Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-58372 1Roocode 1Roo Code Sep 15, 2025 Sep 5, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where certain VS Code workspace configuration files (.code-workspace) are not protected i...Show more Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where certain VS Code workspace configuration files (.code-workspace) are not protected in the same way as the .vscode folder. If the agent was configured to auto-approve file writes, an attacker able to influence prompts (for example via prompt injection) could cause malicious workspace settings or tasks to be written. These tasks could then be executed automatically when the workspace is reopened, resulting in arbitrary code execution. This issue is fixed in version 3.26.0.Show less
CVE-2025-10059 1Mongodb 1Mongodb Sep 22, 2025 Sep 5, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Serv...Show more An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.Show less
CVE-2025-23258 - - Sep 5, 2025 Sep 4, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 NVIDIA DOCA contains a vulnerability in the collectx-dpeserver Debian package for arm64 that could allow an attacker with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to es...Show more NVIDIA DOCA contains a vulnerability in the collectx-dpeserver Debian package for arm64 that could allow an attacker with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges.Show less
CVE-2025-23257 - - Sep 5, 2025 Sep 4, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 NVIDIA DOCA contains a vulnerability in the collectx-clxapidev Debian package that could allow an actor with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of p...Show more NVIDIA DOCA contains a vulnerability in the collectx-clxapidev Debian package that could allow an actor with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges.Show less
CVE-2025-36193 1Ibm 1Transformation Advisor Sep 29, 2025 Sep 3, 2025 N/A· v4 6.7 MEDIUM· v3 N/A· v2 IBM Transformation Advisor 2.0.1 through 4.3.1 incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Transformation Advisor Operator Catalo...Show more IBM Transformation Advisor 2.0.1 through 4.3.1 incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Transformation Advisor Operator Catalog image.Show less
CVE-2025-43268 1Apple 1Macos Nov 3, 2025 Aug 29, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6. A malicious app may be able to gain root privileges.
CVE-2025-9578 - - Aug 29, 2025 Aug 28, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 40734.
CVE-2025-53396 - - Aug 29, 2025 Aug 28, 2025 7.3 HIGH· v4 7.0 HIGH· v3 N/A· v2 Incorrect permission assignment for critical resource issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier), which may allow users who can log in to a client terminal to obtain root privileges...Show more Incorrect permission assignment for critical resource issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier), which may allow users who can log in to a client terminal to obtain root privileges.Show less
CVE-2025-43729 1Dell 1Thinos Jan 15, 2026 Aug 27, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Dell ThinOS 10, versions prior to 2508_10.0127, contains an Incorrect Permission Assignment for Critical Resource vulnerability. A local low-privileged attacker could potentially exploit this vulnerability leading to Ele...Show more Dell ThinOS 10, versions prior to 2508_10.0127, contains an Incorrect Permission Assignment for Critical Resource vulnerability. A local low-privileged attacker could potentially exploit this vulnerability leading to Elevation of Privileges and Unauthorized Access.Show less
CVE-2025-30063 - - Aug 29, 2025 Aug 27, 2025 9.4 CRITICAL· v4 N/A· v3 N/A· v2 The configuration file containing database logins and passwords is readable by any local user.
CVE-2025-0093 1Google 1Android Sep 2, 2025 Aug 26, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 In handleBondStateChanged of AdapterService.java, there is a possible unapproved data access due to a missing permission check. This could lead to remote information disclosure with no additional execution privileges nee...Show more In handleBondStateChanged of AdapterService.java, there is a possible unapproved data access due to a missing permission check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Show less
CVE-2025-4609 1Google 1Chrome Aug 25, 2025 Aug 22, 2025 N/A· v4 9.6 CRITICAL· v3 N/A· v2 Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially perform a sandbox escape via a malicious file. (Chromium securit...Show more Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)Show less
CVE-2025-43759 1Liferay 2Digital Experience Platform Liferay Portal Dec 16, 2025 Aug 22, 2025 6.7 MEDIUM· v4 2.7 LOW· v3 N/A· v2 Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows...Show more Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows admin users of a virtual instance to add pages that are not in the default/main virtual instance, then any tenant can create a list of all other tenants.Show less
CVE-2025-52094 1Pdq 1Smart Deploy Jan 27, 2026 Aug 22, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Insecure Permissions vulnerability in PDQ Smart Deploy V.3.0.2040 allows a local attacker to execute arbtirary code via the \HKLM\SYSTEM\Setup\SmartDeploy component
CVE-2025-38742 1Dell 1Emc Idrac Service Module Sep 10, 2025 Aug 21, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Dell iDRAC Service Module (iSM), versions prior to 6.0.3.0, contains an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vuln...Show more Dell iDRAC Service Module (iSM), versions prior to 6.0.3.0, contains an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution.Show less
CVE-2025-55524 1Agent Zero 1Agent Zero Jan 8, 2026 Aug 21, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Insecure permissions in Agent-Zero v0.8.* allow attackers to arbitrarily reset the system via unspecified vectors.
CVE-2025-27216 - - Aug 22, 2025 Aug 21, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Multiple Incorrect Permission Assignment for Critical Resource in UISP Application may allow a malicious actor with certain permissions to escalate privileges.
CVE-2025-1139 1Ibm 1Edge Application Manager Sep 3, 2025 Aug 20, 2025 N/A· v4 4.4 MEDIUM· v3 N/A· v2 IBM Edge Application Manager 4.5 could allow a local user to read or modify resources that they should not have authorization to access due to incorrect permission assignment.
CVE-2025-8042 1Mozilla 1Firefox Apr 13, 2026 Aug 19, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.
CVE-2025-5819 1Gitlab 1Gitlab Aug 29, 2025 Aug 13, 2025 N/A· v4 5.0 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID token...Show more An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances.Show less

Previous 1...91011...84 Next