CWE-284 · Improper Access Control

5325 CVEs classified under CWE-284 (Improper Access Control). Browse by severity and year.

Top CVEs for CWE-284
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-46978 | Critical | 10.0 | 2026-06-17 | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The supported version that is affected is 11.4. Easi… |
| CVE-2026-35308 | Critical | 10.0 | 2026-06-17 | Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). Supported versions that are affected are… |
| CVE-2026-35307 | Critical | 10.0 | 2026-06-17 | Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0… |
| CVE-2026-46695 | Critical | 10.0 | 2026-06-10 | Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prio… |
| CVE-2026-46840 | Critical | 10.0 | 2026-05-28 | Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulne… |
| CVE-2026-34908 | Critical | 10.0 | 2026-05-22 | A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to t… |
| CVE-2026-34234 | Critical | 10.0 | 2026-05-19 | CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerabl… |
| CVE-2026-34444 | Critical | 10.0 | 2026-04-06 | Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed thro… |
| CVE-2026-33478 | Critical | 10.0 | 2026-03-23 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to all… |
| CVE-2026-32737 | Critical | 10.0 | 2026-03-18 | Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub… |
| CVE-2026-30966 | Critical | 10.0 | 2026-03-10 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's inter… |
| CVE-2026-2768 | Critical | 10.0 | 2026-02-24 | Sandbox escape in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. |
| CVE-2026-21962 | Critical | 10.0 | 2026-01-20 | Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for… |
| CVE-2026-21636 | Critical | 10.0 | 2026-01-20 | A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `-… |
| CVE-2026-0881 | Critical | 10.0 | 2026-01-13 | Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147. |
| CVE-2025-54339 | Critical | 10.0 | 2025-11-14 | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for E… |
| CVE-2025-29270 | Critical | 10.0 | 2025-10-31 | Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin pan… |
| CVE-2025-54914 | Critical | 10.0 | 2025-09-04 | Azure Networking Elevation of Privilege Vulnerability |
| CVE-2025-26615 | Critical | 10.0 | 2025-02-18 | WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Path Traversal vulnerability was discovered in the WeGIA appl… |
| CVE-2024-22216 | Critical | 10.0 | 2024-01-08 | In default installations of Microchip maxView Storage Manager (for Adaptec Smart Storage Controllers) where Redfish server is configured for remote system mana… |