CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 73 of 94
- CVE-2025-64660HIGHCVSS 8.0EG 5.72025-11-20
Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network.
- CVE-2025-64669HIGHCVSS 7.8EG 7.82025-12-11
Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.
- CVE-2025-64673HIGHCVSS 7.8EG 7.82025-12-09
Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally.
- CVE-2025-64706HIGHCVSS 7.5EG 5.02025-11-13
Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API token management endpoint. An authenticated attacker can delete any …
- CVE-2025-64715MEDIUMCVSS 5.5EG 4.02025-11-29
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.16.17, 1.17.10, and 1.18.4, CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group…
- CVE-2025-64746MEDIUMCVSS 5.4EG 4.62025-11-13
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its …
- CVE-2025-64897MEDIUMCVSS 5.6EG 5.62025-12-10
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized write …
- CVE-2025-65096MEDIUMCVSS 4.3EG 4.32025-12-03
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users…
- CVE-2025-65097MEDIUMCVSS 6.5EG 6.52025-12-03
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by direct…
- CVE-2025-65098HIGHCVSS 7.4EG 7.42026-01-22
Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript …
- CVE-2025-65176HIGHCVSS 7.5EG 7.52025-12-15
An issue was discovered in Dynatrace OneAgent before 1.325.47. When attempting to access a remote network share from a machine where OneAgent is installed and receiving a "STATUS_LOGON_FAILURE" error, the agent will retrieve every user tok…
- CVE-2025-65238MEDIUMCVSS 6.5EG 6.52025-11-26
Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.
- CVE-2025-65239MEDIUMCVSS 4.3EG 4.32025-11-26
Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs.
- CVE-2025-6527LOWCVSS 3.1EG 3.12025-06-23
A vulnerability, which was classified as problematic, was found in 70mai M300 up to 20250611. Affected is an unknown function of the component Web Server. The manipulation leads to improper access controls. The attack can only be initiated…
- CVE-2025-65276CRITICALCVSS 9.8EG 9.82025-11-26
An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 thru commit 5919decaff2681dc250e934814fc3a35f6093ee5 (2021-07-02). Due to missing authentication ch…
- CVE-2025-6531MEDIUMCVSS 4.3EG 4.32025-06-24
A vulnerability was found in SIFUSM/MZZYG BD S1 up to 20250611. It has been declared as problematic. This vulnerability affects unknown code of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access contro…
- CVE-2025-6532MEDIUMCVSS 4.3EG 4.32025-06-24
A vulnerability classified as problematic was found in NOYAFA/Xiami LF9 Pro up to 20250611. Affected by this vulnerability is an unknown functionality of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper acc…
- CVE-2025-65594HIGHCVSS 8.1EG 8.12025-12-09
OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users.
- CVE-2025-65779HIGHCVSS 7.5EG 7.52025-12-15
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary …
- CVE-2025-65780HIGHCVSS 8.8EG 8.82025-12-15
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to mis…
- CVE-2025-65795HIGHCVSS 7.5EG 7.52025-12-08
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.
- CVE-2025-65796MEDIUMCVSS 4.3EG 4.32025-12-08
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos.
- CVE-2025-65797MEDIUMCVSS 6.5EG 6.52025-12-08
Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Servi…
- CVE-2025-65798MEDIUMCVSS 5.4EG 5.42025-12-08
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.
- CVE-2025-65841MEDIUMCVSS 6.2EG 6.22025-12-03
Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through predictable byte-subs…
- CVE-2025-6592LOWCVSS 2.1EG 2.12026-02-02
Vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects AbuseFilter: from fe0b1cb9e9691faf4d8d9bd80646589f6ec37615 before 1.43.2, 1.44.0.
- CVE-2025-65963MEDIUMCVSS 5.4EG 5.42025-11-26
Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public s…
- CVE-2025-66027MEDIUMCVSS 6.5EG 6.52025-11-29
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants…
- CVE-2025-66028HIGHCVSS 8.2EG 8.22025-11-26
OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a param…
- CVE-2025-66223HIGHCVSS 8.4EG 8.42025-11-29
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitati…
- CVE-2025-66391HIGHCVSS 8.8EG 8.82026-06-17
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-controlled email address when the attacker att…
- CVE-2025-66397HIGHCVSS 8.3EG 8.32025-12-17
ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffers from broken access control, allowing any authen…
- CVE-2025-66430CRITICALCVSS 9.1EG 9.12025-12-12
Plesk 18.0 has Incorrect Access Control.
- CVE-2025-66509CRITICALCVSS 9.8EG 9.82025-12-04
LaraDashboard is an all-In-one solution to start a Laravel Application. In 2.3.0 and earlier, the password reset flow trusts the Host header, allowing attackers to redirect the administrator’s reset token to an attacker-controlled server…
- CVE-2025-66557MEDIUMCVSS 4.3EG 5.42025-12-05
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission…
- CVE-2025-6667HIGHCVSS 8.8EG 6.32025-06-25
A vulnerability was found in code-projects Car Rental System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/add_cars.php. The manipulation of the argument image leads to unrestricted…
- CVE-2025-66735HIGHCVSS 7.5EG 7.52025-12-22
youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The getRoleForm function in SysRoleController.java does not perform permission checks, which may allow non-root users to directly access root roles.
- CVE-2025-66736HIGHCVSS 7.1EG 7.12025-12-22
youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The importUsers function in SysUserController.java does not perform a permission check on the current user's identity, which may allow regular users to import user data into th…
- CVE-2025-6680MEDIUMCVSS 4.3EG 4.32025-10-25
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level a…
- CVE-2025-66911MEDIUMCVSS 6.5EG 6.52025-12-19
Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authentic…
- CVE-2025-66956CRITICALCVSS 9.9EG 9.92026-03-11
Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL.
- CVE-2025-67014HIGHCVSS 7.5EG 7.52025-12-26
Incorrect access control in DEV Systemtechnik GmbH DEV 7113 RF over Fiber Distribution System 32-0078 H.01 allows unauthenticated attackers to access an administrative endpoint.
- CVE-2025-67015HIGHCVSS 7.5EG 7.52025-12-26
Incorrect access control in Comtech EF Data CDM-625 / CDM-625A Advanced Satellite Modem with firmware v2.5.1 allows attackers to change the Administrator password and escalate privileges via sending a crafted POST request to /Forms/admin_a…
- CVE-2025-67259MEDIUMCVSS 6.5EG 6.52026-04-24
A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST reque…
- CVE-2025-6741HIGHCVSS 7.7EG 7.72025-07-22
Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature This issue affects the following versions : * Devolu…
- CVE-2025-67437MEDIUMCVSS 6.5EG 6.52026-05-15
Medical Management System a81df1ce700a9662cb136b27af47f4cbde64156b is vulnerable to Insecure Permissions, which allows arbitrary user password reset.
- CVE-2025-67510CRITICALCVSS 9.4EG 9.42025-12-10
Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is cons…
- CVE-2025-67645HIGHCVSS 8.8EG 8.82026-01-28
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request…
- CVE-2025-67715MEDIUMCVSS 4.3EG 4.32025-12-16
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue.
- CVE-2025-67789MEDIUMCVSS 5.3EG 5.32025-12-17
An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Authenticated users can retrieve the computer count of other DriveLock tenants via the DriveLock API.
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →