTTP request to retrieve SMTP credentials, including plaintext passwords.
- CVE-2025-29705MEDIUMCVSS 4.3EG 4.32025-04-15
code-gen <=2.0.6 is vulnerable to Incorrect Access Control. The project does not have permission control allowing anyone to access such projects.
- CVE-2025-2973MEDIUMCVSS 6.3EG 6.32025-03-31
A vulnerability, which was classified as critical, was found in code-projects College Management System 1.0. This affects an unknown part of the file /Admin/student.php. The manipulation of the argument profile_image leads to unrestricted …
- CVE-2025-2978MEDIUMCVSS 6.3EG 6.32025-03-31
A vulnerability was found in WCMS 11. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?articleadmin/upload/?&CKEditor=container&CKEditorFuncNum=1 of the component Article Publishing…
- CVE-2025-29804HIGHCVSS 7.3EG 7.32025-04-08
Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally.
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →