VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 12 of 135
  • CVE-2016-7408 · High · Mar 3, 2017
    risk 0.58 · CVSS 8.8 · EPSS 0.04

    The dbclient in Dropbear SSH before 2016.74 allows remote attackers to execute arbitrary code via a crafted (1) -m or (2) -c argument.

  • CVE-2016-4286 · High · Oct 13, 2016
    risk 0.58 · CVSS 8.8 · EPSS 0.06

    Adobe Flash Player before 18.0.0.382 and 19.x through 23.x before 23.0.0.185 on Windows and OS X and before 11.2.202.637 on Linux allows attackers to bypass intended access restrictions via unspecified vectors.

  • CVE-2016-0183 · High · May 11, 2016
    risk 0.58 · CVSS 8.8 · EPSS 0.16

    The Windows font library in Microsoft Office 2010 SP2, Word 2010 SP2, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps 2010 SP2 allows remote attackers to execute arbitrary code via a crafted embedded font, aka "Microsoft Office Graphics RCE…

  • CVE-2026-50884 · High · Jun 15, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.

  • CVE-2026-50564 · Critical · Jun 10, 2026
    risk 0.57 · CVSS 9.9 · EPSS 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the…

  • CVE-2026-50563 · Critical · Jun 10, 2026
    risk 0.57 · CVSS 9.9 · EPSS 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it…

  • CVE-2026-50545 · Critical · Jun 10, 2026
    risk 0.57 · CVSS 9.9 · EPSS 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec…

  • CVE-2026-46614 · Critical · Jun 10, 2026
    risk 0.57 · CVSS 9.8 · EPSS 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/ and…

  • CVE-2026-11179 · High · Jun 4, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Inappropriate implementation in ORB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-5228 · High · Jun 4, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WriteUp Mobile App: from 1.3.0 through 04062026.

  • CVE-2026-42074 · Critical · Jun 2, 2026
    risk 0.57 · CVSS 9.8 · EPSS 0.01

    OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own…

  • CVE-2026-9614 · High · Jun 1, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.

  • CVE-2026-46827 · High · May 28, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Self Service Manager). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle…

  • CVE-2026-44926 · High · May 20, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    InfoScale CmdServer before 7.4.2 mishandles access control.

  • CVE-2026-44774 · Critical · May 15, 2026
    risk 0.57 · CVSS 9.9 · EPSS 0.00

    Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.46, 3.6.17, and 3.7.1, Traefik's Kubernetes Gateway API provider allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The…

  • CVE-2024-36323 · High · May 15, 2026
    risk 0.57 · CVSS n/a · EPSS 0.00

    Improper isolation of VCN-JPEG HW register space could allow a malicious Guest Virtual Machine (VM) or a process to perform unauthorized access to the register space of the JPEG cores assigned a victim VM/process, potentially gaining arbitrary read/write access to the victim…

  • CVE-2026-41086 · High · May 12, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.

  • CVE-2026-40420 · High · May 12, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.

  • CVE-2025-43524 · High · May 12, 2026
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.2. An app may be able to break out of its sandbox.

  • CVE-2026-20887 · High · May 12, 2026
    risk 0.57 · CVSS n/a · EPSS 0.00

    Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable remote code execution. This…