VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 10 of 135
  • CVE-2026-50886 · Critical · Jun 15, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.

  • CVE-2026-45177 · Critical · Jun 11, 2026
    risk 0.59 · cvss · epss 0.01

    Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow…

  • CVE-2026-45746 · Critical · Jun 5, 2026
    risk 0.59 · cvss 9.0 · epss 0.00

    Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId…

  • CVE-2026-46819 · Critical · May 28, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP…

  • CVE-2026-49002 · Critical · May 27, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.

  • CVE-2023-24215 · Critical · May 18, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request.

  • CVE-2026-34287 · Critical · Apr 21, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise…

  • CVE-2021-4477 · Critical · Apr 3, 2026
    risk 0.59 · cvss 9.1 · epss 0.00

    Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6 IPsec deployments that allows traffic from VPN connections to bypass configured firewall rules. Attackers can exploit this vulnerability by establishing IPv6 IPsec connections (IKEv1 or…

  • CVE-2025-69634 · Critical · Feb 12, 2026
    risk 0.59 · cvss 9.0 · epss 0.00

    Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token…

  • CVE-2026-1181 · Critical · Jan 19, 2026
    risk 0.59 · cvss 9.0 · epss 0.00

    Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on…

  • CVE-2025-13828 · Critical · Dec 2, 2025
    risk 0.59 · cvss · epss 0.00

    Summary: A non-privileged user can install and remove arbitrary packages via composer for a composer-based install, even if the flag in update settings for enable composer based update is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain…

  • CVE-2025-60291 · Critical · Oct 27, 2025
    risk 0.59 · cvss 9.1 · epss 0.00

    An issue was discovered in eTimeTrackLite Web thru 12.0 (20250704). There is a permission control flaw that allows unauthorized attackers to access specific routes and modify database connection configurations.

  • CVE-2025-57567 · Critical · Oct 17, 2025
    risk 0.59 · cvss 9.1 · epss 0.01

    A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code…

  • CVE-2025-57247 · Critical · Oct 6, 2025
    risk 0.59 · cvss 9.1 · epss 0.00

    The BATBToken smart contract (address 0xfbf1388408670c02f0dbbb74251d8ded1d63b7a2, Compiler Version v0.8.26+commit.8a97fa7a) contains incorrect access control implementation in whitelist management functions. The setColdWhiteList() and setSpecialAddress() functions in the base…

  • CVE-2025-54391 · Critical · Sep 16, 2025
    risk 0.59 · cvss 9.1 · epss 0.01

    A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA method (either a third-party…

  • CVE-2024-45438 · Critical · Aug 21, 2025
    risk 0.59 · cvss 9.1 · epss 0.01

    An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions using a crafted GET request. Notably, when a…

  • CVE-2025-49603 · Critical · Jun 26, 2025
    risk 0.59 · cvss 9.1 · epss 0.00

    Northern.tech Mender Server before 3.7.11 and 4.x before 4.0.1 has Incorrect Access Control.

  • CVE-2025-28233 · Critical · Apr 18, 2025
    risk 0.59 · cvss 9.1 · epss 0.00

    Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version: 1.7 allows attackers to access log files and extract session identifiers to…

  • CVE-2025-28231 · Critical · Apr 18, 2025
    risk 0.59 · cvss 9.1 · epss 0.00

    Incorrect access control in Itel Electronics IP Stream v1.7.0.6 allows unauthorized attackers to execute arbitrary commands with Administrator privileges.

  • CVE-2025-3113 · Critical · Apr 17, 2025
    risk 0.59 · cvss · epss 0.00

    A valid, authenticated user with sufficient privileges and who is aware of Continuous Compliance’s internal database configurations can leverage the application’s built-in Connector functionality to access Continuous Compliance’s internal database. This allows the user to…