CWE-284— Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.— MITRE CWE catalog
4,713 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-284page 94 of 95
- CVE-2026-6492MEDIUMCVSS 5.3EG 5.32026-04-17
A vulnerability was detected in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea. The impacted element is an unknown function of the file /api/health/detailed of the component Health Check Endpoint. P…
- CVE-2026-6561MEDIUMCVSS 4.7EG 4.72026-04-19
A vulnerability was detected in EyouCMS up to 1.7.1. This issue affects the function edit_adminlogo of the file application/admin/controller/Index.php. Performing a manipulation of the argument filename results in unrestricted upload. The …
- CVE-2026-6596HIGHCVSS 7.3EG 7.32026-04-20
A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results i…
- CVE-2026-6602HIGHCVSS 7.3EG 7.32026-04-20
A vulnerability was found in rickxy Hospital Management System up to 88a4290d957dc5bdde8a56e5ad451ad14f7f90f4. Affected is an unknown function of the file /backend/admin/his_admin_account.php. The manipulation of the argument ad_dpic resul…
- CVE-2026-6650MEDIUMCVSS 4.7EG 4.72026-04-20
A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation leads to unrestricted upload. The attack may…
- CVE-2026-7021LOWCVSS 3.5EG 3.52026-04-26
A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclos…
- CVE-2026-7041LOWCVSS 3.7EG 3.72026-04-26
A vulnerability was detected in 666ghj MiroFish up to 0.1.2. The impacted element is an unknown function of the file /console of the component Werkzeug Debugger PIN Handler. Performing a manipulation of the argument SECRET results in infor…
- CVE-2026-7043MEDIUMCVSS 6.3EG 6.32026-04-26
A vulnerability has been found in GreenCMS up to 2.3. This impacts the function pluginAddLocal of the file /index.php?m=admin&c=custom&a=pluginadd. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The ex…
- CVE-2026-7044MEDIUMCVSS 6.3EG 6.32026-04-26
A vulnerability was found in GreenCMS up to 2.3. Affected is the function themeadd of the file /index.php?m=admin&c=custom&a=themeadd. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit has be…
- CVE-2026-7107MEDIUMCVSS 6.3EG 6.32026-04-27
A weakness has been identified in code-projects Invoice System in Laravel 1.0. The impacted element is an unknown function of the file /company. This manipulation of the argument logo causes unrestricted upload. The attack is possible to b…
- CVE-2026-7133MEDIUMCVSS 4.7EG 4.72026-04-27
A vulnerability was determined in code-projects Online Lot Reservation System 1.0. This impacts an unknown function of the file /activity.php. This manipulation of the argument directory causes unrestricted upload. The attack can be initia…
- CVE-2026-7134MEDIUMCVSS 4.7EG 4.72026-04-27
A vulnerability was identified in code-projects Online Lot Reservation System 1.0. Affected is an unknown function of the file /edithousepic.php. Such manipulation of the argument image leads to unrestricted upload. The attack can be launc…
- CVE-2026-7198CRITICALCVSS 9.8EG 9.82026-06-02
CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integ…
- CVE-2026-7238MEDIUMCVSS 4.7EG 4.72026-04-28
A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. This manipulation of the argument txtimage causes unrestricted upload. Remote exploitation of t…
- CVE-2026-7373HIGHCVSS 8.5EG 8.52026-05-15
Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control of a Windows host. When started the metasploitPostgreSQL service would start the postgres.exe child process which wo…
- CVE-2026-7393MEDIUMCVSS 4.7EG 4.72026-04-29
A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function save_menu of the file /admin/admin_class_novo.php of the component File Extension Handler. Performing a manipulation of the argument img res…
- CVE-2026-7468HIGHCVSS 7.3EG 7.32026-04-30
A security vulnerability has been detected in 1024-lab smart-admin up to 3.30.0. This affects an unknown function of the file /smart-admin-api/druid/index.html of the component Demo Site. The manipulation leads to improper access controls.…
- CVE-2026-7578MEDIUMCVSS 4.7EG 4.72026-05-01
A weakness has been identified in MacCMS Pro up to 2022.1.3. This vulnerability affects the function install of the file /admi.php/admin/addon/add.html of the component Plugin Installation Handler. Executing a manipulation can lead to unre…
- CVE-2026-7673MEDIUMCVSS 4.7EG 4.72026-05-03
A vulnerability was detected in crmeb_java up to 1.3.4. This vulnerability affects unknown code of the file crmeb/crmeb-service/src/main/java/com/zbkj/service/service/impl/UploadServiceImpl.java of the component Admin Upload. Performing a …
- CVE-2026-7686MEDIUMCVSS 5.3EG 5.32026-05-03
A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results …
- CVE-2026-7696MEDIUMCVSS 6.3EG 6.32026-05-03
A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File res…
- CVE-2026-7711HIGHCVSS 7.3EG 7.32026-05-04
A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted…
- CVE-2026-7732MEDIUMCVSS 6.3EG 6.32026-05-04
A vulnerability was detected in code-projects BloodBank Managing System 1.0. The impacted element is an unknown function of the file request_blood.php. The manipulation results in unrestricted upload. The attack can be executed remotely. T…
- CVE-2026-7733HIGHCVSS 7.3EG 7.32026-05-04
A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument F…
- CVE-2026-7813CRITICALCVSS 9.9EG 9.92026-05-11
Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's id…
- CVE-2026-7862HIGHCVSS 8.6EG 8.62026-05-28
The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's pay…
- CVE-2026-7959LOWCVSS 3.1EG 3.12026-05-06
Inappropriate implementation in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-8026LOWCVSS 3.7EG 3.72026-05-06
A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in…
- CVE-2026-8028LOWCVSS 3.7EG 3.72026-05-06
A vulnerability was detected in FlowiseAI Flowise up to 3.0.12. This affects the function verify of the file packages/server/src/enterprise/services/account.service.ts of the component Endpoint. Performing a manipulation results in informa…
- CVE-2026-8033MEDIUMCVSS 5.3EG 5.32026-05-06
A vulnerability has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. This affects an unknown function of the file /cdemos/echs/api/v2/ of the component Response Header Handler. Such manipulation leads to information disclosur…
- CVE-2026-8069HIGHCVSS 8.5EG 8.52026-05-08
PredatorSense version 3.00.3136 to 3.00.3196 contain Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigure…
- CVE-2026-8127MEDIUMCVSS 6.3EG 6.32026-05-08
A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be exec…
- CVE-2026-8147HIGHCVSS 8.1EG 8.12026-07-02
In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace o…
- CVE-2026-8233MEDIUMCVSS 4.6EG 4.62026-05-10
A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. This manipulation causes improper access controls. A high degree of complexity is needed for the attack. The ex…
- CVE-2026-8240MEDIUMCVSS 5.3EG 5.32026-05-21
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, descri…
- CVE-2026-8545LOWCVSS 3.1EG 3.12026-05-14
Object corruption in Compositing in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-8556LOWCVSS 3.1EG 3.12026-05-14
Inappropriate implementation in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Hi…
- CVE-2026-8566MEDIUMCVSS 4.3EG 4.32026-05-14
Insufficient policy enforcement in Payments in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-8586MEDIUMCVSS 5.5EG 5.52026-05-14
Inappropriate implementation in Chromoting in Google Chrome prior to 148.0.7778.168 allowed a local attacker to bypass discretionary access control via a malicious file. (Chromium security severity: Medium)
- CVE-2026-8750MEDIUMCVSS 5.3EG 5.32026-05-17
A vulnerability was identified in h2oai h2o-3 up to 7402. Affected by this issue is the function importFiles of the file h2o-core/src/main/java/water/persist/PersistNFS.java of the component ImportFile API. Such manipulation leads to infor…
- CVE-2026-8752MEDIUMCVSS 5.3EG 5.32026-05-17
A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler…
- CVE-2026-8758HIGHCVSS 7.3EG 7.32026-05-17
A vulnerability was determined in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This impacts an unknown function of the file /common/jsp/upload3.jsp. Executing a manipulation of the argument File can lead to unrestricted upload. The at…
- CVE-2026-8766MEDIUMCVSS 4.3EG 4.32026-05-17
A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILO_C…
- CVE-2026-9085HIGHCVSS 8.8EG 8.82026-07-05
Incorrect Permission Assignment for Critical Resource, Improper Access Control vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus-Parental-Control allows DNS Spoofing. This issue affects Pardus-Parental-Contro…
- CVE-2026-9223MEDIUMCVSS 4.3EG 4.32026-05-26
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier... Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated…
- CVE-2026-9349MEDIUMCVSS 5.3EG 5.32026-05-24
A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this issue is the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx of the component Generic React …
- CVE-2026-9352MEDIUMCVSS 5.3EG 5.32026-05-24
A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. This issue affects the function _make_run_env of the file tools/environments/local.py of the component Messaging Gateway Handler. Executing a manipulation can lea…
- CVE-2026-9374MEDIUMCVSS 6.3EG 6.32026-05-24
A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2. Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint. Performing a manipulation results in unrestricted upload.…
- CVE-2026-9412MEDIUMCVSS 6.3EG 6.32026-05-25
A vulnerability was determined in SourceCodester Indian Invoicing System 1.0. Impacted is an unknown function of the component Backend Endpoint. Executing a manipulation can lead to improper access controls. The attack can be launched remo…
- CVE-2026-9421HIGHCVSS 7.3EG 7.32026-05-25
A vulnerability was determined in KLiK SocialMediaWebsite 1.0. This vulnerability affects the function uniqid of the file upload.inc.php of the component File Handler. This manipulation causes unrestricted upload. The attack can be initiat…
Map vulnerabilities like CWE-284 to your infrastructure
EchelonGraph correlates every CVE — across CWE-284 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →