Total
1461 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-0632 | 1 Adobe | 1 Coldfusion | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
|
administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.
|
|||||
| CVE-2025-36632 | 2 Microsoft, Tenable | 2 Windows, Nessus Agent | 2025-10-21 | N/A | 7.8 HIGH |
|
In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could execute code with SYSTEM privilege.
|
|||||
| CVE-2025-62668 | 2025-10-21 | N/A | N/A | ||
|
Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Resource Leak Exposure.This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.
|
|||||
| CVE-2025-43887 | 1 Dell | 1 Powerprotect Data Manager | 2025-10-20 | N/A | 7.0 HIGH |
|
Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) an Incorrect Default Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
|
|||||
| CVE-2025-54086 | 1 Absolute | 1 Secure Access | 2025-10-16 | N/A | 3.3 LOW |
|
CVE-2025-54086 is an excess permissions vulnerability in the
Warehouse component of Absolute Secure Access prior to version 14.10. Attackers
with access to the local file system can read the Java keystore file. The
attack complexity is low, there are no attack requirements, the privileges
required are low and no user interaction is required. Impact to confidentiality
is low, there is no impact to integrity or availability.
|
|||||
| CVE-2025-46014 | 1 Honor | 1 Pc Manager | 2025-10-15 | N/A | 8.8 HIGH |
|
Several services in Honor Device Co., Ltd Honor PC Manager v16.0.0.118 was discovered to connect services to the named pipe iMateBookAssistant with default or overly permissive security attributes, leading to a privilege escalation.
|
|||||
| CVE-2025-29504 | 1 Huang-yk | 1 Student-manage | 2025-10-15 | N/A | 7.8 HIGH |
|
Insecure Permission vulnerability in student-manage 1 allows a local attacker to escalate privileges via the Unsafe permission verification.
|
|||||
| CVE-2024-0245 | 2025-10-15 | N/A | 5.5 MEDIUM | ||
|
A misconfiguration in the AndroidManifest.xml file in hamza417/inure before build97 allows for task hijacking. This vulnerability permits malicious applications to inherit permissions of the vulnerable app, potentially leading to the exposure of sensitive information. An attacker can create a malicious app that hijacks the legitimate Inure app, intercepting and stealing sensitive information when installed on the victim's device. This issue affects all Android versions before Android 11.
|
|||||
| CVE-2025-8069 | 2025-10-14 | N/A | 7.8 HIGH | ||
|
During the AWS Client VPN client installation on Windows devices, the install process references the C:\usr\local\windows-x86_64-openssl-localbuild\ssl directory location to fetch the OpenSSL configuration file. As a result, a non-admin user could place arbitrary code in the configuration file. If an admin user starts the AWS Client VPN client installation process, that code could be executed with root-level privileges. This issue does not affect Linux or Mac devices.
We recommend users discon ...
Show More |
|||||
| CVE-2025-0797 | 1 Escanav | 1 Escan Anti-virus | 2025-10-09 | 1.7 LOW | 3.3 LOW |
|
A vulnerability was found in MicroWorld eScan Antivirus 7.0.32 on Linux. It has been declared as problematic. This vulnerability affects unknown code of the file /var/Microworld/ of the component Quarantine Handler. The manipulation leads to incorrect default permissions. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-13188 | 1 Escanav | 1 Escan Anti-virus | 2025-10-09 | 4.3 MEDIUM | 5.3 MEDIUM |
|
A vulnerability was found in MicroWorld eScan Antivirus 7.0.32 on Linux. It has been rated as critical. Affected by this issue is some unknown functionality of the file /opt/MicroWorld/var/ of the component Installation Handler. The manipulation leads to incorrect default permissions. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-11535 | 2025-10-09 | N/A | N/A | ||
|
MongoDB Connector for BI installation via MSI on Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24.
|
|||||
| CVE-2024-52551 | 1 Jenkins | 1 Pipeline\ | 2025-10-08 | N/A | 8.0 HIGH |
|
Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved.
|
|||||
| CVE-2024-54745 | 1 Wavlink | 2 Wn701ae, Wn701ae Firmware | 2025-10-03 | N/A | 9.8 CRITICAL |
|
WAVLINK WN701AE M01AE_V240305 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
|
|||||
| CVE-2024-54747 | 1 Wavlink | 2 Wn531p3, Wn531p3 Firmware | 2025-10-03 | N/A | 9.8 CRITICAL |
|
WAVLINK WN531P3 202383 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
|
|||||
| CVE-2025-34191 | 3 Apple, Linux, Vasion | 4 Macos, Linux Kernel, Virtual Appliance Application and 1 more | 2025-10-02 | N/A | 8.4 HIGH |
|
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (macOS/Linux client deployments) contain an arbitrary file write vulnerability via the response file handling. When tasks produce output the service writes response data into files under /opt/PrinterInstallerClient/tmp/responses/ reusing the requested filename. The service follows symbolic links in the responses directory and writes as the service user (typically root), allow ...
Show More |
|||||
| CVE-2025-23297 | 2025-10-02 | N/A | 7.8 HIGH | ||
|
NVIDIA Installer for NvAPP for Windows contains a vulnerability in the FrameviewSDK installation process, where an attacker with local unprivileged access could modify files in the Frameview SDK directory. A successful exploit of this vulnerability might lead to escalation of privileges.
|
|||||
| CVE-2024-55398 | 1 4cstrategies | 1 Exonaut | 2025-10-01 | N/A | 6.5 MEDIUM |
|
4C Strategies Exonaut before v22.4 was discovered to contain insecure permissions.
|
|||||
| CVE-2024-46465 | 2 Microsoft, Primx | 2 Windows, Cryhod | 2025-10-01 | N/A | 7.8 HIGH |
|
By default, dedicated folders of CRYHOD for Windows up to 2024.3 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. Configuration of CRYHOD has to be modified to prevent this vulnerability.
|
|||||
| CVE-2024-48533 | 1 Esoftplanner | 1 Esoft Planner | 2025-10-01 | N/A | 5.3 MEDIUM |
|
A discrepancy between responses for valid and invalid e-mail accounts in the Forgot your Login? module of eSoft Planner 3.24.08271-USA allows attackers to enumerate valid user e-mail accounts.
|
|||||
| CVE-2024-40514 | 1 Themesbrand | 1 Chatvia | 2025-09-30 | N/A | 4.6 MEDIUM |
|
Insecure Permissions vulnerability in themesebrand Chatvia v.5.3.2 allows a remote attacker to escalate privileges via the User profile name and image upload functions.
|
|||||
| CVE-2025-55111 | 2 Bmc, Linux | 2 Control-m\/agent, Linux Kernel | 2025-09-29 | N/A | 5.5 MEDIUM |
|
Certain files with overly permissive permissions were identified in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions as well as in newer versions which were upgraded from an affected version. These files contain keys and passwords relating to SSL files, keystore and policies. An attacker with local access to the system running the Agent can access these files.
|
|||||
| CVE-2024-58046 | 1 Huawei | 1 Harmonyos | 2025-09-26 | N/A | 6.2 MEDIUM |
|
Permission management vulnerability in the lock screen module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2025-46586 | 1 Huawei | 1 Harmonyos | 2025-09-26 | N/A | 5.1 MEDIUM |
|
Permission control vulnerability in the contacts module
Impact: Successful exploitation of this vulnerability may affect availability.
|
|||||
| CVE-2025-27521 | 1 Huawei | 1 Harmonyos | 2025-09-26 | N/A | 6.8 MEDIUM |
|
Vulnerability of improper access permission in the process management module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2024-58050 | 1 Huawei | 1 Harmonyos | 2025-09-26 | N/A | 6.2 MEDIUM |
|
Vulnerability of improper access permission in the HDC module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2023-4664 | 1 Adobe | 1 Connect | 2025-09-24 | N/A | 8.8 HIGH |
|
Incorrect Default Permissions vulnerability in Saphira Saphira Connect allows Privilege Escalation.This issue affects Saphira Connect: before 9.
|
|||||
| CVE-2025-43595 | 2 Linux, Msp360 | 2 Linux Kernel, Backup | 2025-09-23 | N/A | 7.8 HIGH |
|
An insecure file system permissions vulnerability in MSP360 Backup 4.3.1.115 allows a low privileged user to execute commands with root privileges in the 'Online Backup' folder. Upgrade to MSP360 Backup 4.4 (released on 2025-04-22).
|
|||||
| CVE-2025-43596 | 1 Msp360 | 1 Backup | 2025-09-23 | N/A | 7.8 HIGH |
|
An insecure file system permissions vulnerability in MSP360 Backup 8.0 allows a low privileged user to execute commands with SYSTEM level privileges using a specially crafted file with an arbitrary file backup target. Upgrade to MSP360 Backup 8.1.1.19 (released on 2025-05-15).
|
|||||
| CVE-2024-6238 | 1 Pgadmin | 1 Pgadmin 4 | 2025-09-23 | N/A | 7.4 HIGH |
|
pgAdmin <= 8.8 has an installation Directory permission issue. Because of this issue, attackers can gain unauthorised access to the installation directory on the Debian or RHEL 8 platforms.
|
|||||
| CVE-2025-10231 | 1 N-able | 1 N-central | 2025-09-22 | N/A | 7.0 HIGH |
|
An Incorrect File Handling Permission bug exists on the N-central Windows Agent and Probe that, in the right circumstances, can allow a local low-level user to run commands with elevated permissions.
|
|||||
| CVE-2025-53947 | 2025-09-19 | N/A | 7.7 HIGH | ||
|
A local attacker with low privileges on the Windows system where the
software is installed can exploit this vulnerability to corrupt
sensitive data. A data folder is created with very weak privileges,
allowing any user logged into the Windows system to modify its content.
|
|||||
| CVE-2025-57625 | 2025-09-17 | N/A | 8.8 HIGH | ||
|
CYRISMA Sensor before 444 for Windows has an Insecure Folder and File Permissions vulnerability. A low-privileged user can abuse these issues to escalate privileges and execute arbitrary code in the context of NT AUTHORITY\SYSTEM by replacing DataSpotliteAgent.exe or any other binaries called by the Cyrisma_Agent service when it starts
|
|||||
| CVE-2025-8672 | 2 Apple, Gimp | 2 Macos, Gimp | 2025-09-12 | N/A | 7.8 HIGH |
|
MacOS version of GIMP bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions
granted by the user to the main application bundle. An attacker with local user access can
invoke this interpreter with arbitrary commands or scripts, leveraging the
application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will promp ...
Show More |
|||||
| CVE-2024-46916 | 1 Dieboldnixdorf | 1 Vynamic Security Suite | 2025-09-09 | N/A | 8.1 HIGH |
|
Diebold Nixdorf Vynamic Security Suite through 4.3.0 SR06 contains functionality that allows the removal of critical system files before the filesystem is properly mounted (e.g., leveraging a delete call in /etc/rc.d/init.d/mountfs to remove the /etc/fstab file). This can allow code execution and, in some versions, enable recovery of TPM Disk Encryption keys and decryption of the Windows system partition.
|
|||||
| CVE-2022-37003 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2025-09-08 | N/A | 9.8 CRITICAL |
|
The AOD module has a vulnerability in permission assignment. Successful exploitation of this vulnerability may cause permission escalation and unauthorized access to files.
|
|||||
| CVE-2024-12564 | 2025-09-08 | N/A | N/A | ||
|
Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit prometheus metrics page. This can allow attackers to understand more things about the target application which may help in further investigation and exploitation.
|
|||||
| CVE-2025-22425 | 1 Google | 1 Android | 2025-09-05 | N/A | 5.1 MEDIUM |
|
In onCreate of InstallStart.java, there is a possible permissions bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
|
|||||
| CVE-2021-27285 | 1 Inspur | 1 Clusterengine | 2025-09-05 | N/A | 8.4 HIGH |
|
An issue was discovered in Inspur ClusterEngine v4.0 that allows attackers to gain escalated Local privileges and execute arbitrary commands via /opt/tsce4/torque6/bin/getJobsByShell.
|
|||||
| CVE-2024-42053 | 1 Splashtop | 1 Streamer | 2025-09-03 | N/A | 7.8 HIGH |
|
The MSI installer for Splashtop Streamer for Windows before 3.6.0.0 uses a temporary folder with weak permissions during installation. A local user can exploit this to escalate privileges to SYSTEM by placing a version.dll file in the folder.
|
|||||