CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 70 of 94
- CVE-2025-55630HIGHCVSS 7.3EG 7.32025-08-22
A discrepancy in the error message returned by the login function of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 when entering the wrong username and password allows attackers to enumerate ex…
- CVE-2025-55694HIGHCVSS 7.8EG 7.82025-10-14
Improper access control in Windows Error Reporting allows an authorized attacker to elevate privileges locally.
- CVE-2025-55741HIGHCVSS 8.1EG 8.12025-08-22
UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. In versions 0.3.0 and earlier, users without the Delete privilege for products are unable to delete individual products via the standard e…
- CVE-2025-55749HIGHCVSS 7.5EG 7.52025-12-01
XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. I…
- CVE-2025-55795LOWCVSS 3.5EG 3.52025-09-29
The openml/openml.org web application version v2.0.20241110 uses incremental user IDs and insufficient email ownership verification during email update workflows. An authenticated attacker controlling a user account with a lower user ID ca…
- CVE-2025-55797MEDIUMCVSS 6.5EG 6.52025-09-30
An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/[schemaId] endpoint allows unauthenticated attackers to access historical schema data if a valid schemaId is known or guessed.
- CVE-2025-55895CRITICALCVSS 9.1EG 9.12025-12-15
TOTOLINK A3300R V17.0.0cu.557_B20221024 and N200RE V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519 are vulnerable to Incorrect Access Control. Attackers can send payloads to the interface without logging in (remote).
- CVE-2025-56015HIGHCVSS 7.5EG 7.52026-04-07
In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.
- CVE-2025-56219HIGHCVSS 7.1EG 7.52025-10-20
Incorrect access control in SigningHub v8.6.8 allows attackers to arbitrarily add user accounts without any rate limiting. This can lead to a resource exhaustion and a Denial of Service (DoS) when an excessively large number of user accoun…
- CVE-2025-56241HIGHCVSS 7.5EG 7.52025-09-24
Aztech DSL5005EN firmware 1.00.AZ_2013-05-10 and possibly other versions allows unauthenticated attackers to change the administrator password via a crafted POST request to sysAccess.asp. This allows full administrative control of the rout…
- CVE-2025-56274HIGHCVSS 8.1EG 8.12025-09-15
SourceCodester Web-based Pharmacy Product Management System 1.0 is vulnerable to Incorrect Access Control, which allows low-privileged users to forge high privileged (such as admin) sessions and perform sensitive operations such as adding …
- CVE-2025-56396HIGHCVSS 8.8EG 8.82025-11-26
An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user.
- CVE-2025-56405HIGHCVSS 7.5EG 7.52025-09-10
An issue was discovered in litmusautomation litmus-mcp-server thru 0.0.1 allowing unauthorized attackers to control the target's MCP service through the SSE protocol.
- CVE-2025-56406HIGHCVSS 7.5EG 7.52025-09-10
An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for MCP servers, and the…
- CVE-2025-5649MEDIUMCVSS 6.5EG 5.32025-06-05
A vulnerability classified as critical has been found in SourceCodester Student Result Management System 1.0. This affects an unknown part of the file /admin/core/new_user of the component Register Interface. The manipulation leads to impr…
- CVE-2025-56499MEDIUMCVSS 6.5EG 6.52025-11-18
Incorrect access control in mihomo v1.19.11 allows authenticated attackers with low-level privileges to read arbitrary files with elevated privileges via obtaining the external control key from the config file.
- CVE-2025-57130HIGHCVSS 8.8EG 8.32025-11-05
An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user ca…
- CVE-2025-57197MEDIUMCVSS 6.0EG 6.52025-09-29
In the Payeer Android application 2.5.0, an improper access control vulnerability exists in the authentication flow for the PIN change feature. A local attacker with root access to the device can dynamically instrument the app to bypass th…
- CVE-2025-57210HIGHCVSS 7.5EG 7.52025-12-04
Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors.
- CVE-2025-57212HIGHCVSS 7.5EG 7.52025-12-04
Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request.
- CVE-2025-57213HIGHCVSS 7.5EG 7.52025-12-04
Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request.
- CVE-2025-57219MEDIUMCVSS 5.3EG 5.32025-08-28
Incorrect access control in the endpoint /goform/ate of Tenda AC10 v4.0 firmware v16.03.10.09_multi_TDE01 allows attackers to escalate privileges or access sensitive components via a crafted request.
- CVE-2025-57247CRITICALCVSS 9.1EG 9.12025-10-06
The BATBToken smart contract (address 0xfbf1388408670c02f0dbbb74251d8ded1d63b7a2, Compiler Version v0.8.26+commit.8a97fa7a) contains incorrect access control implementation in whitelist management functions. The setColdWhiteList() and setS…
- CVE-2025-57266CRITICALCVSS 9.8EG 9.82025-09-29
An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the /api/assistant/list endpoint.
- CVE-2025-5728HIGHCVSS 8.8EG 6.32025-06-06
A vulnerability classified as critical was found in SourceCodester Open Source Clinic Management System 1.0. This vulnerability affects unknown code of the file /manage_website.php. The manipulation of the argument website_image leads to u…
- CVE-2025-57428MEDIUMCVSS 6.5EG 6.52025-09-29
Default credentials in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to gain access to the debug shell exposed via Telnet on Port 23 and execute hardware-level flash and register manipulation com…
- CVE-2025-57438MEDIUMCVSS 6.8EG 6.82025-09-22
The 2wcom IP-4c 2.15.5 device suffers from a Broken Access Control vulnerability. Certain sensitive endpoints are intended to be accessible only after the admin explicitly grants access to a manager-level account. However, a manager-level …
- CVE-2025-57489HIGHCVSS 8.1EG 8.12025-12-01
Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary.
- CVE-2025-57567CRITICALCVSS 9.1EG 9.12025-10-17
A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overw…
- CVE-2025-57758MEDIUMCVSS 4.3EG 4.32025-08-28
Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, the table access voter in the back end doesn't check if a user is allowed to access the corresponding module. This issue has been patched in versi…
- CVE-2025-58055MEDIUMCVSS 4.3EG 4.32025-10-01
Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about to…
- CVE-2025-58149HIGHCVSS 7.5EG 7.52025-10-31
When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assi…
- CVE-2025-58337MEDIUMCVSS 5.4EG 5.42025-11-05
An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions. Impact: Bypasses read-only mode;…
- CVE-2025-5840HIGHCVSS 7.3EG 7.32025-06-07
A vulnerability, which was classified as critical, was found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_update_customer_order.php. The manipulation of the argument uploaded_file …
- CVE-2025-58459MEDIUMCVSS 4.3EG 4.32025-09-03
Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs.
- CVE-2025-58714HIGHCVSS 7.8EG 7.82025-10-14
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
- CVE-2025-58724HIGHCVSS 7.8EG 7.82025-10-14
Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.
- CVE-2025-58726HIGHCVSS 7.5EG 7.52025-10-14
Improper access control in Windows SMB Server allows an authorized attacker to elevate privileges over a network.
- CVE-2025-5873MEDIUMCVSS 6.3EG 6.32025-06-09
A vulnerability was detected in eCharge Hardy Barth Salia PLCC up to 2.3.81. Affected by this issue is some unknown functionality of the file /firmware.php of the component Web UI. Performing a manipulation of the argument media results in…
- CVE-2025-58751MEDIUMCVSS 5.3EG 5.32025-09-08
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly e…
- CVE-2025-58752MEDIUMCVSS 5.3EG 5.32025-09-08
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server …
- CVE-2025-59199HIGHCVSS 7.8EG 7.82025-10-14
Improper access control in Software Protection Platform (SPP) allows an authorized attacker to elevate privileges locally.
- CVE-2025-59201HIGHCVSS 7.8EG 7.82025-10-14
Improper access control in Network Connection Status Indicator (NCSI) allows an authorized attacker to elevate privileges locally.
- CVE-2025-59218CRITICALCVSS 9.6EG 9.62025-10-09
Azure Entra ID Elevation of Privilege Vulnerability
- CVE-2025-59230HIGHCVSS 7.8EG 9.0⚠ KEV2025-10-14
Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.
- CVE-2025-59253MEDIUMCVSS 5.5EG 5.52025-10-14
Improper access control in Microsoft Windows Search Component allows an authorized attacker to deny service locally.
- CVE-2025-59273HIGHCVSS 7.3EG 7.32025-10-23
Improper access control in Azure Event Grid allows an unauthorized attacker to elevate privileges over a network.
- CVE-2025-59308MEDIUMCVSS 4.7EG 4.72026-04-24
In Mahara before 24.04.10 and 25 before 25.04.1, an institution administrator or institution support administrator on a multi-tenanted site can masquerade as an institution member in an institution for which they are not an administrator, …
- CVE-2025-59333HIGHCVSS 8.1EG 8.12025-09-16
The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a "read-only" mode. This vulnerability affects…
- CVE-2025-59422LOWCVSS 3.1EG 3.12025-09-25
Dify is an open-source LLM app development platform. In version 1.8.1, a broken access control vulnerability on the /console/api/apps/<APP_ID>chat-messages?conversation_id=<CONVERSATION_ID>&limit=10 endpoint allows users in the same worksp…
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →