Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVEs (5,077)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-14660 - - Apr 29, 2026 Dec 14, 2025 2.9 LOW· v4 5.6 MEDIUM· v3 5.1 MEDIUM· v2 A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. This manipula...Show more A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. This manipulation of the argument domain causes improper access controls. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been published and may be used. Upgrading to version 1.0.0-alpha.32 addresses this issue. Patch name: 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d. It is recommended to upgrade the affected component.Show less
CVE-2025-14642 1Carmelo 1Computer Laboratory System Apr 29, 2026 Dec 14, 2025 2.0 LOW· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability has been found in code-projects Computer Laboratory System 1.0. Impacted is an unknown function of the file technical_staff_pic.php. Such manipulation of the argument image leads to unrestricted upload. T...Show more A vulnerability has been found in code-projects Computer Laboratory System 1.0. Impacted is an unknown function of the file technical_staff_pic.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-14641 1Carmelo 1Computer Laboratory System Apr 29, 2026 Dec 14, 2025 2.0 LOW· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A flaw has been found in code-projects Computer Laboratory System 1.0. This issue affects some unknown processing of the file admin/admin_pic.php. This manipulation of the argument image causes unrestricted upload. The a...Show more A flaw has been found in code-projects Computer Laboratory System 1.0. This issue affects some unknown processing of the file admin/admin_pic.php. This manipulation of the argument image causes unrestricted upload. The attack may be initiated remotely. The exploit has been published and may be used.Show less
CVE-2025-14583 1Campcodes 1Online Student Enrollment System Apr 29, 2026 Dec 12, 2025 5.5 MEDIUM· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A flaw has been found in campcodes Online Student Enrollment System 1.0. This impacts an unknown function of the file /admin/register.php. Executing a manipulation of the argument photo can lead to unrestricted upload. T...Show more A flaw has been found in campcodes Online Student Enrollment System 1.0. This impacts an unknown function of the file /admin/register.php. Executing a manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.Show less
CVE-2025-14582 1Campcodes 1Online Student Enrollment System Apr 29, 2026 Dec 12, 2025 2.0 LOW· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was detected in campcodes Online Student Enrollment System 1.0. This affects an unknown function of the file /admin/index.php?page=user-profile. Performing a manipulation of the argument userphoto results...Show more A vulnerability was detected in campcodes Online Student Enrollment System 1.0. This affects an unknown function of the file /admin/index.php?page=user-profile. Performing a manipulation of the argument userphoto results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used.Show less
CVE-2025-43518 1Apple 1Macos Apr 2, 2026 Dec 12, 2025 N/A· v4 3.3 LOW· v3 N/A· v2 A logic issue was addressed with improved checks. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, watchOS 26.2. An app may be able to inappropriately access f...Show more A logic issue was addressed with improved checks. This issue is fixed in iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, watchOS 26.2. An app may be able to inappropriately access files through the spellcheck API.Show less
CVE-2025-43513 1Apple 1Macos Apr 2, 2026 Dec 12, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. An app may be able to read sensitive location information.
CVE-2025-43416 1Apple 1Macos Apr 2, 2026 Dec 12, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. An app may be able to access protected user data.
CVE-2025-43404 1Apple 1Macos Dec 15, 2025 Dec 12, 2025 N/A· v4 3.3 LOW· v3 N/A· v2 A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data.
CVE-2025-43393 1Apple 1Macos Dec 15, 2025 Dec 12, 2025 N/A· v4 5.2 MEDIUM· v3 N/A· v2 A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to break out of its sandbox.
CVE-2025-43351 1Apple 1Macos Dec 15, 2025 Dec 12, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data.
CVE-2025-66430 1Plesk 1Plesk Jan 6, 2026 Dec 12, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Plesk 18.0 has Incorrect Access Control.
CVE-2025-64669 1Microsoft 1Windows Admin Center Dec 12, 2025 Dec 11, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.
CVE-2025-14530 1Remyandrade 1Real Estate Property Listing App Apr 29, 2026 Dec 11, 2025 2.0 LOW· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability has been found in SourceCodester Real Estate Property Listing App 1.0. The impacted element is an unknown function of the file /admin/property.php. Such manipulation of the argument image leads to unrestr...Show more A vulnerability has been found in SourceCodester Real Estate Property Listing App 1.0. The impacted element is an unknown function of the file /admin/property.php. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-14528 1Dlink 1Dir 803 Firmware Dec 15, 2025 Dec 11, 2025 5.5 MEDIUM· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A vulnerability was detected in D-Link DIR-803 up to 1.04. Impacted is an unknown function of the file /getcfg.php of the component Configuration Handler. The manipulation of the argument AUTHORIZED_GROUP results in info...Show more A vulnerability was detected in D-Link DIR-803 up to 1.04. Impacted is an unknown function of the file /getcfg.php of the component Configuration Handler. The manipulation of the argument AUTHORIZED_GROUP results in information disclosure. The attack may be performed from remote. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.Show less
CVE-2025-14522 1Baowzh 1Hfly Apr 29, 2026 Dec 11, 2025 2.1 LOW· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/upload_json.php. Performing manipulation of the a...Show more A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/upload_json.php. Performing manipulation of the argument imgFile results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-67510 1Neuron Ai 1Neuron Mar 6, 2026 Dec 10, 2025 N/A· v4 9.4 CRITICAL· v3 N/A· v2 Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restric...Show more Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.Show less
CVE-2025-24857 1Denx 1U Boot Jan 21, 2026 Dec 10, 2025 N/A· v4 7.6 HIGH· v3 N/A· v2 Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attack...Show more Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker to execute arbitrary code.Show less
CVE-2025-14082 - - Apr 2, 2026 Dec 10, 2025 N/A· v4 2.7 LOW· v3 N/A· v2 A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm...Show more A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.Show less
CVE-2025-64897 1Adobe 1Coldfusion Dec 12, 2025 Dec 10, 2025 N/A· v4 5.6 MEDIUM· v3 N/A· v2 ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited...Show more ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized write access potentially resulting in denial of service. Exploitation of this issue requires user interaction.Show less

Previous 1...424344...254 Next