VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 20 of 135
  • CVE-2025-46816 · Critical · May 6, 2025
    risk 0.54 · cvss 9.4 · epss 0.01

    goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check the CLI option `-c`, thus allowing…

  • CVE-2024-48955 · High · Oct 29, 2024
    risk 0.54 · cvss 8.1 · epss 0.01

    Broken access control in NetAdmin 4.030319 returns data with functionalities on the endpoint that "assembles" the functionalities menus; the return of this call is not encrypted, and as the system does not validate the session authorization, an attacker can copy the content of…

  • CVE-2015-1336 · High · Sep 28, 2017
    risk 0.54 · cvss 7.8 · epss 0.01

    The daily mandb cleanup job in Man-db before 2.7.6.1-1 as packaged in Ubuntu and Debian allows local users with access to the man account to gain privileges via vectors involving insecure chown use.

  • CVE-2016-7054 · High · May 4, 2017
    risk 0.54 · cvss 7.5 · epss 0.32

    In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.

  • CVE-2016-6255 · High · Mar 7, 2017
    risk 0.54 · cvss 7.5 · epss 0.27

    Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers to write to arbitrary files in the webroot via a POST request without a registered handler.

  • CVE-2015-8973 · High · Jan 31, 2017
    risk 0.54 · cvss 8.3 · epss 0.02

    xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password.

  • CVE-2026-50891 · High · Jun 15, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.

  • CVE-2026-50881 · High · Jun 15, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and configuration changes.

  • CVE-2026-50875 · High · Jun 15, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.

  • CVE-2026-48610 · High · Jun 12, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Under certain network configurations, a malicious actor with access to the network could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices.

  • CVE-2026-44249 · High · Jun 11, 2026
    risk 0.53 · cvss 8.1 · epss 0.01

    Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid…

  • CVE-2026-47907 · High · Jun 9, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope.…

  • CVE-2026-36720 · High · Jun 9, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Insecure permissions in bookcars v8.3 allow authenticated attackers to escalate privileges from user to admin via modifying their user type.

  • CVE-2026-46828 · High · May 28, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle…

  • CVE-2026-35277 · High · May 28, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of…

  • CVE-2026-48906 · High · May 27, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.

  • CVE-2026-34358 · High · May 19, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write…

  • CVE-2026-42222 · High · May 4, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.

  • CVE-2025-67796 · High · May 4, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or…

  • CVE-2026-40904 · High · Apr 30, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead…