VYPR

CWE-284

Improper Access Control

Pillar · Incomplete

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578

CVEs mapped to this weakness (2,700)

page 33 of 135
  • CVE-2026-30994 · High · Apr 15, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.

  • CVE-2026-22566 · High · Apr 13, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials.
    Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
    UniFi Play Audio Port (Version 1.0.24 and earlier)
    …

  • CVE-2026-23782 · High · Apr 10, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations,…

  • CVE-2025-56015 · High · Apr 7, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint.

  • CVE-2026-35185 · High · Apr 6, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration…

  • CVE-2024-44303 · High · Apr 2, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1. A malicious application may be able to modify protected parts of the file system.

  • CVE-2024-44219 · High · Apr 2, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. A malicious application with root privileges may be able to access private information.

  • CVE-2026-30689 · High · Mar 27, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A blog.admin v.8.0 and before system's getinfobytoken API interface contains an improper access control which leads to sensitive data exposure. Unauthorized parties can obtain sensitive administrator account information via a valid token, threatening system security.

  • CVE-2025-70363 · High · Mar 6, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs.

  • CVE-2026-27449 · High · Feb 26, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed…

  • CVE-2026-2250 · High · Feb 11, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing…

  • CVE-2025-69907 · High · Jan 23, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal…

  • CVE-2025-43502 · High · Nov 4, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    A privacy issue was addressed by removing sensitive data. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1. An app may be able to bypass certain Privacy preferences.

  • CVE-2025-43413 · High · Nov 4, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    An access issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. A sandboxed app may be able to observe system-wide network…

  • CVE-2025-63423 · High · Oct 30, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 was discovered to store the Administrator password.

  • CVE-2025-63422 · High · Oct 30, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Incorrect access control in the Web management interface in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to arbitrarily change the administrator username and password via sending a crafted GET request.

  • CVE-2025-61120 · High · Oct 30, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    AG Life Logger Android App version v1.0.2.72 and before (package name com.donki.healthy), developed by IO FIT, K.K., contains improper access control vulnerabilities. Exposed credentials in traffic may allow attackers to misuse cloud resources, and predictable verification codes…

  • CVE-2025-61119 · High · Oct 30, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Kanova Android App version 1.0.27 (package name com.karelane), developed by Karely L.L.C., contains improper access control vulnerabilities. Attackers may gain unauthorized access to user details and obtain group information, including entry codes, by manipulating API request…

  • CVE-2025-61114 · High · Oct 30, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    2nd Line Android App version v1.2.92 and before (package name com.mysecondline.app), developed by AutoBizLine, Inc., contains an improper access control vulnerability in its authentication mechanism. The server only validates the first character of the user_token, enabling…

  • CVE-2025-61118 · High · Oct 30, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    mCarFix Motorists App version 2.3 (package name com.skytop.mcarfix), developed by Paniel Mwaura, contains improper access control vulnerabilities. Attackers may bypass verification to arbitrarily register accounts, and by tampering with sequential numeric IDs, gain unauthorized…