CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 69 of 94
- CVE-2025-53763CRITICALCVSS 9.8EG 9.82025-08-21
Improper access control in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.
- CVE-2025-53791MEDIUMCVSS 4.7EG 4.72025-09-05
Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2025-5382MEDIUMCVSS 6.8EG 6.82025-06-05
Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA.
- CVE-2025-5387CRITICALCVSS 9.8EG 6.32025-05-31
A vulnerability classified as critical has been found in JeeWMS up to 20250504. Affected is the function dogenerate of the file /generateController.do?dogenerate of the component File Handler. The manipulation leads to improper access cont…
- CVE-2025-5389CRITICALCVSS 9.8EG 6.32025-05-31
A vulnerability, which was classified as critical, has been found in JeeWMS up to 20250504. Affected by this issue is the function dogenerateOne2Many of the file /generateController.do?dogenerateOne2Many of the component File Handler. The …
- CVE-2025-5390CRITICALCVSS 9.8EG 6.32025-05-31
A vulnerability, which was classified as critical, was found in JeeWMS up to 20250504. This affects the function filedeal of the file /systemController/filedeal.do of the component File Handler. The manipulation leads to improper access co…
- CVE-2025-5406HIGHCVSS 8.8EG 6.32025-06-01
A vulnerability, which was classified as critical, was found in chaitak-gorai Blogbook up to 92f5cf90f8a7e6566b576fe0952e14e1c6736513. Affected is an unknown function of the file /admin/posts.php?source=add_post. The manipulation of the ar…
- CVE-2025-5409CRITICALCVSS 9.8EG 7.32025-06-01
A vulnerability was found in Mist Community Edition up to 4.7.1. It has been classified as critical. This affects the function create_token of the file src/mist/api/auth/views.py of the component API Token Handler. The manipulation leads t…
- CVE-2025-54098HIGHCVSS 7.8EG 7.82025-09-09
Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally.
- CVE-2025-54116HIGHCVSS 7.3EG 7.32025-09-09
Improper access control in Windows MultiPoint Services allows an authorized attacker to elevate privileges locally.
- CVE-2025-5421MEDIUMCVSS 6.3EG 6.32025-06-02
A vulnerability, which was classified as critical, has been found in juzaweb CMS up to 3.4.2. Affected by this issue is some unknown functionality of the file /admin-cp/plugin/editor of the component Plugin Editor Page. The manipulation le…
- CVE-2025-5422MEDIUMCVSS 4.3EG 4.32025-06-02
A vulnerability, which was classified as problematic, was found in juzaweb CMS up to 3.4.2. This affects an unknown part of the file /admin-cp/logs/email of the component Email Logs Page. The manipulation leads to improper access controls.…
- CVE-2025-5423MEDIUMCVSS 6.3EG 6.32025-06-02
A vulnerability has been found in juzaweb CMS up to 3.4.2 and classified as critical. This vulnerability affects unknown code of the file /admin-cp/setting/system/general of the component General Setting Page. The manipulation leads to imp…
- CVE-2025-5424MEDIUMCVSS 6.3EG 6.32025-06-02
A vulnerability was found in juzaweb CMS up to 3.4.2 and classified as critical. This issue affects some unknown processing of the file /admin-cp/media of the component Media Page. The manipulation leads to improper access controls. The at…
- CVE-2025-5425MEDIUMCVSS 6.3EG 6.32025-06-02
A vulnerability was found in juzaweb CMS up to 3.4.2. It has been classified as critical. Affected is an unknown function of the file /admin-cp/theme/editor/default of the component Theme Editor Page. The manipulation leads to improper acc…
- CVE-2025-5426MEDIUMCVSS 6.3EG 6.32025-06-02
A vulnerability was found in juzaweb CMS up to 3.4.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin-cp/menus of the component Menu Page. The manipulation leads to improper a…
- CVE-2025-5427MEDIUMCVSS 6.3EG 6.32025-06-02
A vulnerability was found in juzaweb CMS up to 3.4.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin-cp/permalinks of the component Permalinks Page. The manipulation leads to improper…
- CVE-2025-5428MEDIUMCVSS 6.3EG 6.32025-06-02
A vulnerability classified as critical has been found in juzaweb CMS up to 3.4.2. This affects an unknown part of the file /admin-cp/log-viewer of the component Error Logs Page. The manipulation leads to improper access controls. It is pos…
- CVE-2025-5429MEDIUMCVSS 6.3EG 6.32025-06-02
A vulnerability classified as critical was found in juzaweb CMS up to 3.4.2. This vulnerability affects unknown code of the file /admin-cp/plugin/install of the component Plugins Page. The manipulation leads to improper access controls. Th…
- CVE-2025-54338HIGHCVSS 7.5EG 7.52025-11-24
An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to disclose user hashes.
- CVE-2025-54339CRITICALCVSS 10.0EG 10.02025-11-14
An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges.
- CVE-2025-54343CRITICALCVSS 9.6EG 9.62025-11-14
An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges.
- CVE-2025-5436MEDIUMCVSS 5.3EG 5.32025-06-02
A vulnerability was found in Multilaser Sirius RE016 MLT1.0. It has been rated as problematic. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi. The manipulation leads to information disclosure. The attack may be…
- CVE-2025-54391CRITICALCVSS 9.1EG 9.12025-09-16
A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA…
- CVE-2025-54397MEDIUMCVSS 4.3EG 4.32025-08-07
Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 inserts Sensitive Information Into Sent Data to authenticated users.
- CVE-2025-54561MEDIUMCVSS 4.3EG 4.32025-11-14
An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote access to content despite lack of the correct permission through a Broken Authorizatio…
- CVE-2025-54563HIGHCVSS 7.5EG 7.52025-11-24
An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Incorrect Access Control, leading to Remote Information Disclosure.
- CVE-2025-54591HIGHCVSS 7.5EG 7.52025-09-29
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below expose information about feeds and tags of default admin users, due to lack of access checking in the FreshRSS_Auth::hasAccess() function used by some of the tag/f…
- CVE-2025-54599HIGHCVSS 7.5EG 7.52025-09-02
The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows account takeover, if SSO is used, when a victim changes the email address that they have configured. To exploit this, an attacker would …
- CVE-2025-54603MEDIUMCVSS 6.5EG 6.52025-10-14
An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users.
- CVE-2025-54786MEDIUMCVSS 5.3EG 5.32025-08-07
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An …
- CVE-2025-54871MEDIUMCVSS 5.5EG 5.52025-08-05
Electron Capture facilitates video playback for screen-sharing and capture. In versions 2.19.1 and below, the elecap app on macOS allows local unprivileged users to bypass macOS TCC privacy protections by enabling ELECTRON_RUN_AS_NODE. Thi…
- CVE-2025-54875CRITICALCVSS 9.8EG 9.82025-09-29
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration is enabled through the use of a hidden field used only in the user manage…
- CVE-2025-54914CRITICALCVSS 10.0EG 10.02025-09-04
Azure Networking Elevation of Privilege Vulnerability
- CVE-2025-54968HIGHCVSS 8.8EG 8.82025-10-27
An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Service does not require authentication. In some configurations, this may allow remote users to submit jobs, or local users to submit jobs that will execute with th…
- CVE-2025-54970MEDIUMCVSS 6.5EG 6.52025-10-27
An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Status Service fails to authenticate requests. In some configurations, this may allow remote or local users to abort jobs or read information without the permission…
- CVE-2025-55012HIGHCVSS 8.5EG 8.52025-08-11
Zed is a multiplayer code editor. Prior to version 0.197.3, in the Zed Agent Panel allowed for an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI Agent could have exploited a permissions bypass vu…
- CVE-2025-55196HIGHCVSS 7.1EG 7.12025-08-13
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List() calls for Kubernetes Secret and SecretStore resour…
- CVE-2025-55238HIGHCVSS 7.5EG 7.52025-09-04
Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability
- CVE-2025-55240HIGHCVSS 7.3EG 7.32025-10-14
Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally.
- CVE-2025-55244CRITICALCVSS 9.0EG 9.02025-09-04
Azure Bot Service Elevation of Privilege Vulnerability
- CVE-2025-55366MEDIUMCVSS 5.3EG 5.32025-08-21
Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack.
- CVE-2025-55367MEDIUMCVSS 5.3EG 5.32025-08-21
Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account.
- CVE-2025-55368HIGHCVSS 8.8EG 8.82025-08-21
Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account.
- CVE-2025-55371MEDIUMCVSS 5.3EG 5.32025-08-21
Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method.
- CVE-2025-55373MEDIUMCVSS 5.3EG 5.32025-09-02
Incorrect access control in Beakon Application before v5.4.3 allows authenticated attackers with low-level privileges to escalate privileges and execute commands with Administrator rights.
- CVE-2025-55469CRITICALCVSS 9.8EG 9.82025-11-26
Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.
- CVE-2025-55471HIGHCVSS 7.5EG 7.52025-11-26
Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users.
- CVE-2025-55621MEDIUMCVSS 6.5EG 6.52025-08-22
An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is…
- CVE-2025-55626MEDIUMCVSS 5.3EG 5.32025-08-22
An Insecure Direct Object Reference (IDOR) vulnerability in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to access the Admin-only settings and edit the session st…
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →