CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 71 of 94
- CVE-2025-59434CRITICALCVSS 9.6EG 9.62025-09-22
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive enviro…
- CVE-2025-59494HIGHCVSS 7.8EG 7.82025-10-14
Improper access control in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
- CVE-2025-59500HIGHCVSS 7.7EG 7.72025-10-23
Improper access control in Azure Notification Service allows an authorized attacker to elevate privileges over a network.
- CVE-2025-59512HIGHCVSS 7.8EG 7.82025-11-11
Improper access control in Customer Experience Improvement Program (CEIP) allows an authorized attacker to elevate privileges locally.
- CVE-2025-59517HIGHCVSS 7.8EG 7.82025-12-09
Improper access control in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally.
- CVE-2025-5962HIGHCVSS 7.7EG 7.72025-09-22
A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls t…
- CVE-2025-59697HIGHCVSS 7.2EG 7.22025-12-02
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by editing the Legacy GRUB bootloader configuration to start a root shell upon boot of the host…
- CVE-2025-59702HIGHCVSS 7.2EG 7.22025-12-02
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components.
- CVE-2025-59703CRITICALCVSS 9.1EG 9.12025-12-02
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to access the internal components of the appliance, without leaving tamper evidence. To exploit this, the attacker nee…
- CVE-2025-59810MEDIUMCVSS 6.5EG 6.52025-12-09
An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiS…
- CVE-2025-59923LOWCVSS 2.7EG 2.72025-12-09
An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker …
- CVE-2025-59932HIGHCVSS 8.6EG 8.62025-09-27
Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the /api/resources endpoint previously allowed POST and DELETE requests without proper authentication or authorization. This could have enabled unauthori…
- CVE-2025-59943HIGHCVSS 8.1EG 8.12025-10-03
phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Beca…
- CVE-2025-59951CRITICALCVSS 9.1EG 9.12025-10-01
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the b…
- CVE-2025-60291CRITICALCVSS 9.1EG 9.12025-10-27
An issue was discovered in eTimeTrackLite Web thru 12.0 (20250704). There is a permission control flaw that allows unauthorized attackers to access specific routes and modify database connection configurations.
- CVE-2025-60305HIGHCVSS 8.8EG 8.82025-10-10
SourceCodester Online Student Clearance System 1.0 is vulnerable to Incorrect Access Control. The application contains a logic flaw which allows low privilege users can forge high privileged sessions and perform sensitive operations.
- CVE-2025-60306CRITICALCVSS 9.9EG 9.92025-10-10
code-projects Simple Car Rental System 1.0 has a permission bypass issue where low privilege users can forge high privilege sessions and perform sensitive operations.
- CVE-2025-60354HIGHCVSS 7.5EG 7.52025-10-28
Unauthorized modification of arbitrary articles vulnerability exists in blog-vue-springboot.
- CVE-2025-60427MEDIUMCVSS 6.5EG 6.52025-10-21
LibreTime 3.0.0-alpha.10 and possibly earlier is vulnerable to Broken Access Control, where a user with the DJ role can access analytics data via the Web UI and direct API calls. The backend does not verify role-based permissions for analy…
- CVE-2025-60705HIGHCVSS 7.8EG 7.82025-11-11
Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally.
- CVE-2025-60784MEDIUMCVSS 6.5EG 6.52025-11-05
A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP POST request with zhekou…
- CVE-2025-60799MEDIUMCVSS 6.1EG 6.12025-11-20
phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server',…
- CVE-2025-60800HIGHCVSS 7.5EG 7.52025-10-28
Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request.
- CVE-2025-60865HIGHCVSS 7.8EG 7.82026-02-03
Insecure Permissions vulnerability in avanquest Driver Updater v.9.1.57803.1174 allows a local attacker to escalate privileges via the Driver Updater Service windows component.
- CVE-2025-60876MEDIUMCVSS 6.5EG 6.52025-11-10
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 req…
- CVE-2025-60982MEDIUMCVSS 5.4EG 5.42025-10-27
IDOR vulnerability in Educare ERP 1.0 (2025-04-22) allows unauthorized access to sensitive data via manipulated object references. Affected endpoints do not enforce proper authorization checks, allowing authenticated users to access or mod…
- CVE-2025-61113HIGHCVSS 7.5EG 7.52025-10-30
TalkTalk 3.3.6 Android App contains improper access control vulnerabilities in multiple API endpoints. By modifying request parameters, attackers may obtain sensitive user information (such as device identifiers and birthdays) and access p…
- CVE-2025-61114HIGHCVSS 7.5EG 7.52025-10-30
2nd Line Android App version v1.2.92 and before (package name com.mysecondline.app), developed by AutoBizLine, Inc., contains an improper access control vulnerability in its authentication mechanism. The server only validates the first cha…
- CVE-2025-61115HIGHCVSS 7.5EG 7.52025-10-30
ABC Fine Wine & Spirits Android App version v.11.27.5 and before (package name com.cta.abcfinewineandspirits), developed by ABC Liquors, Inc., contains an improper access control vulnerability in its login mechanism. The application does n…
- CVE-2025-61116HIGHCVSS 7.5EG 7.52025-10-30
AdForest - Classified Android App version 4.0.12 (package name scriptsbundle.adforest), developed by Muhammad Jawad Arshad, contains an improper access control vulnerability in its authentication mechanism. The app uses a Base64-encoded em…
- CVE-2025-61117HIGHCVSS 7.5EG 7.52025-10-30
Senza: Keto & Fasting Android App version 2.10.15 (package name com.gl.senza), developed by Paul Itoi, contains an improper access control vulnerability. By exploiting insufficient checks in user data API endpoints, attackers can obtain au…
- CVE-2025-61118HIGHCVSS 7.5EG 7.52025-10-30
mCarFix Motorists App version 2.3 (package name com.skytop.mcarfix), developed by Paniel Mwaura, contains improper access control vulnerabilities. Attackers may bypass verification to arbitrarily register accounts, and by tampering with se…
- CVE-2025-61119HIGHCVSS 7.5EG 7.52025-10-30
Kanova Android App version 1.0.27 (package name com.karelane), developed by Karely L.L.C., contains improper access control vulnerabilities. Attackers may gain unauthorized access to user details and obtain group information, including ent…
- CVE-2025-61120HIGHCVSS 7.5EG 7.52025-10-30
AG Life Logger Android App version v1.0.2.72 and before (package name com.donki.healthy), developed by IO FIT, K.K., contains improper access control vulnerabilities. Exposed credentials in traffic may allow attackers to misuse cloud resou…
- CVE-2025-61156HIGHCVSS 7.8EG 7.82025-10-29
Incorrect access control in the kernel driver of ThreatFire System Monitor v4.7.0.53 allows attackers to escalate privileges and execute arbitrary commands via an insecure IOCTL.
- CVE-2025-61229HIGHCVSS 7.8EG 7.82025-12-01
An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allow a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls.
- CVE-2025-61234HIGHCVSS 7.5EG 7.52025-10-29
Incorrect access control on Dataphone A920 v2025.07.161103 exposes a service on port 8888 by default on the local network without authentication. This allows an attacker to interact with the device via a TCP socket without credentials. Add…
- CVE-2025-61541HIGHCVSS 7.1EG 7.12025-10-16
Webmin 2.510 is vulnerable to a Host Header Injection in the password reset functionality (forgot_send.cgi). The reset link sent to users is constructed using the HTTP Host header via get_webmin_email_url(). An attacker can manipulate the …
- CVE-2025-61543HIGHCVSS 7.1EG 7.12025-10-16
A Host Header Injection vulnerability exists in the password reset functionality of CraftMyCMS 4.0.2.2. The system uses `$_SERVER['HTTP_HOST']` directly to construct password reset links sent via email. An attacker can manipulate the Host …
- CVE-2025-6161CRITICALCVSS 9.8EG 7.32025-06-17
A vulnerability, which was classified as critical, was found in SourceCodester Simple Food Ordering System 1.0. Affected is an unknown function of the file /editproduct.php. The manipulation of the argument photo leads to unrestricted uplo…
- CVE-2025-61748LOWCVSS 3.7EG 3.72025-10-21
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 21.0.8 and 25; Oracle GraalVM for J…
- CVE-2025-61749LOWCVSS 2.7EG 2.72025-10-21
Vulnerability in the Unified Audit component of Oracle Database Server. Supported versions that are affected are 23.4-23.9. Easily exploitable vulnerability allows high privileged attacker having DBA privilege with network access via Orac…
- CVE-2025-61758MEDIUMCVSS 6.5EG 6.52025-10-21
Vulnerability in the PeopleSoft Enterprise FIN IT Asset Management product of Oracle PeopleSoft (component: IT Asset Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attac…
- CVE-2025-61760HIGHCVSS 7.5EG 7.52025-10-21
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Difficult to exploit vulnerability allows low privileged attacker with logon to the …
- CVE-2025-61761MEDIUMCVSS 5.4EG 5.42025-10-21
Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged …
- CVE-2025-61762MEDIUMCVSS 6.3EG 6.32025-10-21
Vulnerability in the PeopleSoft Enterprise FIN Payables product of Oracle PeopleSoft (component: Payables). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network acces…
- CVE-2025-61763HIGHCVSS 8.1EG 8.12025-10-21
Vulnerability in Oracle Essbase (component: Essbase Web Platform). The supported version that is affected is 21.7.3.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Es…
- CVE-2025-61777CRITICALCVSS 9.1EG 9.42025-10-06
Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authen…
- CVE-2025-61811CRITICALCVSS 9.1EG 8.42025-12-10
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could leverage t…
- CVE-2025-61879HIGHCVSS 7.7EG 7.72026-02-12
In Infoblox NIOS through 9.0.7, a High-Privileged User Can Trigger an Arbitrary File Write via the Account Creation Mechanism.
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →