| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally. |
| Improper access control in Windows Resilient File System (ReFS) allows an authorized attacker to disclose information over a network. |
| Improper access control in Windows Defender Application Control (WDAC) allows an unauthorized attacker to bypass a security feature locally. |
| Improper access control in Windows NTFS allows an authorized attacker to disclose file path information under a folder where the attacker doesn't have permission to list content. |
| Improper access control in Microsoft Office allows an authorized attacker to elevate privileges locally. |
| Improper access control in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. |
| Improper access control in Azure allows an unauthorized attacker to disclose information over a network. |
| Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally. |
| Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. |
| Improper access control in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. |
| Improper access control in Azure Virtual Machines allows an authorized attacker to perform spoofing locally. |
| Improper access control in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. |
| Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network. |
| Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally. |
| Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section. |
| A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3. A user with Live Caller ID app extensions turned off could have identifying information leaked to the extensions. |
| Dell iDRAC Service Module (iSM) for Windows, versions prior to 6.0.3.1, and Dell iDRAC Service Module (iSM) for Linux, versions prior to 5.4.1.1, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record; the server accepts the modified IDs and applies the changes to that other user’s profile. This allows one user to alter another user’s profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue. |
| A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level. |
| The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration. |
