CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,700 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 79 of 94
- CVE-2026-1879MEDIUMCVSS 6.3EG 6.32026-04-01
A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. This affects an unknown function of the file /ThemeAndWidgets.xhtml of the component Theme Customization. Performing a manipulation of the argument uploadLogo res…
- CVE-2026-1895MEDIUMCVSS 6.3EG 6.32026-02-04
A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be exe…
- CVE-2026-1896MEDIUMCVSS 6.3EG 6.32026-02-05
A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The m…
- CVE-2026-1898MEDIUMCVSS 6.3EG 6.32026-02-05
A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initi…
- CVE-2026-1933MEDIUMCVSS 6.5EG 7.12026-05-27
A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete re…
- CVE-2026-1962MEDIUMCVSS 6.3EG 6.32026-02-05
A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack…
- CVE-2026-1963MEDIUMCVSS 6.3EG 6.32026-02-05
A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotel…
- CVE-2026-1964MEDIUMCVSS 4.3EG 4.32026-02-05
A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possi…
- CVE-2026-20073MEDIUMCVSS 5.8EG 5.82026-03-04
A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should be denied through an af…
- CVE-2026-2009MEDIUMCVSS 6.3EG 6.32026-02-06
A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/php_action/createUser.php. Executing a manipulation can lead to improper access controls. It is possi…
- CVE-2026-20167HIGHCVSS 7.7EG 7.72026-05-06
A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to cause a DoS condition on a remotely managed router. This vulnerability is due…
- CVE-2026-20203MEDIUMCVSS 4.3EG 4.32026-04-15
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold…
- CVE-2026-20259MEDIUMCVSS 5.5EG 5.52026-06-10
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-pr…
- CVE-2026-2054MEDIUMCVSS 5.3EG 5.32026-02-06
A security flaw has been discovered in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. Impacted is an unknown function of the component Wifi Setting Handler. Performing a manipulation results in information disclosure. The attack may be init…
- CVE-2026-2055MEDIUMCVSS 5.3EG 5.32026-02-06
A weakness has been identified in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. The affected element is an unknown function of the component DHCP Client Information Handler. Executing a manipulation can lead to information disclosure. The …
- CVE-2026-2056MEDIUMCVSS 5.3EG 5.32026-02-06
A security vulnerability has been detected in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. The impacted element is an unknown function of the file /wan_connection_status.asp of the component DHCP Connection Status Handler. The manipulatio…
- CVE-2026-20601LOWCVSS 3.3EG 3.32026-02-11
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. An app may be able to monitor keystrokes without user permission.
- CVE-2026-20603MEDIUMCVSS 4.4EG 4.42026-02-11
This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Tahoe 26.3. An app with root privileges may be able to access private information.
- CVE-2026-20628HIGHCVSS 7.1EG 7.12026-02-11
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 2…
- CVE-2026-20638MEDIUMCVSS 5.5EG 5.52026-02-11
A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3. A user with Live Caller ID app extensions turned off could have identifying information leaked to the extensions.
- CVE-2026-20642LOWCVSS 2.4EG 2.42026-02-11
An input validation issue was addressed. This issue is fixed in iOS 26.3 and iPadOS 26.3. A person with physical access to an iOS device may be able to access photos from the lock screen.
- CVE-2026-20684LOWCVSS 3.3EG 3.32026-03-25
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.4. An app may bypass Gatekeeper checks.
- CVE-2026-20706CRITICALCVSS 9.1EG 9.12026-06-16
Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint.
- CVE-2026-20736HIGHCVSS 7.5EG 7.52026-01-22
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a diffe…
- CVE-2026-20744CRITICALCVSS 9.8EG 9.82026-07-10
The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation.
- CVE-2026-2075MEDIUMCVSS 6.3EG 6.32026-02-07
A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function saveRolePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.…
- CVE-2026-20750CRITICALCVSS 9.1EG 9.12026-01-22
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
- CVE-2026-20825MEDIUMCVSS 4.4EG 4.42026-01-13
Improper access control in Windows Hyper-V allows an authorized attacker to disclose information locally.
- CVE-2026-20839MEDIUMCVSS 5.5EG 5.52026-01-13
Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to disclose information locally.
- CVE-2026-20843HIGHCVSS 7.8EG 7.82026-01-13
Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally.
- CVE-2026-20883MEDIUMCVSS 6.5EG 6.52026-01-22
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.
- CVE-2026-20887HIGHCVSS 8.8EG 8.82026-05-12
Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may …
- CVE-2026-20888MEDIUMCVSS 4.3EG 4.32026-01-22
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
- CVE-2026-20896CRITICALCVSS 9.8EG 9.82026-07-03
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.
- CVE-2026-20897CRITICALCVSS 9.1EG 9.12026-01-22
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
- CVE-2026-20904MEDIUMCVSS 6.5EG 6.52026-01-22
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
- CVE-2026-20909MEDIUMCVSS 5.3EG 5.32026-07-03
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
- CVE-2026-20912CRITICALCVSS 9.1EG 9.12026-01-22
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to u…
- CVE-2026-20929HIGHCVSS 7.5EG 7.52026-01-13
Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network.
- CVE-2026-20949HIGHCVSS 7.8EG 7.82026-01-13
Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.
- CVE-2026-21238HIGHCVSS 7.8EG 7.82026-02-10
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
- CVE-2026-21255HIGHCVSS 8.8EG 8.82026-02-10
Improper access control in Windows Hyper-V allows an authorized attacker to bypass a security feature locally.
- CVE-2026-21262HIGHCVSS 8.8EG 8.82026-03-10
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
- CVE-2026-2133HIGHCVSS 7.3EG 7.32026-02-08
A weakness has been identified in code-projects Online Music Site 1.0. Impacted is an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. This manipulation of the argument txtimage causes unrestricted upload. The attac…
- CVE-2026-21447HIGHCVSS 7.1EG 7.12026-01-02
Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's …
- CVE-2026-2146MEDIUMCVSS 6.3EG 6.32026-02-08
A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument Fil…
- CVE-2026-2147MEDIUMCVSS 5.3EG 5.32026-02-08
A weakness has been identified in Tenda AC21 16.03.08.16. This impacts an unknown function of the file /cgi-bin/DownloadLog of the component Web Management Interface. Executing a manipulation can lead to information disclosure. The attack …
- CVE-2026-2148MEDIUMCVSS 5.3EG 5.32026-02-08
A security vulnerability has been detected in Tenda AC21 16.03.08.16. Affected is an unknown function of the file /cgi-bin/DownloadFlash of the component Web Management Interface. The manipulation leads to information disclosure. It is pos…
- CVE-2026-21627NONECVSS 0.0EG 9.52026-02-20
The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.
- CVE-2026-21629HIGHCVSS 7.3EG 7.32026-04-01
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers.
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →