Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-50891

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-15 Jun, 2026 | 00:00
Updated At-16 Jun, 2026 | 18:06
Rejected At-
Credits

Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:15 Jun, 2026 | 00:00
Updated At:16 Jun, 2026 | 18:06
Rejected At:
â–¼CVE Numbering Authority (CNA)

Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://gist.github.com/pyuysig/50dc365f54f95396bb67532f02b34bb0
N/A
Hyperlink: https://gist.github.com/pyuysig/50dc365f54f95396bb67532f02b34bb0
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284 Improper Access Control
Type: CWE
CWE ID: CWE-284
Description: CWE-284 Improper Access Control
Metrics
VersionBase scoreBase severityVector
3.18.1HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://gist.github.com/pyuysig/50dc365f54f95396bb67532f02b34bb0
exploit
Hyperlink: https://gist.github.com/pyuysig/50dc365f54f95396bb67532f02b34bb0
Resource:
exploit
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:15 Jun, 2026 | 20:16
Updated At:16 Jun, 2026 | 19:17

Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.1HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-284Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-284
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://gist.github.com/pyuysig/50dc365f54f95396bb67532f02b34bb0cve@mitre.org
N/A
https://gist.github.com/pyuysig/50dc365f54f95396bb67532f02b34bb0134c704f-9b21-4f2e-91b3-4a467353bcc0
N/A
Hyperlink: https://gist.github.com/pyuysig/50dc365f54f95396bb67532f02b34bb0
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://gist.github.com/pyuysig/50dc365f54f95396bb67532f02b34bb0
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

90Records found

CVE-2024-45170
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.65% / 46.52%
||
7 Day CHG~0.00%
Published-04 Sep, 2024 | 00:00
Updated-04 Sep, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper or missing access control, low privileged users can use administrative functions of the C-MOR web interface. It was found out that different functions are only available to administrative users. However, access those functions is restricted via the web application user interface and not checked on the server side. Thus, by sending corresponding HTTP requests to the web server of the C-MOR web interface, low privileged users can also use administrative functionality, for instance downloading backup files or changing configuration settings.

Action-Not Available
Vendor-c-morn/aza-internet
Product-c-mor_video_surveillancen/ac-mor_video_surveillance
CWE ID-CWE-284
Improper Access Control
CVE-2020-8121
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-8.1||HIGH
EPSS-1.04% / 59.70%
||
7 Day CHG~0.00%
Published-04 Feb, 2020 | 19:08
Updated-04 Aug, 2024 | 09:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer.

Action-Not Available
Vendor-n/aNextcloud GmbH
Product-nextcloud_serverNextcloud Server
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2020-7578
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.1||HIGH
EPSS-1.06% / 60.27%
||
7 Day CHG~0.00%
Published-14 Jul, 2020 | 13:18
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Camstar Enterprise Platform (All versions), Opcenter Execution Core (All versions < V8.2). Authenticated users could have access to resources they normally would not have. This vulnerability could allow an attacker to view internal information and perform unauthorized changes.

Action-Not Available
Vendor-Siemens AG
Product-opcenter_execution_coreCamstar Enterprise PlatformOpcenter Execution Core
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-269
Improper Privilege Management
CVE-2024-37882
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.54% / 41.33%
||
7 Day CHG~0.00%
Published-14 Jun, 2024 | 15:28
Updated-02 Aug, 2024 | 03:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nextcloud Server can reshare read&share only folder with more permissions

Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4.

Action-Not Available
Vendor-Nextcloud GmbH
Product-nextcloud_serversecurity-advisories
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-281
Improper Preservation of Permissions
CVE-2024-44313
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.64% / 46.22%
||
7 Day CHG~0.00%
Published-18 Mar, 2025 | 00:00
Updated-02 Apr, 2025 | 12:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the invoice() function within Orders.php which allows unauthorized users to access and generate invoices due to missing permission checks.

Action-Not Available
Vendor-tastyignitern/a
Product-tastyignitern/a
CWE ID-CWE-284
Improper Access Control
CVE-2024-42480
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.62% / 45.43%
||
7 Day CHG~0.00%
Published-12 Aug, 2024 | 15:21
Updated-16 Aug, 2024 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kamaji's RBAC Roles for `etcd` are not disjunct

Kamaji is the Hosted Control Plane Manager for Kubernetes. In versions 1.0.0 and earlier, Kamaji uses an "open at the top" range definition in RBAC for etcd roles leading to some TCPs API servers being able to read, write, and delete the data of other control planes. This vulnerability is fixed in edge-24.8.2.

Action-Not Available
Vendor-clastixclastixclastix
Product-kamajikamajikamaji
CWE ID-CWE-284
Improper Access Control
CVE-2025-2280
Matching Score-4
Assigner-Devolutions Inc.
ShareView Details
Matching Score-4
Assigner-Devolutions Inc.
CVSS Score-8.1||HIGH
EPSS-0.47% / 37.28%
||
7 Day CHG~0.00%
Published-13 Mar, 2025 | 13:02
Updated-28 Mar, 2025 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticated user to bypass the browser extension restriction feature.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-284
Improper Access Control
CVE-2019-11780
Matching Score-4
Assigner-Odoo
ShareView Details
Matching Score-4
Assigner-Odoo
CVSS Score-8.1||HIGH
EPSS-2.06% / 79.03%
||
7 Day CHG~0.00%
Published-19 Dec, 2019 | 15:50
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation.

Action-Not Available
Vendor-odooOdoo
Product-odooOdoo CommunityOdoo Enterprise
CWE ID-CWE-284
Improper Access Control
CVE-2023-35939
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.48% / 37.75%
||
7 Day CHG~0.00%
Published-05 Jul, 2023 | 20:42
Updated-18 Oct, 2024 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GLPI vulnerable to unauthorized access to Dashboard data

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue.

Action-Not Available
Vendor-GLPI Project
Product-glpiglpiglpi
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-284
Improper Access Control
CVE-2023-2946
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.3||MEDIUM
EPSS-0.49% / 38.52%
||
7 Day CHG~0.00%
Published-27 May, 2023 | 00:00
Updated-14 Jan, 2025 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in openemr/openemr

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr/openemr
CWE ID-CWE-284
Improper Access Control
CVE-2023-29051
Matching Score-4
Assigner-Open-Xchange
ShareView Details
Matching Score-4
Assigner-Open-Xchange
CVSS Score-8.1||HIGH
EPSS-0.55% / 41.76%
||
7 Day CHG~0.00%
Published-08 Jan, 2024 | 09:04
Updated-04 Nov, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects related to other users and contexts. We now make sure that the switch to disable user-generated templates by default works as intended and will remove the feature in future generations of the product. No publicly available exploits are known.

Action-Not Available
Vendor-Open-Xchange AG
Product-ox_app_suiteOX App Suite
CWE ID-CWE-284
Improper Access Control
CVE-2026-21694
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.24% / 15.50%
||
7 Day CHG~0.00%
Published-07 Jan, 2026 | 23:10
Updated-12 Jan, 2026 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Titra APIs have Improper Access Control

Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50.

Action-Not Available
Vendor-kromitkromitgmbh
Product-titratitra
CWE ID-CWE-284
Improper Access Control
CVE-2022-47634
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.47% / 37.55%
||
7 Day CHG~0.00%
Published-01 Jan, 2023 | 00:00
Updated-10 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

M-Link Archive Server in Isode M-Link R16.2v1 through R17.0 before R17.0v24 allows non-administrative users to access and manipulate archive data via certain HTTP endpoints, aka LINK-2867.

Action-Not Available
Vendor-isoden/a
Product-m-linkn/a
CWE ID-CWE-284
Improper Access Control
CVE-2022-4567
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.1||HIGH
EPSS-0.61% / 44.69%
||
7 Day CHG~0.00%
Published-17 Dec, 2022 | 00:00
Updated-14 Apr, 2025 | 18:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in openemr/openemr

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.

Action-Not Available
Vendor-OpenEMR Foundation, Inc
Product-openemropenemr/openemr
CWE ID-CWE-284
Improper Access Control
CVE-2022-45936
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.1||HIGH
EPSS-0.70% / 48.82%
||
7 Day CHG~0.00%
Published-13 Dec, 2022 | 00:00
Updated-22 Apr, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Mendix Email Connector (All versions < V2.0.0). Affected versions of the module improperly handle access control for some module entities. This could allow authenticated remote attackers to read and manipulate sensitive information.

Action-Not Available
Vendor-Siemens AG
Product-mendix_email_connectorMendix Email Connector
CWE ID-CWE-284
Improper Access Control
CVE-2022-46664
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.1||HIGH
EPSS-0.69% / 48.28%
||
7 Day CHG~0.00%
Published-13 Dec, 2022 | 00:00
Updated-21 Apr, 2025 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Mendix Workflow Commons (All versions < V2.4.0), Mendix Workflow Commons V2.1 (All versions < V2.1.4), Mendix Workflow Commons V2.3 (All versions < V2.3.2). Affected versions of the module improperly handle access control for some module entities. This could allow authenticated remote attackers to read or delete sensitive information.

Action-Not Available
Vendor-Siemens AG
Product-mendix_workflow_commonsMendix Workflow CommonsMendix Workflow Commons V2.3Mendix Workflow Commons V2.1
CWE ID-CWE-284
Improper Access Control
CVE-2022-24841
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.79% / 51.78%
||
7 Day CHG~0.00%
Published-18 Apr, 2022 | 21:20
Updated-23 Apr, 2025 | 18:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Authorization in github.com/fleetdm/fleet

fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue.

Action-Not Available
Vendor-fleetdmfleetdm
Product-fleetfleet
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-45111
Matching Score-4
Assigner-Odoo
ShareView Details
Matching Score-4
Assigner-Odoo
CVSS Score-7.1||HIGH
EPSS-0.84% / 53.45%
||
7 Day CHG~0.00%
Published-25 Apr, 2023 | 18:33
Updated-04 Aug, 2024 | 04:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.

Action-Not Available
Vendor-odooOdoo
Product-odooOdoo CommunityOdoo Enterprise
CWE ID-CWE-284
Improper Access Control
CVE-2021-35221
Matching Score-4
Assigner-SolarWinds
ShareView Details
Matching Score-4
Assigner-SolarWinds
CVSS Score-6.3||MEDIUM
EPSS-2.04% / 78.81%
||
7 Day CHG~0.00%
Published-31 Aug, 2021 | 12:13
Updated-04 Aug, 2024 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ImportAlert Improper Access Control Tampering Vulnerability

Improper Access Control Tampering Vulnerability using ImportAlert function which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.Microsoft Corporation
Product-windowsorion_platformOrion Platform
CWE ID-CWE-284
Improper Access Control
CVE-2025-70997
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.19% / 8.43%
||
7 Day CHG~0.00%
Published-04 Feb, 2026 | 00:00
Updated-12 Feb, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level.

Action-Not Available
Vendor-eladminn/a
Product-eladminn/a
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-70614
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.26% / 17.47%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 00:00
Updated-06 May, 2026 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain to access to arbitrary SMS messages via a crafted company or tenant identifier parameter.

Action-Not Available
Vendor-opencoden/a
Product-ussd_gatewayn/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-67796
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.24% / 15.55%
||
7 Day CHG~0.00%
Published-04 May, 2026 | 00:00
Updated-07 May, 2026 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-65594
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.26% / 17.51%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 00:00
Updated-11 Dec, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users.

Action-Not Available
Vendor-os4edn/a
Product-opensisn/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-62510
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.28% / 19.70%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 17:39
Updated-04 Dec, 2025 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FileRise insecure folder visibility via name-based mapping and incomplete ACL checks

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In version 1.4.0, a regression allowed folder visibility/ownership to be inferred from folder names. Low-privilege users could see or interact with folders matching their username and, in some cases, other users’ content. This issue has been patched in version 1.5.0, where it introduces explicit per-folder ACLs (owners/read/write/share/read_own) and strict server-side checks across list, read, write, share, rename, copy/move, zip, and WebDAV paths.

Action-Not Available
Vendor-fileriseerror311
Product-fileriseFileRise
CWE ID-CWE-280
Improper Handling of Insufficient Permissions or Privileges
CWE ID-CWE-284
Improper Access Control
CVE-2025-62509
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.28% / 19.70%
||
7 Day CHG~0.00%
Published-20 Oct, 2025 | 17:38
Updated-04 Dec, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FileRise improper ownership/permission validation allowed cross-tenant file operations

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRise’s file/folder handling allows low-privilege users to perform unauthorized operations (view/delete/modify) on files created by other users. The root cause was inferring ownership/visibility from folder names (e.g., a folder named after a username) and missing server-side authorization/ownership checks across file operation endpoints. This amounted to an IDOR pattern: an attacker could operate on resources identified only by predictable names. This issue has been patched in version 1.4.0 and further hardened in version 1.5.0. A workaround for this issue involves restricting non-admin users to read-only or disable delete/rename APIs server-side, avoid creating top-level folders named after other usernames, and adding server-side checks that verify ownership before delete/rename/move.

Action-Not Available
Vendor-fileriseerror311
Product-fileriseFileRise
CWE ID-CWE-280
Improper Handling of Insufficient Permissions or Privileges
CWE ID-CWE-284
Improper Access Control
CVE-2025-61763
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-8.1||HIGH
EPSS-0.25% / 15.74%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 20:03
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in Oracle Essbase (component: Essbase Web Platform). The supported version that is affected is 21.7.3.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Essbase. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Essbase accessible data as well as unauthorized access to critical data or complete access to all Oracle Essbase accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-essbaseOracle Essbase
CWE ID-CWE-284
Improper Access Control
CVE-2021-24197
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.1||HIGH
EPSS-1.24% / 65.44%
||
7 Day CHG~0.00%
Published-12 Apr, 2021 | 13:58
Updated-03 Aug, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wpDataTables < 3.4.2 - Improper Access Control leading to Table Permission Takeover

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table.

Action-Not Available
Vendor-tms-outsourcewpDataTables
Product-wpdatatableswpDataTables – Tables & Table Charts
CWE ID-CWE-284
Improper Access Control
CVE-2025-56274
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.41% / 33.35%
||
7 Day CHG~0.00%
Published-15 Sep, 2025 | 00:00
Updated-09 Apr, 2026 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SourceCodester Web-based Pharmacy Product Management System 1.0 is vulnerable to Incorrect Access Control, which allows low-privileged users to forge high privileged (such as admin) sessions and perform sensitive operations such as adding new users.

Action-Not Available
Vendor-n/aSenior Walter
Product-web-based_pharmacy_product_management_systemn/a
CWE ID-CWE-284
Improper Access Control
CVE-2024-35433
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.46% / 36.73%
||
7 Day CHG~0.00%
Published-30 May, 2024 | 17:10
Updated-17 Jun, 2025 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user.

Action-Not Available
Vendor-n/aZKTeco Co., Ltd.
Product-zkbio_cvsecurityn/azkbio_cvsecurity
CWE ID-CWE-284
Improper Access Control
CVE-2025-50060
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-8.1||HIGH
EPSS-0.26% / 17.16%
||
7 Day CHG~0.00%
Published-15 Jul, 2025 | 19:27
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 7.6.0.0.0, 8.2.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle BI Publisher accessible data as well as unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-Oracle BI Publisher
CWE ID-CWE-284
Improper Access Control
CVE-2025-50105
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-8.1||HIGH
EPSS-0.34% / 26.18%
||
7 Day CHG~0.00%
Published-15 Jul, 2025 | 19:27
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Administration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Universal Work Queue accessible data as well as unauthorized access to critical data or complete access to all Oracle Universal Work Queue accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-Oracle Universal Work Queue
CWE ID-CWE-284
Improper Access Control
CVE-2025-68721
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.31% / 22.84%
||
7 Day CHG~0.00%
Published-05 Feb, 2026 | 00:00
Updated-13 Feb, 2026 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section.

Action-Not Available
Vendor-axigenn/a
Product-axigen_mail_servern/a
CWE ID-CWE-284
Improper Access Control
CVE-2024-2505
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-8.1||HIGH
EPSS-0.64% / 45.97%
||
7 Day CHG~0.00%
Published-29 Apr, 2024 | 06:00
Updated-08 May, 2025 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GamiPress < 6.8.9 - Broken Access Control

The GamiPress WordPress plugin before 6.8.9's access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower privileged users, like Subscribers, despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical GamiPress WordPress plugin before 6.8.9 configurations.

Action-Not Available
Vendor-gamipressUnknowngamipress
Product-gamipressGamiPress gamipress
CWE ID-CWE-284
Improper Access Control
CVE-2024-21153
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-8.1||HIGH
EPSS-0.39% / 30.79%
||
7 Day CHG~0.00%
Published-16 Jul, 2024 | 22:40
Updated-17 Jun, 2025 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite (component: Quality Management Specs). The supported version that is affected is 12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Product Development. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Process Manufacturing Product Development accessible data as well as unauthorized access to critical data or complete access to all Oracle Process Manufacturing Product Development accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-process_manufacturing_product_developmentProcess Manufacturing Product Developmentprocess_manufacturing_product_development
CWE ID-CWE-284
Improper Access Control
CVE-2024-12368
Matching Score-4
Assigner-Odoo
ShareView Details
Matching Score-4
Assigner-Odoo
CVSS Score-8.1||HIGH
EPSS-0.64% / 46.20%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 18:10
Updated-25 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users.

Action-Not Available
Vendor-Odoo
Product-Odoo CommunityOdoo Enterprise
CWE ID-CWE-284
Improper Access Control
CVE-2024-0212
Matching Score-4
Assigner-Cloudflare, Inc.
ShareView Details
Matching Score-4
Assigner-Cloudflare, Inc.
CVSS Score-8.1||HIGH
EPSS-0.85% / 53.59%
||
7 Day CHG~0.00%
Published-29 Jan, 2024 | 09:13
Updated-06 Jun, 2025 | 17:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cloudflare WordPress plugin enables information disclosure of Cloudflare API (for low privileged users)

The Cloudflare Wordpress plugin was found to be vulnerable to improper authentication. The vulnerability enables attackers with a lower privileged account to access data from the Cloudflare API.

Action-Not Available
Vendor-Cloudflare, Inc.
Product-cloudflareCloudflare-WordPress
CWE ID-CWE-284
Improper Access Control
CVE-2023-6968
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.1||HIGH
EPSS-0.20% / 9.59%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 02:02
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Moneytizer <= 9.6.3 - Cross-Site Request Forgery via multiple AJAX actions

The The Moneytizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.6.3. This is due to missing or incorrect nonce validation on multiple AJAX functions. This makes it possible for unauthenticated attackers to to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-themoneytizerlvaudore
Product-the_moneytizerThe Moneytizer
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-6966
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.1||HIGH
EPSS-0.39% / 31.37%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 02:02
Updated-08 Apr, 2026 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Moneytizer <= 9.6.3 - Missing Authorization via multiple AJAX actions

The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.6.3. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions.

Action-Not Available
Vendor-themoneytizerlvaudore
Product-the_moneytizerThe Moneytizer
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2023-46663
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.44% / 35.43%
||
7 Day CHG~0.00%
Published-26 Oct, 2023 | 20:02
Updated-16 Jan, 2025 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control in Sielco PolyEco1000

Sielco PolyEco1000 is vulnerable to an attacker bypassing authorization and accessing resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests.

Action-Not Available
Vendor-sielcoSielco
Product-polyeco500polyeco1000polyeco300_firmwarepolyeco300polyeco1000_firmwarepolyeco500_firmwarePolyEco1000
CWE ID-CWE-284
Improper Access Control
CVE-2023-39349
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.85% / 53.62%
||
7 Day CHG~0.00%
Published-07 Aug, 2023 | 18:27
Updated-04 Oct, 2024 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sentry vulnerable to privilege escalation via ApiTokensEndpoint

Sentry is an error tracking and performance monitoring platform. Starting in version 22.1.0 and prior to version 23.7.2, an attacker with access to a token with few or no scopes can query `/api/0/api-tokens/` for a list of all tokens created by a user, including tokens with greater scopes, and use those tokens in other requests. There is no evidence that the issue was exploited on `sentry.io`. For self-hosted users, it is advised to rotate user auth tokens. A fix is available in version 23.7.2 of `sentry` and `self-hosted`. There are no known workarounds.

Action-Not Available
Vendor-sentrygetsentrygetsentry
Product-sentrysentrysentry
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-284
Improper Access Control
  • Previous
  • 1
  • 2
  • Next
Details not found