Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-65798

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-08 Dec, 2025 | 00:00
Updated At-08 Dec, 2025 | 17:26
Rejected At-
Credits

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:08 Dec, 2025 | 00:00
Updated At:08 Dec, 2025 | 17:26
Rejected At:
▼CVE Numbering Authority (CNA)

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://memos.com
N/A
http://usememos.com
N/A
https://github.com/usememos/memos/pull/5217
N/A
https://herolab.usd.de/security-advisories/usd-2025-0059/
N/A
Hyperlink: http://memos.com
Resource: N/A
Hyperlink: http://usememos.com
Resource: N/A
Hyperlink: https://github.com/usememos/memos/pull/5217
Resource: N/A
Hyperlink: https://herolab.usd.de/security-advisories/usd-2025-0059/
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284 Improper Access Control
Type: CWE
CWE ID: CWE-284
Description: CWE-284 Improper Access Control
Metrics
VersionBase scoreBase severityVector
3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:08 Dec, 2025 | 16:15
Updated At:09 Dec, 2025 | 17:28

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CPE Matches

Usememos
usememos
>>memos>>0.25.2
cpe:2.3:a:usememos:memos:0.25.2:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-284Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-284
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://memos.comcve@mitre.org
Permissions Required
http://usememos.comcve@mitre.org
Product
https://github.com/usememos/memos/pull/5217cve@mitre.org
Issue Tracking
Patch
https://herolab.usd.de/security-advisories/usd-2025-0059/cve@mitre.org
Exploit
Third Party Advisory
Hyperlink: http://memos.com
Source: cve@mitre.org
Resource:
Permissions Required
Hyperlink: http://usememos.com
Source: cve@mitre.org
Resource:
Product
Hyperlink: https://github.com/usememos/memos/pull/5217
Source: cve@mitre.org
Resource:
Issue Tracking
Patch
Hyperlink: https://herolab.usd.de/security-advisories/usd-2025-0059/
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

64Records found

CVE-2022-4802
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.1||CRITICAL
EPSS-0.57% / 42.88%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization Bypass Through User-Controlled Key in usememos/memos

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-4811
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.3||HIGH
EPSS-0.56% / 42.72%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization Bypass Through User-Controlled Key in usememos/memos

Authorization Bypass Through User-Controlled Key vulnerability in usememos usememos/memos.This issue affects usememos/memos before 0.9.1.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-4814
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.6||HIGH
EPSS-0.53% / 41.16%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in usememos/memos

Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-284
Improper Access Control
CVE-2022-4689
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.3||HIGH
EPSS-0.74% / 50.16%
||
7 Day CHG~0.00%
Published-23 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in usememos/memos

Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-284
Improper Access Control
CVE-2025-65795
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.27% / 18.94%
||
7 Day CHG~0.00%
Published-08 Dec, 2025 | 00:00
Updated-09 Dec, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.

Action-Not Available
Vendor-n/aUsememos
Product-memosn/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-65797
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.30% / 21.71%
||
7 Day CHG~0.00%
Published-08 Dec, 2025 | 00:00
Updated-11 Dec, 2025 | 00:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS).

Action-Not Available
Vendor-n/aUsememos
Product-memosn/a
CWE ID-CWE-284
Improper Access Control
CVE-2022-4809
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.3||HIGH
EPSS-0.91% / 55.65%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in usememos/memos

Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-284
Improper Access Control
CVE-2022-4810
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.46% / 36.98%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in usememos/memos

Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-284
Improper Access Control
CVE-2022-4807
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.2||HIGH
EPSS-0.57% / 43.04%
||
7 Day CHG~0.00%
Published-28 Dec, 2022 | 00:00
Updated-10 Apr, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in usememos/memos

Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-284
Improper Access Control
CVE-2022-4684
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.6||HIGH
EPSS-0.61% / 44.71%
||
7 Day CHG~0.00%
Published-23 Dec, 2022 | 00:00
Updated-09 Apr, 2025 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in usememos/memos

Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-284
Improper Access Control
CVE-2025-65796
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.14%
||
7 Day CHG~0.00%
Published-08 Dec, 2025 | 00:00
Updated-09 Dec, 2025 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos.

Action-Not Available
Vendor-n/aUsememos
Product-memosn/a
CWE ID-CWE-284
Improper Access Control
CVE-2023-4696
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-6
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-0.90% / 55.24%
||
7 Day CHG~0.00%
Published-01 Sep, 2023 | 00:00
Updated-30 Sep, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in usememos/memos

Improper Access Control in GitHub repository usememos/memos prior to 0.13.2.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-284
Improper Access Control
CVE-2023-1883
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.49% / 38.67%
||
7 Day CHG~0.00%
Published-05 Apr, 2023 | 00:00
Updated-10 Feb, 2025 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in thorsten/phpmyfaq

Improper Access Control in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

Action-Not Available
Vendor-Thorsten Rinne (phpMyFAQ)
Product-phpmyfaqthorsten/phpmyfaq
CWE ID-CWE-284
Improper Access Control
CVE-2025-43495
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.88%
||
7 Day CHG+0.01%
Published-04 Nov, 2025 | 01:16
Updated-02 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1. An app may be able to monitor keystrokes without user permission.

Action-Not Available
Vendor-Apple Inc.
Product-iphone_osipadosiOS and iPadOS
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2024-28967
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-5.4||MEDIUM
EPSS-0.35% / 26.88%
||
7 Day CHG~0.00%
Published-13 Jun, 2024 | 14:57
Updated-06 Aug, 2024 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal maintenance REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state.

Action-Not Available
Vendor-Dell Inc.
Product-secure_connect_gatewaySecure Connect Gateway-ApplicationSecure Connect Gateway-Appliancesecure_connect_gateway_applicationsecure_connect_gateway_appliance
CWE ID-CWE-284
Improper Access Control
CVE-2024-28968
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-5.4||MEDIUM
EPSS-0.35% / 26.88%
||
7 Day CHG~0.00%
Published-13 Jun, 2024 | 15:01
Updated-06 Aug, 2024 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for internal email and collection settings REST APIs (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state.

Action-Not Available
Vendor-Dell Inc.
Product-secure_connect_gatewaySecure Connect Gateway-ApplicationSecure Connect Gateway-Appliancesecure_connect_gateway_applicationsecure_connect_gateway_appliance
CWE ID-CWE-284
Improper Access Control
CVE-2024-28965
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-5.4||MEDIUM
EPSS-0.35% / 26.88%
||
7 Day CHG~0.00%
Published-13 Jun, 2024 | 14:47
Updated-06 Aug, 2024 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal enable REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain Internal APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state.

Action-Not Available
Vendor-Dell Inc.
Product-secure_connect_gatewaySecure Connect Gateway-ApplicationSecure Connect Gateway-Appliance
CWE ID-CWE-284
Improper Access Control
CVE-2022-36923
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-7.93% / 94.02%
||
7 Day CHG~0.00%
Published-10 Aug, 2022 | 14:17
Updated-24 Sep, 2025 | 19:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_opmanagermanageengine_opmanager_plusmanageengine_netflow_analyzermanageengine_opmanager_mspmanageengine_oputilsmanageengine_network_configuration_managermanageengine_firewall_analyzern/a
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-755
Improper Handling of Exceptional Conditions
CVE-2026-56823
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 4.56%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 16:02
Updated-26 Jun, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AutoGPT: IDOR in Webhook Ping Endpoint Allows Enumeration and Cross-User Ping Triggering

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the `POST /api/integrations/webhooks/{webhook_id}/ping` endpoint fetches the target webhook by primary key alone without verifying that the webhook belongs to the authenticated user. Any authenticated user can supply an arbitrary webhook_id to confirm webhook existence, leak the webhook's OAuth provider type, and in some cases trigger a ping delivery on behalf of another user. This vulnerability is fixed in .

Action-Not Available
Vendor-Significant-Gravitas
Product-AutoGPT
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-48928
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-4.2||MEDIUM
EPSS-0.26% / 16.92%
||
7 Day CHG+0.01%
Published-26 Jun, 2026 | 01:14
Updated-26 Jun, 2026 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-node.jsnode
CWE ID-CWE-284
Improper Access Control
CVE-2022-3066
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.52% / 40.09%
||
7 Day CHG~0.00%
Published-17 Oct, 2022 | 00:00
Updated-13 May, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an unauthorised user to create issues in a project.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-284
Improper Access Control
CVE-2026-44783
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 4.36%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 20:23
Updated-17 Jun, 2026 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse: Replying to a whisper lets non-whisperers create staff-only whisper posts

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-284
Improper Access Control
CVE-2022-28754
Matching Score-4
Assigner-Zoom Video Communications, Inc.
ShareView Details
Matching Score-4
Assigner-Zoom Video Communications, Inc.
CVSS Score-7.1||HIGH
EPSS-0.49% / 38.32%
||
7 Day CHG~0.00%
Published-11 Aug, 2022 | 14:55
Updated-16 Sep, 2024 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zoom On-Premise Deployments: Improper Access Control Vulnerability

Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other participants, can admit themselves into the meeting from the waiting room, and can become host and cause other meeting disruptions.

Action-Not Available
Vendor-Zoom Communications, Inc.
Product-meeting_connectorZoom On-Premise Meeting Connector MMR
CWE ID-CWE-284
Improper Access Control
CVE-2022-26308
Matching Score-4
Assigner-Pandora FMS
ShareView Details
Matching Score-4
Assigner-Pandora FMS
CVSS Score-3.7||LOW
EPSS-0.33% / 25.11%
||
7 Day CHG~0.00%
Published-01 Aug, 2022 | 12:44
Updated-17 Sep, 2024 | 02:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in Configuration (Credential store)

Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role.

Action-Not Available
Vendor-Pandora FMS S.L.U.
Product-pandora_fmsPandora FMS
CWE ID-CWE-284
Improper Access Control
CVE-2025-30760
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.21%
||
7 Day CHG~0.00%
Published-15 Jul, 2025 | 19:27
Updated-16 Jul, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.9.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-JD Edwards EnterpriseOne Tools
CWE ID-CWE-284
Improper Access Control
CVE-2025-29557
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.70%
||
7 Day CHG+0.01%
Published-31 Jul, 2025 | 00:00
Updated-31 Jul, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control in the MailConfiguration API endpoint, where users with operator-level privileges can issue an HTTP request to retrieve SMTP credentials, including plaintext passwords.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-284
Improper Access Control
CVE-2026-41243
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.18% / 7.42%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 00:09
Updated-29 Apr, 2026 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenLearn's pending forum posts remain publicly readable by direct ID when moderation mode is enabled

OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when `safeMode` is enabled, unapproved forum posts are hidden from the public list, but the direct post-read procedure still returns the full post to anyone with the post UUID. Commit 844b2a40a69d0c4911580fe501923f0b391313ab fixes the issue.

Action-Not Available
Vendor-siemvksiemvk
Product-openlearnOpenLearn
CWE ID-CWE-284
Improper Access Control
CVE-2025-2499
Matching Score-4
Assigner-Devolutions Inc.
ShareView Details
Matching Score-4
Assigner-Devolutions Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.36% / 28.37%
||
7 Day CHG+0.02%
Published-26 Mar, 2025 | 17:14
Updated-02 Jul, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Client side access control bypass in the permission component in Devolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictions—specifically View Password, Edit Asset, and Edit Permissions by performing specific actions. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.

Action-Not Available
Vendor-Devolutions
Product-remote_desktop_managerRemote Desktop Manager
CWE ID-CWE-284
Improper Access Control
CVE-2026-41487
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.18% / 7.90%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 14:27
Updated-13 May, 2026 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Langfuse: Improper role-based-access control in Langfuse LLM connection management allowed users of role “member” to retrieve stored LLM provider API keys

Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an existing LLM connection to an attacker-controlled baseUrl, causing Langfuse to reuse the stored provider secret and redirect the test request to an attacker-controlled endpoint. This could expose the plaintext provider LLM API key for that connection. The attack is only possible if a user is already part of a project and has “member” scoped access. This issue has been patched in version 3.167.0.

Action-Not Available
Vendor-langfuselangfuse
Product-langfuselangfuse
CWE ID-CWE-284
Improper Access Control
CVE-2025-20324
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 12.55%
||
7 Day CHG~0.00%
Published-07 Jul, 2025 | 17:48
Updated-21 Jul, 2025 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in System Source Types Configuration in Splunk Enterprise

In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port.

Action-Not Available
Vendor-Splunk LLC (Cisco Systems, Inc.)
Product-splunksplunk_cloud_platformSplunk EnterpriseSplunk Enterprise Cloud
CWE ID-CWE-284
Improper Access Control
CVE-2022-28753
Matching Score-4
Assigner-Zoom Video Communications, Inc.
ShareView Details
Matching Score-4
Assigner-Zoom Video Communications, Inc.
CVSS Score-7.1||HIGH
EPSS-0.46% / 36.53%
||
7 Day CHG~0.00%
Published-11 Aug, 2022 | 14:55
Updated-16 Sep, 2024 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Zoom On-Premise Deployments: Improper Access Control Vulnerability

Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other participants, can admit themselves into the meeting from the waiting room, and can become host and cause other meeting disruptions.

Action-Not Available
Vendor-Zoom Communications, Inc.
Product-meeting_connectorZoom On-Premise Meeting Connector MMR
CWE ID-CWE-284
Improper Access Control
CVE-2022-1656
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.51% / 39.94%
||
7 Day CHG+0.01%
Published-13 Jun, 2022 | 12:41
Updated-13 Feb, 2025 | 20:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JupiterX Theme <= 2.0.6 and JupiterX Core <= 2.0.6 - Authenticated Arbitrary Plugin Deactivation and Settings Modification

Vulnerable versions of the JupiterX Theme (<=2.0.6) allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin (<=2.0.6). This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.

Action-Not Available
Vendor-artbeesArtBees
Product-jupiter_x_corejupiterxJupiter X CoreJupiter X
CWE ID-CWE-284
Improper Access Control
CVE-2020-15079
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.58% / 43.43%
||
7 Day CHG~0.00%
Published-02 Jul, 2020 | 16:45
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper access control in PrestaShop

In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6

Action-Not Available
Vendor-PrestaShop S.A
Product-prestashopPrestaShop
CWE ID-CWE-284
Improper Access Control
CVE-2025-1391
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.38% / 29.80%
||
7 Day CHG~0.00%
Published-17 Feb, 2025 | 14:01
Updated-06 May, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-services: improper authorization in keycloak organization mapper allows unauthorized organization claims

A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Build of KeycloakRed Hat build of Keycloak 26.0
CWE ID-CWE-284
Improper Access Control
CVE-2026-39346
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.15% / 4.84%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 18:19
Updated-09 Apr, 2026 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OrangeHRM has Improper Access Control Allowing Access to Disabled Modules via URL Encoding

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This vulnerability is fixed in 5.8.1.

Action-Not Available
Vendor-orangehrmorangehrm
Product-orangehrmorangehrm
CWE ID-CWE-284
Improper Access Control
CVE-2023-6547
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.7||LOW
EPSS-0.32% / 23.58%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 08:22
Updated-12 May, 2025 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Playbooks access/modification by removed team member

Mattermost fails to validate team membership when a user attempts to access a playbook, allowing a user with permissions to a playbook but no permissions to the team the playbook is on to access and modify the playbook. This can happen if the user was once a member of the team, got permissions to the playbook and was then removed from the team. 

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-284
Improper Access Control
CVE-2024-7424
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 23.96%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 07:33
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Page Generator Plugin – MPG <= 4.0.1 - Missing Authorization

The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to unauthorized modification of and access to data due to a missing capability check on several functions in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke those functions intended for admin use resulting in subscribers being able to upload csv files and view the contents of MPG projects.

Action-Not Available
Vendor-Themeisle
Product-Multiple Page Generator Plugin – MPG
CWE ID-CWE-284
Improper Access Control
CVE-2025-65963
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 5.28%
||
7 Day CHG~0.00%
Published-25 Nov, 2025 | 23:38
Updated-01 Dec, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CFiles Unauthorized Folder/ZIP Access in Public Spaces

Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2.

Action-Not Available
Vendor-humhub
Product-cfiles
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-285
Improper Authorization
CVE-2023-7055
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.47% / 37.08%
||
7 Day CHG~0.00%
Published-22 Dec, 2023 | 02:31
Updated-02 Aug, 2024 | 08:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PHPGurukul Online Notes Sharing System Contact Information profile.php access control

A vulnerability classified as problematic has been found in PHPGurukul Online Notes Sharing System 1.0. Affected is an unknown function of the file /user/profile.php of the component Contact Information Handler. The manipulation of the argument mobilenumber leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-248742 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-PHPGurukul LLP
Product-online_notes_sharing_systemOnline Notes Sharing System
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2019-14902
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-1.52% / 71.53%
||
7 Day CHG~0.00%
Published-21 Jan, 2020 | 00:00
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is an issue in all samba 4.11.x versions before 4.11.5, all samba 4.10.x versions before 4.10.12 and all samba 4.9.x versions before 4.9.18, where the removal of the right to create or modify a subtree would not automatically be taken away on all domain controllers.

Action-Not Available
Vendor-[UNKNOWN]Canonical Ltd.Debian GNU/LinuxopenSUSESamba
Product-ubuntu_linuxdebian_linuxsambaleapsamba
CWE ID-CWE-284
Improper Access Control
CVE-2023-50344
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-5.4||MEDIUM
EPSS-0.28% / 19.55%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 02:25
Updated-18 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated File Downloads affect DRYiCE MyXalytics

HCL DRYiCE MyXalytics is impacted by improper access control (Unauthenticated File Download) vulnerability. An unauthenticated user can download certain files.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_myxalyticsDRYiCE MyXalytics
CWE ID-CWE-284
Improper Access Control
CVE-2023-47325
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.42% / 33.91%
||
7 Day CHG~0.00%
Published-13 Dec, 2023 | 00:00
Updated-22 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Silverpeas Core 6.3.1 administrative "Bin" feature is affected by broken access control. A user with low privileges is able to navigate directly to the bin, revealing all deleted spaces. The user can then restore or permanently delete the spaces.

Action-Not Available
Vendor-silverpeasn/a
Product-silverpeasn/a
CWE ID-CWE-284
Improper Access Control
CVE-2023-41882
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.40% / 32.00%
||
7 Day CHG~0.00%
Published-11 Oct, 2023 | 19:48
Updated-17 Sep, 2024 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vantage6 Improper Access Control vulnerability

vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version 4.0.0, it is only checked if the user has permission to view the collaboration. Version 4.0.0 contains a patch. There are no known workarounds.

Action-Not Available
Vendor-vantage6vantage6
Product-vantage6vantage6
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-3304
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.9||MEDIUM
EPSS-0.41% / 33.42%
||
7 Day CHG~0.00%
Published-23 Jun, 2023 | 00:00
Updated-07 Nov, 2024 | 19:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in admidio/admidio

Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.

Action-Not Available
Vendor-Admidio
Product-admidioadmidio/admidioadmidio
CWE ID-CWE-284
Improper Access Control
CVE-2023-32238
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 6.25%
||
7 Day CHG~0.00%
Published-29 Dec, 2025 | 23:18
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress TheGem theme < 5.8.1.1 - Broken Access Control vulnerability

Vulnerability in CodexThemes TheGem (Elementor), CodexThemes TheGem (WPBakery).This issue affects TheGem (Elementor): from n/a before 5.8.1.1; TheGem (WPBakery): from n/a before 5.8.1.1.

Action-Not Available
Vendor-CodexThemes
Product-TheGem (WPBakery)TheGem (Elementor)
CWE ID-CWE-284
Improper Access Control
CVE-2025-58337
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-5.4||MEDIUM
EPSS-0.34% / 25.55%
||
7 Day CHG+0.04%
Published-05 Nov, 2025 | 09:26
Updated-12 Nov, 2025 | 20:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server

An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions. Impact: Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications. Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).

Action-Not Available
Vendor-The Apache Software Foundation
Product-doris_mcp_serverApache Doris-MCP-Server
CWE ID-CWE-284
Improper Access Control
CVE-2023-2944
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.45% / 35.83%
||
7 Day CHG~0.00%
Published-27 May, 2023 | 00:00
Updated-14 Jan, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in openemr/openemr

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr/openemr
CWE ID-CWE-284
Improper Access Control
CVE-2023-2104
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 35.83%
||
7 Day CHG~0.00%
Published-15 Apr, 2023 | 00:00
Updated-06 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in alextselegidis/easyappointments

Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

Action-Not Available
Vendor-easyappointmentsalextselegidis
Product-easyappointmentsalextselegidis/easyappointments
CWE ID-CWE-284
Improper Access Control
CVE-2026-28218
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.15% / 4.62%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 21:23
Updated-02 Mar, 2026 | 21:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse's Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. As a workaround, either explicitly set group permissions on each Data Explorer query that doesn't have permissions, or disable discourse-data-explorer plugin.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-discoursediscourse
CWE ID-CWE-284
Improper Access Control
CVE-2021-24635
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.61% / 45.09%
||
7 Day CHG~0.00%
Published-20 Sep, 2021 | 10:06
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls

The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) Get and search through title and content of Draft post, 2) Get title of a password-protected post as well as 3) Upload an image from an URL

Action-Not Available
Vendor-bootstrappedUnknown
Product-visual_link_previewVisual Link Preview
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • Next
Details not found