Improper Access Control

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experime

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing. Thi

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to cause unexpected system termination.

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authent

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-pri

Improper access control in Microsoft PC Manager allows an authorized attacker to bypass a security feature locally.

BoxLite: Permission Bypass Allows Modification of Read-Only Files

Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking

Capgo Console prior to 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is link

A security vulnerability has been detected in SecureAge CatchPulse up to 10.9.3. Impacted is an unknown function in the library saappctl.sys of the component IOCTL Handler. The manipulation leads to information disclosure. Local access is r

Adobe ColdFusion Improper Access Control Vulnerability

Microsoft Power Pages Improper Access Control Vulnerability

Apache Tomcat Remote Code Execution Vulnerability

Citrix ShareFile Improper Access Control Vulnerability

Joomla! Improper Access Control Vulnerability

Microsoft Windows Graphics Device Interface (GDI) Remote Code Execution Vulnerability

Elasticsearch Groovy Scripting Engine Remote Code Execution Vulnerability

McAfee Total Protection (MTP) Improper Privilege Management Vulnerability

Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability

PaperCut MF/NG Improper Access Control Vulnerability

Adobe ColdFusion Deserialization of Untrusted Data Vulnerability

Vite Vitejs Improper Access Control Vulnerability

Microsoft Windows Open Type Font Remote Code Execution Vulnerability

Elasticsearch Remote Code Execution Vulnerability

ImageMagick Arbitrary File Deletion Vulnerability

Gladinet Triofox Improper Access Control Vulnerability

Synacor Zimbra Collaboration Suite (ZCS) Command Execution Vulnerability

GitLab Community and Enterprise Editions Improper Access Control Vulnerability

Fortinet FortiClient EMS Improper Access Control Vulnerability

Microsoft Windows Improper Access Control Vulnerability

Adobe ColdFusion Improper Access Control Vulnerability

Apache HugeGraph-Server Improper Access Control Vulnerability

Citrix ADC, Gateway, and SD-WAN WANOP Appliance Authorization Bypass Vulnerability

SonicWall SonicOS Improper Access Control Vulnerability

Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information Disclosure Vulnerability

Zabbix Frontend Improper Access Control Vulnerability

QNAP Helpdesk Improper Access Control Vulnerability

Apache Shiro Code Execution Vulnerability

Adobe ColdFusion Improper Access Control Vulnerability

Citrix Content Collaboration ShareFile Improper Access Control Vulnerability

Microsoft Windows SMB Client Improper Access Control Vulnerability

Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4.

Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.

Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4.

Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in pr

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When al

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to access sensitive user data.

An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may be able to leak sensitive user information.

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data.

Under certain network configurations, a malicious actor with access to network could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices.