CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 72 of 94
- CVE-2025-61881MEDIUMCVSS 5.9EG 5.92025-10-21
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.28, 21.3-21.19 and 23.4-23.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via O…
- CVE-2025-61882CRITICALCVSS 9.8EG 9.8⚠ KEV2025-10-05
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated a…
- CVE-2025-61973HIGHCVSS 8.8EG 8.82026-01-15
A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of…
- CVE-2025-62159HIGHCVSS 8.7EG 8.72025-10-10
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator vers…
- CVE-2025-62290HIGHCVSS 7.2EG 7.22025-10-21
Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Block Storage). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with network acce…
- CVE-2025-62393MEDIUMCVSS 4.3EG 4.32025-10-23
A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limit…
- CVE-2025-62395MEDIUMCVSS 4.3EG 4.32025-10-23
A flaw in the cohort search web service allowed users with permissions in lower contexts to access cohort information from the system context, revealing restricted administrative data.
- CVE-2025-62474HIGHCVSS 7.8EG 7.82025-12-09
Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.
- CVE-2025-62509HIGHCVSS 8.1EG 8.12025-10-20
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRise’s file/folder handling allows low-privilege users to perform unauthorized o…
- CVE-2025-62510HIGHCVSS 8.1EG 8.12025-10-20
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In version 1.4.0, a regression allowed folder visibility/ownership to be inferred from folder names. Low-privilege users could see or i…
- CVE-2025-62570MEDIUMCVSS 5.5EG 7.12025-12-09
Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally.
- CVE-2025-6266CRITICALCVSS 9.8EG 6.32025-06-19
A vulnerability was detected in Teledyne FLIR AX8 up to 1.46. Affected by this vulnerability is an unknown functionality of the file /upload.php. Performing manipulation of the argument File results in unrestricted upload. It is possible t…
- CVE-2025-62713HIGHCVSS 7.2EG 7.22025-10-23
Kottster is a self hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only, prod…
- CVE-2025-62720MEDIUMCVSS 6.5EG 6.52025-11-04
LinkAce is a self-hosted archive to collect website links. Versions 2.3.1 and below allow any authenticated user to export the entire database of links from all users in the system, including private links that should only be accessible to…
- CVE-2025-62721MEDIUMCVSS 6.5EG 6.52025-11-04
LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, authenticated RSS feed endpoints in the FeedController class fail to implement proper authorization checks, allowing any authenticated user to access a…
- CVE-2025-63214MEDIUMCVSS 6.5EG 6.52025-11-19
An issue was discovered in bridgetech VBC Server & Element Manager, firmware version 6.5.0-10 , 6.5.0-9, allowing unauthorized attackers to delete and create arbitrary accounts.
- CVE-2025-63218CRITICALCVSS 9.8EG 9.82025-11-19
The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user …
- CVE-2025-63219HIGHCVSS 7.5EG 7.52025-11-19
The ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing …
- CVE-2025-63221CRITICALCVSS 9.1EG 9.12025-11-19
The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, creat…
- CVE-2025-63223CRITICALCVSS 9.8EG 9.82025-11-19
The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user ac…
- CVE-2025-63225CRITICALCVSS 9.8EG 9.82025-11-18
The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and networ…
- CVE-2025-63353CRITICALCVSS 9.8EG 9.82025-11-12
A vulnerability in FiberHome GPON ONU HG6145F1 RP4423 allows the device's factory default Wi-Fi password (WPA/WPA2 pre-shared key) to be predicted from the SSID. The device generates default passwords using a deterministic algorithm that d…
- CVE-2025-63363HIGHCVSS 7.5EG 7.52025-12-04
A lack of Management Frame Protection in Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to execute de-authentication attacks, allowing craf…
- CVE-2025-63387HIGHCVSS 7.5EG 7.52025-12-18
Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to…
- CVE-2025-63389CRITICALCVSS 9.8EG 9.82025-12-18
A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to…
- CVE-2025-63409HIGHCVSS 8.8EG 8.82026-02-24
Privilege escalation and improper access control in GCOM EPON 1GE C00R371V00B01 allows remote authenticated users to modify administrator only settings and extract administrator credentials.
- CVE-2025-63422HIGHCVSS 7.5EG 7.52025-10-30
Incorrect access control in the Web management interface in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to arbitrarily change the administrator username and password via sending a crafted GET r…
- CVE-2025-63423HIGHCVSS 7.5EG 7.52025-10-30
Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 was discovered to store the Administrator password.
- CVE-2025-63525HIGHCVSS 8.8EG 9.62025-12-01
An issue was discovered in Blood Bank Management System 1.0 allowing authenticated attackers to perform actions with escalated privileges via crafted request to delete.php.
- CVE-2025-63562MEDIUMCVSS 6.3EG 6.32025-10-31
Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 suffers from insufficient server-side authorization. Authenticated attackers can call several endpoints and perform create/update/delete actions on resources owned by a…
- CVE-2025-63579HIGHCVSS 7.5EG 7.52026-07-09
Unauthorized use of Kyocera printers, allows all information stored in the Kyocera address book to be exported. The security measure that encrypts incoming data ian be bypassed with this vulnerability, allowing encrypted data to be decrypt…
- CVE-2025-63663HIGHCVSS 7.5EG 7.52025-12-22
Incorrect access control in the /api/v1/conversations/*/files API of GT Edge AI Platform before v2.0.10 allows unauthorized attackers to access other users' uploaded files.
- CVE-2025-63664HIGHCVSS 7.5EG 7.52025-12-22
Incorrect access control in the /api/v1/conversations/*/messages API of GT Edge AI Platform before v2.0.10-dev allows unauthorized attackers to access other users' message history with AI agents.
- CVE-2025-63666CRITICALCVSS 9.8EG 9.82025-11-12
Tenda AC15 v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in…
- CVE-2025-63667HIGHCVSS 7.5EG 7.52025-11-12
Incorrect access control in SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, ASECAM v1.14.10-20240725 allows attackers to access sensitive API endpoints without authentication.
- CVE-2025-63681MEDIUMCVSS 4.3EG 4.32025-12-04
open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.
- CVE-2025-63686MEDIUMCVSS 6.5EG 6.52025-11-07
There is an arbitrary file download vulnerability in GuoMinJim PersonManage thru commit 5a02b1ab208feacf3a34fc123c9381162afbaa95 (2020-11-23) in the document query function under the Download Center menu in the PersonManage system.
- CVE-2025-63739MEDIUMCVSS 4.3EG 4.32025-12-09
An issue was discovered in function phpinisaveAction in file webmain/system/cogini/coginiAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to authenticated users to modify PHP configuration files via the a parameter to the index…
- CVE-2025-63958CRITICALCVSS 9.8EG 9.82025-11-24
MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license serv…
- CVE-2025-64012MEDIUMCVSS 4.3EG 5.32025-12-16
InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data.
- CVE-2025-64064HIGHCVSS 8.8EG 8.82025-11-25
Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls any low level user can use this API and …
- CVE-2025-64066HIGHCVSS 8.6EG 8.62025-11-25
Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to regi…
- CVE-2025-64110HIGHCVSS 7.5EG 7.52025-11-05
Cursor is a code editor built for programming with AI. In versions 1.7.23 and below, a logic bug allows a malicious agent to read sensitive files that should be protected via cursorignore. An attacker who has already achieved prompt inject…
- CVE-2025-6422HIGHCVSS 8.8EG 6.32025-06-21
A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=save_settings of the component About Cont…
- CVE-2025-64347HIGHCVSS 7.5EG 7.52025-11-07
Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with…
- CVE-2025-64400MEDIUMCVSS 4.1EG 4.12025-12-18
Control Panel provides an API for pre-registering into an enrollment and organization prior to a user's first login. The API for creating users checks that the account requesting a user creation has `edit` on the enrollment-level user dir…
- CVE-2025-6443HIGHCVSS 7.2EG 7.22025-06-25
Mikrotik RouterOS VXLAN Source IP Improper Access Control Vulnerability. This vulnerability allows remote attackers to bypass access restrictions on affected installations of Mikrotik RouterOS. Authentication is not required to exploit thi…
- CVE-2025-64483MEDIUMCVSS 5.3EG 5.32025-11-21
Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API – Agent Configuration in certain configurations allows authenticated users with read-only API roles to retr…
- CVE-2025-64516HIGHCVSS 7.5EG 7.52026-01-15
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be p…
- CVE-2025-6466CRITICALCVSS 9.8EG 6.32025-06-22
A vulnerability was found in ageerle ruoyi-ai 2.0.0 and classified as critical. Affected by this issue is the function speechToTextTranscriptionsV2/upload of the file ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/service/impl/S…
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →