Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,079)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-10425 11000projects 1Online Student Project Report Submission And Evaluation System Apr 29, 2026 Sep 15, 2025 5.5 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was identified in 1000projects Online Student Project Report Submission and Evaluation System 1.0. The impacted element is an unknown function of the file /admin/controller/student_controller.php. Such ma...Show more A vulnerability was identified in 1000projects Online Student Project Report Submission and Evaluation System 1.0. The impacted element is an unknown function of the file /admin/controller/student_controller.php. Such manipulation of the argument new_image leads to unrestricted upload. The attack may be performed from remote. The exploit is publicly available and might be used.Show less
CVE-2025-10424 11000projects 1Online Student Project Report Submission And Evaluation System Apr 29, 2026 Sep 15, 2025 5.5 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was determined in 1000projects Online Student Project Report Submission and Evaluation System 1.0. The affected element is an unknown function of the file /admin/controller/faculty_controller.php. This ma...Show more A vulnerability was determined in 1000projects Online Student Project Report Submission and Evaluation System 1.0. The affected element is an unknown function of the file /admin/controller/faculty_controller.php. This manipulation of the argument new_image causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.Show less
CVE-2025-10398 1Fcba Zzm 1Smart Park Management System Apr 29, 2026 Sep 14, 2025 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A security flaw has been discovered in fcba_zzm ics-park Smart Park Management System 2.0. This vulnerability affects unknown code of the file FileUploadUtils.java. The manipulation of the argument File results in unrest...Show more A security flaw has been discovered in fcba_zzm ics-park Smart Park Management System 2.0. This vulnerability affects unknown code of the file FileUploadUtils.java. The manipulation of the argument File results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited.Show less
CVE-2025-10371 - - Apr 29, 2026 Sep 13, 2025 5.5 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A security flaw has been discovered in eCharge Hardy Barth Salia PLCC up to 2.3.81. This issue affects some unknown processing of the file /api.php. The manipulation of the argument setrfidlist results in unrestricted up...Show more A security flaw has been discovered in eCharge Hardy Barth Salia PLCC up to 2.3.81. This issue affects some unknown processing of the file /api.php. The manipulation of the argument setrfidlist results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-45584 1Audi 1Universal Traffic Recorder Firmware Oct 16, 2025 Sep 12, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect access control in the web service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to download car information without authentication.
CVE-2025-10321 1Wavlink 1Wl Wn578w2 Firmware Oct 2, 2025 Sep 12, 2025 5.5 MEDIUM· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is an unknown function of the file /live_online.shtml. Executing manipulation can lead to information disclosure. The attack can be executed remotely. The expl...Show more A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is an unknown function of the file /live_online.shtml. Executing manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-45432 1Opensynergy 1Blue Sdk Oct 2, 2025 Sep 12, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 OpenSynergy BlueSDK (aka Blue SDK) through 6.x mishandles a function call. The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from an incorrect variable used as a function argument. An attacke...Show more OpenSynergy BlueSDK (aka Blue SDK) through 6.x mishandles a function call. The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from an incorrect variable used as a function argument. An attacker can leverage this to cause unexpected behavior or obtain sensitive information.Show less
CVE-2025-27238 1Zabbix 1Zabbix Oct 8, 2025 Sep 12, 2025 2.1 LOW· v4 3.5 LOW· v3 N/A· v2 Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them.
CVE-2025-10247 - - Apr 29, 2026 Sep 11, 2025 2.1 LOW· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 A security vulnerability has been detected in JEPaaS 7.2.8. This vulnerability affects the function doFilterInternal of the component Filter Handler. Such manipulation leads to improper access controls. The attack can be...Show more A security vulnerability has been detected in JEPaaS 7.2.8. This vulnerability affects the function doFilterInternal of the component Filter Handler. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-10201 1Google 1Chrome Sep 22, 2025 Sep 10, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Inappropriate implementation in Mojo in Google Chrome on Android, Linux, ChromeOS prior to 140.0.7339.127 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
CVE-2025-20159 - - Sep 11, 2025 Sep 10, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC f...Show more A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the SSH, NetConf, and gRPC features. This vulnerability exists because management interface ACLs have not been supported on Cisco IOS XR Software Packet I/O infrastructure platforms for Linux-handled features such as SSH, NetConf, or gRPC. An attacker could exploit this vulnerability by attempting to send traffic to an affected device. A successful exploit could allow the attacker to bypass an ingress ACL that is applied on the management interface of the affected device.Show less
CVE-2025-56406 - - Sep 16, 2025 Sep 10, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for M...Show more An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for MCP servers, and the mcp-neo4j MCP server is only intended for use in a local environment where authentication realistically would not be needed. Also, the Supplier provides middleware to help isolate the MCP server from external access (if needed).Show less
CVE-2025-56405 1Litmus 1Mcp Server Sep 17, 2025 Sep 10, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in litmusautomation litmus-mcp-server thru 0.0.1 allowing unauthorized attackers to control the target's MCP service through the SSE protocol.
CVE-2025-54116 1Microsoft 13Windows 10 1507 Windows 10 1607Windows 10 1809+10 more Oct 2, 2025 Sep 9, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Improper access control in Windows MultiPoint Services allows an authorized attacker to elevate privileges locally.
CVE-2025-54098 1Microsoft 15Windows 10 1507 Windows 10 1607Windows 10 1809+12 more Oct 2, 2025 Sep 9, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally.
CVE-2025-49692 1Microsoft 1Azure Connected Machine Agent Oct 1, 2025 Sep 9, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally.
CVE-2025-10116 - - Apr 29, 2026 Sep 9, 2025 5.5 MEDIUM· v4 7.3 HIGH· v3 7.5 HIGH· v2 A vulnerability was identified in SiempreCMS up to 1.3.6. This vulnerability affects unknown code of the file /docs/admin/file_upload.php. Such manipulation leads to unrestricted upload. The attack may be launched remote...Show more A vulnerability was identified in SiempreCMS up to 1.3.6. This vulnerability affects unknown code of the file /docs/admin/file_upload.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used.Show less
CVE-2025-58752 1Vitejs 1Vite Sep 17, 2025 Sep 8, 2025 2.3 LOW· v4 5.3 MEDIUM· v3 N/A· v2 Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose t...Show more Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.Show less
CVE-2025-58751 1Vitejs 1Vite Sep 17, 2025 Sep 8, 2025 2.3 LOW· v4 5.3 MEDIUM· v3 N/A· v2 Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only app...Show more Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.Show less
CVE-2025-10093 1Dlink 1Dir 852 Firmware Sep 29, 2025 Sep 8, 2025 5.5 MEDIUM· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A vulnerability was identified in D-Link DIR-852 up to 1.00CN B09. Affected by this vulnerability is the function phpcgi_main of the file /getcfg.php of the component Device Configuration Handler. Such manipulation leads...Show more A vulnerability was identified in D-Link DIR-852 up to 1.00CN B09. Affected by this vulnerability is the function phpcgi_main of the file /getcfg.php of the component Device Configuration Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.Show less

Previous 1...616263...254 Next