VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 3 of 135
  • CVE-2026-46824 · Critical · May 28, 2026
    risk 0.64 · cvss 9.9 · epss 0.00

    Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access…

  • CVE-2026-46822 · Critical · May 28, 2026
    risk 0.64 · cvss 9.9 · epss 0.00

    Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle…

  • CVE-2026-46775 · Critical · May 28, 2026
    risk 0.64 · cvss 9.9 · epss 0.00

    Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability…

  • CVE-2026-48904 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper access check allows privilege escalation through the com_users group editing webservice endpoint.

  • CVE-2026-48899 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper access check allows privilege escalation through the com_users batch task.

  • CVE-2026-48898 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper access check allows privilege escalation through the com_users batch task.

  • CVE-2026-35223 · Critical · May 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An improper access check allows unauthorized access to com_config webservice endpoints.

  • CVE-2026-44277 · Critical · May 12, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    An improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow an attacker to execute unauthorized code or commands via crafted requests.

  • CVE-2026-42823 · Critical · May 12, 2026
    risk 0.64 · cvss 9.9 · epss 0.01

    Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.

  • CVE-2025-69691 · Critical · May 8, 2026
    risk 0.64 · cvss 9.9 · epss 0.01

    Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.

  • CVE-2026-33109 · Critical · May 7, 2026
    risk 0.64 · cvss 9.9 · epss 0.01

    Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

  • CVE-2026-31843 · Critical · Apr 16, 2026
    risk 0.64 · cvss 9.8 · epss 0.02

    The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication…

  • CVE-2026-22564 · Critical · Apr 13, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system.
    Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
    UniFi Play Audio Port (Version…

  • CVE-2026-31282 · Critical · Apr 13, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier…

  • CVE-2026-31272 · Critical · Apr 7, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication.

  • CVE-2026-21994 · Critical · Mar 17, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Vulnerability in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit product of Oracle Open Source Projects (component: Desktop). The supported version that is affected is 0.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network…

  • CVE-2025-66956 · Critical · Mar 11, 2026
    risk 0.64 · cvss 9.9 · epss 0.01

    Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote attackers to access and execute attachments via a computable URL.

  • CVE-2026-2550 · Critical · Feb 16, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used.…

  • CVE-2025-8025 · Critical · Feb 11, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dinosoft ERP: from < 3.0.1 through 11022026. NOTE: The vendor was…

  • CVE-2025-43027 · Critical · Oct 30, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    A critical severity vulnerability has been identified in the ALPR Manager role of Security Center that could allow attackers to gain administrative access to the Genetec Security Center system. The Genetec engineering team discovered this issue internally. There is currently no…