Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-20896

Summary
Assigner-Gitea
Assigner Org ID-88ee5874-cf24-4952-aea0-31affedb7ff2
Published At-03 Jul, 2026 | 20:19
Updated At-03 Jul, 2026 | 20:19
Rejected At-
Credits

Gitea Docker image trusts spoofable reverse-proxy headers by default

Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Gitea
Assigner Org ID:88ee5874-cf24-4952-aea0-31affedb7ff2
Published At:03 Jul, 2026 | 20:19
Updated At:03 Jul, 2026 | 20:19
Rejected At:
â–¼CVE Numbering Authority (CNA)
Gitea Docker image trusts spoofable reverse-proxy headers by default

Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.

Affected Products
Vendor
Gitea
Product
Gitea Open Source Git Server
Default Status
unaffected
Versions
Affected
  • From 0 through 1.26.2 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284
Type: CWE
CWE ID: CWE-284
Description: CWE-284
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
rz1027
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/go-gitea/gitea/security/advisories/GHSA-f75j-4cw6-rmx4
vendor-advisory
https://github.com/go-gitea/gitea/pull/38151
patch
https://github.com/go-gitea/gitea/releases/tag/v1.26.3
release-notes
https://blog.gitea.com/release-of-1.26.3-and-1.26.4/
release-notes
Hyperlink: https://github.com/go-gitea/gitea/security/advisories/GHSA-f75j-4cw6-rmx4
Resource:
vendor-advisory
Hyperlink: https://github.com/go-gitea/gitea/pull/38151
Resource:
patch
Hyperlink: https://github.com/go-gitea/gitea/releases/tag/v1.26.3
Resource:
release-notes
Hyperlink: https://blog.gitea.com/release-of-1.26.3-and-1.26.4/
Resource:
release-notes
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:88ee5874-cf24-4952-aea0-31affedb7ff2
Published At:03 Jul, 2026 | 21:16
Updated At:03 Jul, 2026 | 21:16

Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-284Secondary88ee5874-cf24-4952-aea0-31affedb7ff2
CWE ID: CWE-284
Type: Secondary
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://blog.gitea.com/release-of-1.26.3-and-1.26.4/88ee5874-cf24-4952-aea0-31affedb7ff2
N/A
https://github.com/go-gitea/gitea/pull/3815188ee5874-cf24-4952-aea0-31affedb7ff2
N/A
https://github.com/go-gitea/gitea/releases/tag/v1.26.388ee5874-cf24-4952-aea0-31affedb7ff2
N/A
https://github.com/go-gitea/gitea/security/advisories/GHSA-f75j-4cw6-rmx488ee5874-cf24-4952-aea0-31affedb7ff2
N/A
Hyperlink: https://blog.gitea.com/release-of-1.26.3-and-1.26.4/
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Resource: N/A
Hyperlink: https://github.com/go-gitea/gitea/pull/38151
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Resource: N/A
Hyperlink: https://github.com/go-gitea/gitea/releases/tag/v1.26.3
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Resource: N/A
Hyperlink: https://github.com/go-gitea/gitea/security/advisories/GHSA-f75j-4cw6-rmx4
Source: 88ee5874-cf24-4952-aea0-31affedb7ff2
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

498Records found

CVE-2026-20706
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea repository archive downloads bypass token scope checks

Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-27779
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea forwarded-proto handling allows public URL spoofing

Gitea versions before 1.25.5 accept malformed or injected forwarded-proto values when detecting public URLs, allowing spoofed canonical URL generation.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-58422
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:54
Updated-03 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts

Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-20909
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea tracked-time list endpoint has insufficient permission checks

Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-22555
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-8.1||HIGH
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea organization forks can expose organization secrets without create permission

Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-24451
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea fork synchronization can expose private parent repository data

Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer be authorized.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2026-24690
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea pull-request branch updates use insufficient permission checks

Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-25712
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea organization permission APIs expose private visibility information

Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-26247
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea OAuth2 PKCE S256 challenges are not enforced during token exchange

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-26292
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea LFS mirror synchronization bypasses migration HTTP transport restrictions

Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-27660
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea draft releases use insufficient permission checks

Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-28699
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-8.1||HIGH
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:19
Updated-03 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea Basic Auth bypasses OAuth2 access token scopes

Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-58421
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-Not Assigned
EPSS-Not Assigned
Published-03 Jul, 2026 | 20:54
Updated-03 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated ReDoS via CODEOWNERS pattern matching allows denial of service

Unauthenticated ReDoS via CODEOWNERS pattern matching allows denial of service

Action-Not Available
Vendor-Gitea
Product-Gitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-20904
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 19.54%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 22:01
Updated-29 Jan, 2026 | 22:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.

Action-Not Available
Vendor-giteaGitea
Product-giteaGitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-20750
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-9.1||CRITICAL
EPSS-0.39% / 31.16%
||
7 Day CHG+0.04%
Published-22 Jan, 2026 | 22:01
Updated-29 Jun, 2026 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea Organization Projects Cross-Organization Authorization Bypass via Project ID (IDOR)

Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.

Action-Not Available
Vendor-giteaGiteaRed Hat, Inc.
Product-giteaGitea Open Source Git ServerOpenShift Pipelines
CWE ID-CWE-284
Improper Access Control
CVE-2026-20912
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-9.1||CRITICAL
EPSS-0.41% / 33.30%
||
7 Day CHG+0.05%
Published-22 Jan, 2026 | 22:01
Updated-29 Jun, 2026 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.

Action-Not Available
Vendor-giteaGiteaRed Hat, Inc.
Product-giteaGitea Open Source Git ServerOpenShift Pipelines
CWE ID-CWE-283
Unverified Ownership
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-20736
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-7.5||HIGH
EPSS-0.36% / 27.85%
||
7 Day CHG+0.04%
Published-22 Jan, 2026 | 22:01
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea Web Attachment Deletion: Cross-Repository Unauthorized Deletion via Missing Repo Ownership Check

Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.

Action-Not Available
Vendor-giteaGiteaRed Hat, Inc.
Product-giteaGitea Open Source Git ServerOpenShift Pipelines
CWE ID-CWE-284
Improper Access Control
CVE-2026-20888
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-4.3||MEDIUM
EPSS-0.30% / 22.05%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 22:01
Updated-29 Jan, 2026 | 22:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea Pull Requests Auto-Merge: Read-Only Users Can Cancel Scheduled Auto-Merge via Web Endpoint (Authorization Bypass)

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.

Action-Not Available
Vendor-giteaGitea
Product-giteaGitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2026-20897
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-9.1||CRITICAL
EPSS-0.41% / 33.30%
||
7 Day CHG+0.05%
Published-22 Jan, 2026 | 22:01
Updated-29 Jun, 2026 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)

Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.

Action-Not Available
Vendor-giteaGiteaRed Hat, Inc.
Product-giteaGitea Open Source Git ServerOpenShift Pipelines
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-20883
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 25.25%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 22:01
Updated-29 Jan, 2026 | 21:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea Stopwatch API Missing Authorization Check Leads to Post-Revocation Information Disclosure

Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.

Action-Not Available
Vendor-giteaGitea
Product-giteaGitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2026-0798
Matching Score-6
Assigner-Gitea Limited
ShareView Details
Matching Score-6
Assigner-Gitea Limited
CVSS Score-3.5||LOW
EPSS-0.24% / 14.66%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 22:01
Updated-29 Jan, 2026 | 21:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation

Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.

Action-Not Available
Vendor-giteaGitea
Product-giteaGitea Open Source Git Server
CWE ID-CWE-284
Improper Access Control
CVE-2025-43194
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.74% / 49.99%
||
7 Day CHG+0.04%
Published-29 Jul, 2025 | 23:35
Updated-02 Apr, 2026 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to modify protected parts of the file system.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-284
Improper Access Control
CVE-2016-10144
Matching Score-4
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-4
Assigner-Debian GNU/Linux
CVSS Score-9.8||CRITICAL
EPSS-4.93% / 91.08%
||
7 Day CHG~0.00%
Published-24 Mar, 2017 | 15:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

coders/ipl.c in ImageMagick allows remote attackers to have unspecific impact by leveraging a missing malloc check.

Action-Not Available
Vendor-n/aImageMagick Studio LLC
Product-imagemagickn/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-43198
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.64% / 46.16%
||
7 Day CHG+0.04%
Published-29 Jul, 2025 | 23:35
Updated-02 Apr, 2026 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7. An app may be able to access protected user data.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-284
Improper Access Control
CVE-2025-43184
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.69% / 48.23%
||
7 Day CHG+0.05%
Published-29 Jul, 2025 | 23:28
Updated-02 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. A shortcut may be able to bypass sensitive Shortcuts app settings.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-284
Improper Access Control
CVE-2022-26346
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-9.6||CRITICAL
EPSS-1.04% / 59.89%
||
7 Day CHG~0.00%
Published-05 Aug, 2022 | 21:18
Updated-15 Apr, 2025 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service vulnerability exists in the ucloud_del_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability.

Action-Not Available
Vendor-TCL
Product-linkhub_mesh_wifi_ac1200LinkHub Mesh Wifi
CWE ID-CWE-284
Improper Access Control
CVE-2025-43192
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.64% / 46.17%
||
7 Day CHG+0.04%
Published-29 Jul, 2025 | 23:28
Updated-02 Apr, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A configuration issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7. Account-driven User Enrollment may still be possible with Lockdown Mode turned on.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-284
Improper Access Control
CVE-2025-4291
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 26.30%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 22:00
Updated-03 Oct, 2025 | 14:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IdeaCMS saveUpload unrestricted upload

A vulnerability, which was classified as critical, was found in IdeaCMS up to 1.6. Affected is the function saveUpload. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-ideacmsn/a
Product-ideacmsIdeaCMS
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2025-43233
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.72% / 49.26%
||
7 Day CHG+0.05%
Published-29 Jul, 2025 | 23:54
Updated-02 Apr, 2026 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This issue was addressed with improved access restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. A malicious app acting as a HTTPS proxy could get access to sensitive user data.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-284
Improper Access Control
CVE-2026-56290
Matching Score-4
Assigner-Joomla! Project
ShareView Details
Matching Score-4
Assigner-Joomla! Project
CVSS Score-10||CRITICAL
EPSS-0.28% / 19.42%
||
7 Day CHG~0.00%
Published-29 Jun, 2026 | 14:31
Updated-02 Jul, 2026 | 18:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0

The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

Action-Not Available
Vendor-joomlackjoomlack.fr
Product-page_builder_ckJoomlaCK.fr Page Builder CK extension for Joomla
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-5569
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.45% / 35.86%
||
7 Day CHG~0.00%
Published-05 Apr, 2026 | 13:15
Updated-30 Apr, 2026 | 20:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Technostrobe HI-LED-WR120-G2 Endpoint access control

A vulnerability was found in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. Impacted is an unknown function of the file /Technostrobe/ of the component Endpoint. The manipulation results in improper access controls. The attack may be performed from remote. The exploit has been made public and could be used. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-technostrobeTechnostrobe
Product-hi-led-wr120-g2hi-led-wr120-g2_firmwareHI-LED-WR120-G2
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2026-5788
Matching Score-4
Assigner-Ivanti
ShareView Details
Matching Score-4
Assigner-Ivanti
CVSS Score-7||HIGH
EPSS-0.82% / 52.70%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 15:29
Updated-07 May, 2026 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEndpoint Manager Mobile
CWE ID-CWE-284
Improper Access Control
CVE-2026-5573
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.52% / 40.35%
||
7 Day CHG~0.00%
Published-05 Apr, 2026 | 14:30
Updated-30 Apr, 2026 | 20:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Technostrobe HI-LED-WR120-G2 fs unrestricted upload

A weakness has been identified in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. This impacts an unknown function of the file /fs. Executing a manipulation of the argument cwd can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-technostrobeTechnostrobe
Product-hi-led-wr120-g2hi-led-wr120-g2_firmwareHI-LED-WR120-G2
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2020-15181
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-1.42% / 69.64%
||
7 Day CHG~0.00%
Published-18 Sep, 2020 | 17:55
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Admin account takeover in Alfresco Reset Password

The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision. Intruders can get admin's access to the system using the vulnerability in the project. Impacts all servers where this add-on is installed. The problem is fixed in version 1.2.0

Action-Not Available
Vendor-alfrescoFlexSolution
Product-reset_passwordAlfrescoResetPassword
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-20
Improper Input Validation
CVE-2025-43232
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.73% / 49.64%
||
7 Day CHG+0.04%
Published-29 Jul, 2025 | 23:35
Updated-02 Apr, 2026 | 19:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to bypass certain Privacy preferences.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-284
Improper Access Control
CVE-2026-5526
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.36% / 28.20%
||
7 Day CHG~0.00%
Published-04 Apr, 2026 | 22:15
Updated-30 Apr, 2026 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda 4G03 Pro httpd access control

A security flaw has been discovered in Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1. Affected by this vulnerability is an unknown functionality of the file /bin/httpd. The manipulation results in improper access controls. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-4g03_pro_firmware4g03_pro4G03 Pro
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2025-4259
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 31.94%
||
7 Day CHG~0.00%
Published-05 May, 2025 | 02:00
Updated-10 Oct, 2025 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
newbee-mall UploadController.java upload unrestricted upload

A vulnerability has been found in newbee-mall 1.0 and classified as critical. Affected by this vulnerability is the function Upload of the file ltd/newbee/mall/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.

Action-Not Available
Vendor-newbee-mall_projectn/a
Product-newbee-mallnewbee-mall
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-48898
Matching Score-4
Assigner-Joomla! Project
ShareView Details
Matching Score-4
Assigner-Joomla! Project
CVSS Score-8.2||HIGH
EPSS-0.27% / 18.44%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:42
Updated-27 May, 2026 | 09:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260513] - Privilege escalation through com_users batch task

An improper access check allows privilege escalation through the com_users batch task.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2025-4036
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.43% / 34.72%
||
7 Day CHG+0.02%
Published-28 Apr, 2025 | 20:00
Updated-10 May, 2025 | 00:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
201206030 Novel Chapter AuthorController.java updateBookChapter access control

A vulnerability was found in 201206030 Novel 3.5.0 and classified as critical. This issue affects the function updateBookChapter of the file src/main/java/io/github/xxyopen/novel/controller/author/AuthorController.java of the component Chapter Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-xxyopen201206030
Product-novelNovel
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-284
Improper Access Control
CVE-2026-48899
Matching Score-4
Assigner-Joomla! Project
ShareView Details
Matching Score-4
Assigner-Joomla! Project
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 14.25%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:44
Updated-27 May, 2026 | 09:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260515] - Incorrect Access Control in sample data plugins

An improper access check allows privilege escalation through the com_users batch task.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2022-26313
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-9.8||CRITICAL
EPSS-0.93% / 56.25%
||
7 Day CHG~0.00%
Published-08 Mar, 2022 | 11:31
Updated-03 Aug, 2024 | 05:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1). In certain configurations of the affected product, a threat actor could use the sign up flow to hijack arbitrary user accounts.

Action-Not Available
Vendor-mendixSiemens AG
Product-forgot_passwordMendix Forgot Password Appstore module
CWE ID-CWE-284
Improper Access Control
CVE-2023-42769
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.79% / 51.67%
||
7 Day CHG~0.00%
Published-26 Oct, 2023 | 16:15
Updated-16 Jan, 2025 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sielco Radio Link and Analog FM Transmitters Improper Access Control

The cookie session ID is of insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication, and manipulate the transmitter.

Action-Not Available
Vendor-sielcoSielco
Product-analog_fm_transmitter_exc2000gxanalog_fm_transmitter_exc5000gtradio_link_exc19_firmwareanalog_fm_transmitter_exc1000gt_firmwareanalog_fm_transmitter_exc300gx_firmwareanalog_fm_transmitter_exc1600gx_firmwareanalog_fm_transmitter_exc100gtanalog_fm_transmitter_exc1000gx_firmwareanalog_fm_transmitter_exc300gt_firmwareanalog_fm_transmitter_exc5000gt_firmwareanalog_fm_transmitter_exc120gtanalog_fm_transmitter_exc120gx_firmwareanalog_fm_transmitter_exc5000gx_firmwareanalog_fm_transmitter_exc1600gxanalog_fm_transmitter_exc5000gxanalog_fm_transmitter_exc120gt_firmwareanalog_fm_transmitter_exc2000gx_firmwareradio_link_rtx19analog_fm_transmitter_exc3000gx_firmwareanalog_fm_transmitter_exc1000gxanalog_fm_transmitter_exc120gxanalog_fm_transmitter_exc300gtradio_link_exc19analog_fm_transmitter_exc100gt_firmwareanalog_fm_transmitter_exc3000gxradio_link_rtx19_firmwareanalog_fm_transmitter_exc300gxanalog_fm_transmitter_exc30gtanalog_fm_transmitter_exc30gt_firmwareanalog_fm_transmitter_exc1000gtRadio LinkAnalog FM transmitter
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-2578
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.58% / 43.34%
||
7 Day CHG~0.00%
Published-29 Jul, 2022 | 15:40
Updated-15 Apr, 2025 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Garage Management System createUser.php access control

A vulnerability, which was classified as critical, has been found in SourceCodester Garage Management System 1.0. This issue affects some unknown processing of the file /php_action/createUser.php. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-SourceCodestermayuri_k
Product-garage_management_systemGarage Management System
CWE ID-CWE-284
Improper Access Control
CVE-2026-48904
Matching Score-4
Assigner-Joomla! Project
ShareView Details
Matching Score-4
Assigner-Joomla! Project
CVSS Score-8.2||HIGH
EPSS-0.29% / 20.94%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:43
Updated-27 May, 2026 | 09:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Joomla! Core - [20260514] - Privilege escalation through com_users webservice endpoints

An improper access check allows privelege escalation through the com_users group editing webservice endpoint.

Action-Not Available
Vendor-Joomla!
Product-joomla\!Joomla! CMS
CWE ID-CWE-284
Improper Access Control
CVE-2026-48930
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-5.6||MEDIUM
EPSS-0.40% / 32.45%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 01:14
Updated-26 Jun, 2026 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-node.jsnode
CWE ID-CWE-284
Improper Access Control
CVE-2020-13675
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-9.8||CRITICAL
EPSS-1.22% / 64.91%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 15:45
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

Action-Not Available
Vendor-The Drupal Association
Product-drupalCore
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-46889
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 37.54%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 19:27
Updated-18 Jun, 2026 | 22:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-siebel_apps_-_marketingSiebel Apps - Marketing
CWE ID-CWE-284
Improper Access Control
CVE-2026-46878
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 38.13%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 19:27
Updated-18 Jun, 2026 | 22:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-jd_edwards_enterpriseone_toolsJD Edwards EnterpriseOne Tools
CWE ID-CWE-284
Improper Access Control
CVE-2026-46883
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 37.51%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 19:27
Updated-18 Jun, 2026 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-jd_edwards_enterpriseone_toolsJD Edwards EnterpriseOne Tools
CWE ID-CWE-284
Improper Access Control
CVE-2026-46904
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-0.47% / 37.51%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 19:27
Updated-18 Jun, 2026 | 20:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-jd_edwards_enterpriseone_toolsJD Edwards EnterpriseOne Tools
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-306
Missing Authentication for Critical Function
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 9
  • 10
  • Next
Details not found