CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 76 of 94
- CVE-2025-9381LOWCVSS 1.6EG 1.62025-08-24
A security flaw has been discovered in FNKvision Y215 CCTV Camera 10.194.120.40. This affects an unknown part of the file /tmp/wpa_supplicant.conf. Performing manipulation results in information disclosure. The attack may be carried out on…
- CVE-2025-9397CRITICALCVSS 9.8EG 6.32025-08-24
A weakness has been identified in givanz Vvveb up to 1.0.7.2. Affected is an unknown function of the file /system/traits/media.php. Executing manipulation of the argument files[] can lead to unrestricted upload. The attack can be launched …
- CVE-2025-9398HIGHCVSS 7.5EG 5.32025-08-25
A security vulnerability has been detected in YiFang CMS up to 2.0.5. Affected by this vulnerability is the function exportInstallTable of the file app/utils/base/database/Migrate.php. The manipulation leads to information disclosure. The …
- CVE-2025-9400HIGHCVSS 8.8EG 6.32025-08-25
A flaw has been found in YiFang CMS up to 2.0.5. This affects the function mergeMultipartUpload of the file app/utils/base/plugin/P_file.php. This manipulation of the argument File causes unrestricted upload. Remote exploitation of the att…
- CVE-2025-9406CRITICALCVSS 9.8EG 6.32025-08-25
A weakness has been identified in xuhuisheng lemon up to 1.13.0. This affects the function uploadImage of the file CmsArticleController.java of the component com.mossle.cms.web.CmsArticleController.uploadImage. This manipulation of the arg…
- CVE-2025-9415CRITICALCVSS 9.8EG 6.32025-08-25
A vulnerability was identified in GreenCMS up to 2.3.0603. This affects an unknown part of the file /index.php?m=admin&c=media&a=fileconnect. The manipulation of the argument upload[] leads to unrestricted upload. The attack is possible to…
- CVE-2025-9461HIGHCVSS 7.5EG 4.32025-08-26
A weakness has been identified in diyhi bbs up to 6.8. The impacted element is an unknown function of the file src/main/java/cms/web/action/filePackage/FilePackageManageAction.java of the component File Compression Handler. This manipulati…
- CVE-2025-9475CRITICALCVSS 9.8EG 7.32025-08-26
A flaw has been found in SourceCodester Human Resource Information System 1.0. Affected by this vulnerability is an unknown functionality of the file /Admin_Dashboard/process/editemployee_process.php. This manipulation of the argument empl…
- CVE-2025-9476CRITICALCVSS 9.8EG 7.32025-08-26
A vulnerability has been found in SourceCodester Human Resource Information System 1.0. Affected by this issue is some unknown functionality of the file /Superadmin_Dashboard/process/editemployee_process.php. Such manipulation of the argum…
- CVE-2025-9772CRITICALCVSS 9.8EG 9.82025-09-01
A vulnerability was detected in RemoteClinic up to 2.0. This affects an unknown part of the file /staff/edit.php. Performing manipulation of the argument image results in unrestricted upload. The attack can be initiated remotely. The explo…
- CVE-2025-9774MEDIUMCVSS 4.3EG 4.32025-09-01
A vulnerability has been found in RemoteClinic up to 2.0. This issue affects some unknown processing of the file /patients/edit-patient.php. The manipulation of the argument Email leads to information disclosure. The attack may be initiate…
- CVE-2025-9775CRITICALCVSS 9.8EG 7.32025-09-01
A vulnerability was found in RemoteClinic up to 2.0. Impacted is an unknown function of the file /staff/edit-my-profile.php. The manipulation of the argument image results in unrestricted upload. The attack may be launched remotely. The ex…
- CVE-2025-9795MEDIUMCVSS 5.4EG 6.32025-09-01
A vulnerability has been found in xujeff tianti 天梯 up to 2.3. The impacted element is the function ajaxUploadFile of the file src/main/java/com/jeff/tianti/controller/UploadController.java. The manipulation of the argument upfile leads…
- CVE-2025-9800MEDIUMCVSS 6.1EG 6.12025-09-01
A weakness has been identified in SimStudioAI sim up to ed9b9ad83f1a7c61f4392787fb51837d34eeb0af. Affected by this issue is the function Import of the file apps/sim/app/api/files/upload/route.ts of the component HTML File Parser. Executing…
- CVE-2025-9804MEDIUMCVSS 6.5EG 9.62025-10-16
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unaut…
- CVE-2025-9841HIGHCVSS 8.8EG 6.32025-09-03
A security vulnerability has been detected in code-projects Mobile Shop Management System 1.0. This affects an unknown function of the file AddNewProduct.php. The manipulation of the argument ProductImage leads to unrestricted upload. The …
- CVE-2025-9842HIGHCVSS 7.5EG 5.32025-09-03
A vulnerability was detected in Das Parking Management System 停车场管理系统 6.2.0. This impacts an unknown function of the file /Operator/Search. The manipulation results in information disclosure. The attack may be performed from …
- CVE-2025-9843HIGHCVSS 7.5EG 7.52025-09-03
A flaw has been found in Das Parking Management System 停车场管理系统 6.2.0. Affected is an unknown function of the file /Operator/FindAll. This manipulation causes information disclosure. It is possible to initiate the attack remot…
- CVE-2025-9847CRITICALCVSS 9.8EG 9.82025-09-03
A weakness has been identified in ScriptAndTools Real Estate Management System 1.0. Impacted is an unknown function of the file register.php. This manipulation of the argument uimage causes unrestricted upload. Remote exploitation of the a…
- CVE-2025-9941HIGHCVSS 8.8EG 6.32025-09-04
A flaw has been found in CodeAstro Real Estate Management System 1.0. This impacts an unknown function of the file /register.php. Executing manipulation of the argument uimage can lead to unrestricted upload. The attack can be launched rem…
- CVE-2025-9942HIGHCVSS 8.8EG 6.32025-09-04
A vulnerability has been found in CodeAstro Real Estate Management System 1.0. Affected is an unknown function of the file /submitproperty.php. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploi…
- CVE-2025-9973MEDIUMCVSS 6.4EG 6.42026-05-11
Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to co…
- CVE-2026-0386HIGHCVSS 7.5EG 7.52026-01-13
Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network.
- CVE-2026-0547MEDIUMCVSS 6.3EG 6.32026-01-02
A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argume…
- CVE-2026-0566MEDIUMCVSS 4.7EG 4.72026-01-02
A security vulnerability has been detected in code-projects Content Management System 1.0. Impacted is an unknown function of the file /admin/edit_posts.php. The manipulation of the argument image leads to unrestricted upload. The attack i…
- CVE-2026-0577MEDIUMCVSS 6.3EG 6.32026-01-04
A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing a manipulation can lead to unrestricted uplo…
- CVE-2026-0643HIGHCVSS 7.3EG 7.32026-01-07
A flaw has been found in projectworlds House Rental and Property Listing 1.0. Impacted is an unknown function of the file /app/register.php?action=reg of the component Signup. This manipulation of the argument image causes unrestricted upl…
- CVE-2026-0653MEDIUMCVSS 6.5EG 6.52026-02-10
On TP-Link Tapo C260 v1 and D235 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limit…
- CVE-2026-0798LOWCVSS 3.5EG 3.52026-01-22
Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release no…
- CVE-2026-0844HIGHCVSS 8.8EG 8.82026-01-28
The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated at…
- CVE-2026-0856HIGHCVSS 7.8EG 7.82026-05-20
Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user gaining access to the admin panel. This issue affects Meona Client Launcher Component: through 19.06.20…
- CVE-2026-0881CRITICALCVSS 10.0EG 10.02026-01-13
Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
- CVE-2026-0977MEDIUMCVSS 5.1EG 5.12026-03-16
IBM CICS Transaction Gateway for Multiplatforms 9.3 and 10.1 could allow a user to transfer or view files due to improper access controls.
- CVE-2026-1009CRITICALCVSS 9.0EG 9.02026-01-15
A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored a…
- CVE-2026-10152MEDIUMCVSS 6.3EG 6.32026-05-30
A vulnerability was detected in TaleLin lin-cms-spring-boot up to 0.2.1. This issue affects some unknown processing of the file src/main/java/io/github/talelin/latticy/controller/v1/BookController.java of the component book Endpoint. The m…
- CVE-2026-10172MEDIUMCVSS 6.3EG 6.32026-05-31
A security flaw has been discovered in Bdtask Multi-Store Inventory Management System 1.0. The affected element is the function Upload of the file application/modules/dashboard/controllers/Module.php of the component Component Module. The …
- CVE-2026-10205MEDIUMCVSS 6.3EG 6.32026-06-01
A security vulnerability has been detected in Metasoft 美特软件 MetaCRM 6.4.0. The impacted element is an unknown function of the file develop/systparam/softlogo/upload.jsp. Such manipulation leads to unrestricted upload. The attack ma…
- CVE-2026-10255MEDIUMCVSS 5.3EG 5.32026-06-01
A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function sell_statement of the file application/controllers/ShowForm.php. Such manipulation leads to improper a…
- CVE-2026-10277MEDIUMCVSS 6.3EG 6.32026-06-01
A vulnerability was found in j3k0 mcp-google-workspace up to 831790e7d5c2663325733d9f5579cc339a267c4c. This issue affects the function saveToDisk of the file src/tools/gmail.ts of the component MCP Gmail Tool. Performing a manipulation res…
- CVE-2026-1061MEDIUMCVSS 6.3EG 6.32026-01-17
A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unres…
- CVE-2026-1078HIGHCVSS 7.2EG 7.22026-04-07
An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website …
- CVE-2026-1079MEDIUMCVSS 6.0EG 6.02026-04-07
A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that …
- CVE-2026-10806MEDIUMCVSS 6.3EG 6.32026-06-04
A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted uploa…
- CVE-2026-10807MEDIUMCVSS 6.3EG 6.32026-06-04
A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to…
- CVE-2026-11017MEDIUMCVSS 6.5EG 6.52026-06-04
Inappropriate implementation in Link Preview in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity:…
- CVE-2026-11026MEDIUMCVSS 6.5EG 6.52026-06-04
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium securi…
- CVE-2026-1107MEDIUMCVSS 6.3EG 6.32026-01-18
A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted u…
- CVE-2026-11078MEDIUMCVSS 6.5EG 6.52026-06-04
Inappropriate implementation in FileSystem in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-11135MEDIUMCVSS 6.5EG 6.52026-06-04
Insufficient policy enforcement in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-1114CRITICALCVSS 9.8EG 9.82026-04-07
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offl…
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →