CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,712 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 93 of 95
- CVE-2026-55119HIGHCVSS 8.1EG 8.12026-07-02
A malicious actor with access to the network and low privileges could exploit an Improper Access Control vulnerability found in UniFi Talk Application to escalate privileges within the UniFi Talk Application.
- CVE-2026-55234HIGHCVSS 8.5EG 8.52026-07-15
Wekan is open source kanban built with Meteor. Prior to 9.37, Wekan DDP update allow rules in server/permissions/cards.js, server/permissions/lists.js, and server/permissions/swimlanes.js authorize against the stored source boardId and do …
- CVE-2026-5526HIGHCVSS 7.3EG 7.32026-04-04
A security flaw has been discovered in Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1. Affected by this vulnerability is an unknown functionality of the file /bin/httpd. The manipulation results in improper access controls. The attac…
- CVE-2026-5546MEDIUMCVSS 6.3EG 6.32026-04-05
A flaw has been found in Campcodes Complete Online Learning Management System 1.0. This impacts the function add_lesson of the file /application/models/Crud_model.php. This manipulation causes unrestricted upload. It is possible to initiat…
- CVE-2026-55548MEDIUMCVSS 4.3EG 4.32026-07-16
Yamcs is a mission control framework. Prior to 5.12.8 and 5.13.2, the PacketsApi.exportPackets endpoint in yamcs-core/src/main/java/org/yamcs/http/api/PacketsApi.java failed to enforce object-level ReadPacket privileges when a request omit…
- CVE-2026-55670LOWCVSS 2.3EG 2.32026-06-18
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in anot…
- CVE-2026-5569HIGHCVSS 7.3EG 7.32026-04-05
A vulnerability was found in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. Impacted is an unknown function of the file /Technostrobe/ of the component Endpoint. The manipulation results in improper access controls. The attack may be perfor…
- CVE-2026-5571MEDIUMCVSS 5.3EG 5.32026-04-05
A vulnerability was identified in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. The impacted element is an unknown function of the file /fs of the component Configuration Data Handler. Such manipulation of the argument File leads to inform…
- CVE-2026-5573HIGHCVSS 7.3EG 7.32026-04-05
A weakness has been identified in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. This impacts an unknown function of the file /fs. Executing a manipulation of the argument cwd can lead to unrestricted upload. The attack can be launched remo…
- CVE-2026-5576MEDIUMCVSS 4.7EG 4.72026-04-05
A flaw has been found in SourceCodester/jkev Record Management System 1.0. Affected by this issue is some unknown functionality of the file save_emp.php of the component Add Employee Page. This manipulation causes unrestricted upload. Remo…
- CVE-2026-5585MEDIUMCVSS 5.3EG 5.32026-04-05
A vulnerability was found in Tencent AI-Infra-Guard 4.0. The affected element is an unknown function of the file common/websocket/task_manager.go of the component Task Detail Endpoint. Performing a manipulation results in information discl…
- CVE-2026-5601MEDIUMCVSS 5.3EG 5.32026-04-05
A vulnerability was found in Acrel Electrical Prepaid Cloud Platform 1.0. This issue affects some unknown processing of the file /bin.rar of the component Backup File Handler. The manipulation results in information disclosure. The attack …
- CVE-2026-56050MEDIUMCVSS 6.5EG 6.52026-06-25
Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting... Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. …
- CVE-2026-56082HIGHCVSS 7.5EG 7.52026-06-19
Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase pu…
- CVE-2026-56157MEDIUMCVSS 5.4EG 5.42026-07-14
Improper access control in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
- CVE-2026-56217MEDIUMCVSS 4.3EG 4.32026-07-08
Capgo before 12.128.2 contains a policy bypass vulnerability in app_versions update enforcement that allows app-scoped API keys to downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly upda…
- CVE-2026-56253HIGHCVSS 7.5EG 7.52026-06-21
Capgo before 12.128.2 contains an improper access control vulnerability in the public.get_org_members RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the pu…
- CVE-2026-56257HIGHCVSS 7.1EG 7.12026-06-24
Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owne…
- CVE-2026-56290CRITICALCVSS 9.8EG 9.8⚠ KEV2026-06-29
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
- CVE-2026-56302MEDIUMCVSS 6.5EG 6.52026-06-24
Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delet…
- CVE-2026-56334MEDIUMCVSS 4.3EG 4.32026-07-01
Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can exploit this missing policy to cause build status a…
- CVE-2026-56335MEDIUMCVSS 6.5EG 6.52026-07-10
Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API keys can directly mutate protected channel configuration fields through PostgREST by exploiting a null authentication check in the immutability tri…
- CVE-2026-5670MEDIUMCVSS 6.3EG 6.32026-04-06
A vulnerability was found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This issue affects the function move_uploaded_file of the file /AssignmentSection/submission/upload.php. Performing a manipula…
- CVE-2026-56823MEDIUMCVSS 5.4EG 5.42026-06-26
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the `POST /api/integrations/webhooks/{webhook_id}/ping` endpoint fetches the target webhook by primary ke…
- CVE-2026-57088HIGHCVSS 7.8EG 7.82026-07-14
Improper access control in Extensible Storage Engine (ESENT) allows an authorized attacker to elevate privileges locally.
- CVE-2026-5779HIGHCVSS 8.8EG 8.82026-04-28
An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Succ…
- CVE-2026-5780HIGHCVSS 8.1EG 8.12026-04-28
An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the endpoint '/minerva/moUser/show/'. If this vulnerability is successfully exploited, an authenticated user can access the data of other r…
- CVE-2026-57855HIGHCVSS 8.8EG 8.82026-07-13
Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfol…
- CVE-2026-5786HIGHCVSS 8.8EG 8.82026-05-07
An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.
- CVE-2026-5788HIGHCVSS 7.0EG 7.02026-05-07
An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.
- CVE-2026-58282HIGHCVSS 8.1EG 8.12026-07-03
Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
- CVE-2026-58286HIGHCVSS 8.1EG 8.12026-07-03
Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
- CVE-2026-58421HIGHCVSS 7.5EG 7.52026-07-03
Unauthenticated ReDoS via CODEOWNERS pattern matching allows denial of service
- CVE-2026-58422CRITICALCVSS 9.8EG 9.82026-07-03
Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts
- CVE-2026-5847MEDIUMCVSS 4.3EG 4.32026-04-09
A vulnerability has been found in code-projects Movie Ticketing System 1.0. Impacted is an unknown function of the file /db/moviedb.sql of the component SQL Database Backup File Handler. Such manipulation leads to information disclosure. T…
- CVE-2026-58523MEDIUMCVSS 6.5EG 6.52026-07-03
Improper access control in Microsoft Edge for Android allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-58525HIGHCVSS 8.2EG 8.22026-07-08
Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-58545MEDIUMCVSS 5.5EG 5.52026-07-14
Improper access control in Windows Kernel allows an authorized attacker to bypass a security feature locally.
- CVE-2026-58617HIGHCVSS 8.1EG 8.12026-07-14
Improper access control in Microsoft 365 Copilot for iOS allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-5863HIGHCVSS 8.8EG 8.82026-04-08
Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-5881MEDIUMCVSS 6.5EG 6.52026-04-08
Policy bypass in LocalNetworkAccess in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-5960MEDIUMCVSS 4.3EG 4.32026-04-09
A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to informatio…
- CVE-2026-59720HIGHCVSS 7.5EG 7.52026-07-09
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked …
- CVE-2026-6000MEDIUMCVSS 4.3EG 4.32026-04-10
A vulnerability was found in code-projects Online Library Management System 1.0. Affected is an unknown function of the file /sql/library.sql of the component SQL Database Backup File Handler. Performing a manipulation results in informati…
- CVE-2026-6201MEDIUMCVSS 5.4EG 5.42026-04-13
A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to impr…
- CVE-2026-62314MEDIUMCVSS 5.8EG 5.82026-07-15
Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. From 1.22.0 until 1.26.0-pre1, lib/policy/checker.go PathChecker.Check() trusted the client-controlled X-Origi…
- CVE-2026-6312LOWCVSS 3.1EG 3.12026-04-15
Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-6313LOWCVSS 3.1EG 3.12026-04-15
Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-6489MEDIUMCVSS 6.3EG 6.32026-04-17
A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation …
- CVE-2026-6492MEDIUMCVSS 5.3EG 5.32026-04-17
A vulnerability was detected in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea. The impacted element is an unknown function of the file /api/health/detailed of the component Health Check Endpoint. P…
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →