CVE-2024-46310
Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via expose
CVSS
9.1
Crítico
EPSS
2.4%
p82
KEV
—
Exploit Today
25
0-100
Publicado: 13 ene 2025 · Última mod.: 5 jul 2026 · CWE-281
2.4%EPSS · 30 días2.4%
2026-06-302026-07-16
Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via exposed API endpoint
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2025-551309.1 CRÍ73.6%
——22A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.2dCVE-2022-385778.8 ALT70.4%
——21ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators.8dCVE-2024-548799.1 CRÍ55.9%
——17SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely.12dCVE-2023-346728.8 ALT50.2%
——15Improper Access Control leads to adding a high-privilege user affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user's role within the admin profile. An attack could occur over the public Internet in some cases.8dCVE-2026-398329.1 CRÍ41.0%
——12When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.16hCVE-2026-353857.5 ALT34.0%
——10In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).2d