CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 74 of 94
- CVE-2025-67796HIGHCVSS 8.1EG 8.12026-05-04
IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/te…
- CVE-2025-6786MEDIUMCVSS 5.3EG 5.32025-07-04
The DocCheck Login plugin for WordPress is vulnerable to unauthorized post access in all versions up to, and including, 1.1.5. This is due to plugin redirecting a user to login on a password protected post after the page has loaded. This m…
- CVE-2025-6837CRITICALCVSS 9.8EG 6.32025-06-29
A vulnerability classified as critical was found in code-projects Library System 1.0. Affected by this vulnerability is an unknown functionality of the file /profile.php. The manipulation of the argument image leads to unrestricted upload.…
- CVE-2025-6843CRITICALCVSS 9.8EG 7.32025-06-29
A vulnerability was found in code-projects Simple Photo Gallery 1.0. It has been classified as critical. Affected is an unknown function of the file /upload-photo.php. The manipulation of the argument file_img leads to unrestricted upload.…
- CVE-2025-6848HIGHCVSS 8.8EG 6.32025-06-29
A vulnerability, which was classified as critical, has been found in code-projects Simple Forum 1.0. This issue affects some unknown processing of the file /forum1.php. The manipulation of the argument File leads to unrestricted upload. Th…
- CVE-2025-6870MEDIUMCVSS 4.7EG 4.72025-06-29
A vulnerability was found in SourceCodester Simple Company Website 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Content.php?f=service. The manipulation of the argument img le…
- CVE-2025-68716HIGHCVSS 8.4EG 8.42026-01-08
KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 enable the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI o…
- CVE-2025-6872HIGHCVSS 7.2EG 4.72025-06-29
A vulnerability classified as critical was found in SourceCodester Simple Company Website 1.0. This vulnerability affects unknown code of the file /classes/SystemSettings.php?f=update_settings. The manipulation of the argument img leads to…
- CVE-2025-68721HIGHCVSS 8.1EG 9.12026-02-05
Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certifi…
- CVE-2025-6873HIGHCVSS 7.2EG 4.72025-06-29
A vulnerability, which was classified as critical, has been found in SourceCodester Simple Company Website 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to…
- CVE-2025-68949MEDIUMCVSS 5.3EG 5.32026-01-13
n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accep…
- CVE-2025-6900CRITICALCVSS 9.8EG 6.32025-06-30
A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file /add-book.php. The manipulation of the argument image leads to unrestricted upload. The atta…
- CVE-2025-69220HIGHCVSS 7.1EG 7.12026-01-07
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change th…
- CVE-2025-69221MEDIUMCVSS 4.3EG 4.32026-01-07
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no p…
- CVE-2025-69257MEDIUMCVSS 6.7EG 6.72025-12-30
theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations (e.g., `~/.con…
- CVE-2025-69284MEDIUMCVSS 4.3EG 4.32026-01-02
Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, a problem occurs when the `/api/workspaces/:slug/m…
- CVE-2025-69634CRITICALCVSS 9.0EG 9.02026-02-12
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur…
- CVE-2025-69691CRITICALCVSS 9.9EG 9.92026-05-08
Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.
- CVE-2025-69727MEDIUMCVSS 5.3EG 5.32026-03-16
An Incorrect Access Control vulnerability exists in INDEX-EDUCATION PRONOTE prior to 2025.2.8. The affected components (index.js and composeUrlImgPhotoIndividu) allow the construction of direct URLs to user profile images based solely on p…
- CVE-2025-69822HIGHCVSS 7.4EG 7.42026-01-22
An issue in Atomberg Atomberg Erica Smart Fan Firmware Version: V1.0.36 allows an attacker to obtain sensitive information and escalate privileges via a crafted deauth frame
- CVE-2025-69907HIGHCVSS 7.5EG 7.52026-01-23
An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid cre…
- CVE-2025-69908HIGHCVSS 7.5EG 7.52026-01-23
An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource.
- CVE-2025-69988MEDIUMCVSS 6.5EG 6.52026-03-27
BS Producten Petcam 33.1.0.0818 is vulnerable to Incorrect Access Control. An unauthenticated attacker in physical proximity can associate with this open network. Once connected, the attacker gains access to the camera's private network in…
- CVE-2025-7016CRITICALCVSS 9.8EG 8.02026-01-29
Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12.
- CVE-2025-70363HIGHCVSS 7.5EG 7.52026-03-06
Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs.
- CVE-2025-7051HIGHCVSS 8.3EG 8.32025-08-21
On N-central, it is possible for any authenticated user to read, write and modify syslog configuration across customers on an N-central server. This vulnerability is present in all deployments of N-central prior to 2025.2.
- CVE-2025-70614HIGHCVSS 8.1EG 8.12026-03-05
OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain to access to arbitrary SMS messages via a …
- CVE-2025-7075HIGHCVSS 8.8EG 6.32025-07-06
A vulnerability was found in BlackVue Dashcam 590X up to 20250624. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /upload.cgi of the component HTTP Endpoint. The manipulation leads …
- CVE-2025-7076HIGHCVSS 8.8EG 5.42025-07-06
A vulnerability was found in BlackVue Dashcam 590X up to 20250624. It has been rated as critical. Affected by this issue is some unknown functionality of the file /upload.cgi of the component Configuration Handler. The manipulation leads t…
- CVE-2025-70866HIGHCVSS 8.8EG 8.82026-02-13
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin…
- CVE-2025-70963HIGHCVSS 7.6EG 7.62026-02-06
Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials…
- CVE-2025-70982CRITICALCVSS 9.9EG 9.92026-01-26
Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data.
- CVE-2025-70983CRITICALCVSS 9.9EG 9.92026-01-23
Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges.
- CVE-2025-70985CRITICALCVSS 9.1EG 9.12026-01-23
Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.
- CVE-2025-70986HIGHCVSS 7.5EG 7.52026-01-23
Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data.
- CVE-2025-70997MEDIUMCVSS 6.5EG 6.52026-02-04
A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level.
- CVE-2025-7100CRITICALCVSS 9.8EG 6.32025-07-07
A vulnerability was found in BoyunCMS up to 1.4.20 and classified as critical. Affected by this issue is some unknown functionality of the file /application/user/controller/Index.php. The manipulation of the argument image leads to unrestr…
- CVE-2025-7106MEDIUMCVSS 5.3EG 5.32025-09-23
danny-avila/librechat is affected by an authorization bypass vulnerability due to improper access control checks. The `checkAccess` function in `api/server/middleware/roles/access.js` uses `permissions.some()` to validate permissions, whic…
- CVE-2025-7124HIGHCVSS 8.8EG 6.32025-07-07
A vulnerability classified as critical has been found in code-projects Online Note Sharing 1.0. Affected is an unknown function of the file /dashboard/userprofile.php of the component Profile Image Handler. The manipulation of the argument…
- CVE-2025-71380HIGHCVSS 8.8EG 8.82026-07-04
The Execute Command node in n8n allows authenticated users to execute arbitrary commands on the host system where n8n runs. Attackers with user access or compromised credentials can exploit this node to run malicious commands, potentially …
- CVE-2025-7151HIGHCVSS 8.8EG 6.32025-07-07
A vulnerability was found in Campcodes Advanced Online Voting System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/voters_add.php. The manipulation of the argument photo leads to unrestri…
- CVE-2025-7152HIGHCVSS 8.8EG 6.32025-07-08
A vulnerability classified as critical has been found in Campcodes Advanced Online Voting System 1.0. Affected is an unknown function of the file /admin/candidates_add.php. The manipulation of the argument photo leads to unrestricted uploa…
- CVE-2025-7175HIGHCVSS 7.2EG 6.32025-07-08
A vulnerability was found in code-projects E-Commerce Site 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/users_photo.php. The manipulation of the argument photo leads to unrestricted upload. It…
- CVE-2025-7181CRITICALCVSS 9.8EG 6.32025-07-08
A vulnerability, which was classified as critical, was found in code-projects Staff Audit System 1.0. Affected is an unknown function of the file /test.php. The manipulation of the argument uploadedfile leads to unrestricted upload. It is …
- CVE-2025-7190HIGHCVSS 8.8EG 6.32025-07-08
A vulnerability, which was classified as critical, was found in code-projects Library Management System 2.0. This affects an unknown part of the file /admin/student_edit_photo.php. The manipulation of the argument photo leads to unrestrict…
- CVE-2025-7210HIGHCVSS 8.8EG 6.32025-07-09
A vulnerability was found in code-projects/Fabian Ros Library Management System 2.0 and classified as critical. Affected by this issue is some unknown functionality of the file admin/profile_update.php. The manipulation of the argument pho…
- CVE-2025-7412HIGHCVSS 8.8EG 6.32025-07-10
A vulnerability was found in code-projects Library System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /user/student/profile.php. The manipulation of the argument image leads to unres…
- CVE-2025-7413HIGHCVSS 8.8EG 6.32025-07-10
A vulnerability classified as critical has been found in code-projects Library System 1.0. This affects an unknown part of the file /user/teacher/profile.php. The manipulation of the argument image leads to unrestricted upload. It is possi…
- CVE-2025-7470CRITICALCVSS 9.8EG 7.32025-07-12
A vulnerability was found in Campcodes Sales and Inventory System 1.0. It has been classified as critical. Affected is an unknown function of the file /pages/product_add.php. The manipulation of the argument image leads to unrestricted upl…
- CVE-2025-7477HIGHCVSS 7.2EG 4.72025-07-12
A vulnerability, which was classified as critical, has been found in code-projects Simple Car Rental System 1.0. This issue affects some unknown processing of the file /admin/add_cars.php. The manipulation of the argument image leads to un…
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →