Total
4422 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-29840 | 1 Cs-technologies | 1 Evolution | 2025-12-10 | N/A | 7.5 HIGH |
|
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_PIN_FIELDS, allowing for an unauthenticated attacker to return the pin value of any user
|
|||||
| CVE-2024-29841 | 1 Cs-technologies | 1 Evolution | 2025-12-10 | N/A | 7.5 HIGH |
|
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_KEYS_FIELDS, allowing for an unauthenticated attacker to return the keys value of any user
|
|||||
| CVE-2024-29837 | 1 Cs-technologies | 1 Evolution | 2025-12-10 | N/A | 8.8 HIGH |
|
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management, allowing for an unauthenticated attacker to access administrator functionality if any other user is already signed in.
|
|||||
| CVE-2024-29836 | 1 Cs-technologies | 1 Evolution | 2025-12-10 | N/A | 9.8 CRITICAL |
|
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control, allowing for an unauthenticated attacker to update and add user profiles within the application, and gain full access of the site.
|
|||||
| CVE-2024-29839 | 1 Cs-technologies | 1 Evolution | 2025-12-10 | N/A | 7.5 HIGH |
|
The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_CARD, allowing for an unauthenticated attacker to return the card value data of any user
|
|||||
| CVE-2025-59810 | 1 Fortinet | 1 Fortisoar | 2025-12-09 | N/A | 6.5 MEDIUM |
|
An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow information disclosure to an authenticated attacker via crafted requests
|
|||||
| CVE-2025-65796 | 1 Usememos | 1 Memos | 2025-12-09 | N/A | 4.3 MEDIUM |
|
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos.
|
|||||
| CVE-2025-65798 | 1 Usememos | 1 Memos | 2025-12-09 | N/A | 5.4 MEDIUM |
|
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.
|
|||||
| CVE-2025-65795 | 1 Usememos | 1 Memos | 2025-12-09 | N/A | 7.5 HIGH |
|
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.
|
|||||
| CVE-2025-66557 | 1 Nextcloud | 1 Deck | 2025-12-09 | N/A | 5.4 MEDIUM |
|
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.
|
|||||
| CVE-2025-59702 | 1 Entrust | 10 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc Base and 7 more | 2025-12-08 | N/A | 7.2 HIGH |
|
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components.
|
|||||
| CVE-2025-59703 | 1 Entrust | 10 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc Base and 7 more | 2025-12-08 | N/A | 9.1 CRITICAL |
|
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to access the internal components of the appliance, without leaving tamper evidence. To exploit this, the attacker needs to remove the tamper label and all fixing screws from the device without damaging it. This is called an F14 attack.
|
|||||
| CVE-2025-59697 | 1 Entrust | 10 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc Base and 7 more | 2025-12-08 | N/A | 7.2 HIGH |
|
Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by editing the Legacy GRUB bootloader configuration to start a root shell upon boot of the host OS. This is called F06.
|
|||||
| CVE-2025-66509 | 2025-12-08 | N/A | N/A | ||
|
LaraDashboard is an all-In-one solution to start a Laravel Application. In 2.3.0 and earlier, the password reset flow trusts the Host header, allowing attackers to redirect the administrator’s reset token to an attacker-controlled server. This can be combined with the module installation process to automatically execute the ServiceProvider::boot() method, enabling arbitrary PHP code execution.
|
|||||
| CVE-2025-14197 | 2025-12-08 | 5.0 MEDIUM | 5.3 MEDIUM | ||
|
A security vulnerability has been detected in Verysync 微力同步 up to 2.21.3. The impacted element is an unknown function of the file /rest/f/api/resources/f96956469e7be39d of the component Web Administration Module. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-61229 | 1 Shirt-pocket | 1 Superduper\! | 2025-12-08 | N/A | 7.8 HIGH |
|
An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allow a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls.
|
|||||
| CVE-2025-64746 | 1 Monospace | 1 Directus | 2025-12-08 | N/A | 4.6 MEDIUM |
|
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they s ...
Show More |
|||||
| CVE-2025-12331 | 1 Matthewdeaves | 1 Willow Cms | 2025-12-08 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A weakness has been identified in Willow CMS up to 1.4.0. Impacted is an unknown function of the file /admin/images/add. This manipulation causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited.
|
|||||
| CVE-2024-5814 | 1 Wolfssl | 1 Wolfssl | 2025-12-06 | N/A | 5.3 MEDIUM |
|
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500
|
|||||
| CVE-2025-13785 | 1 Yungifez | 1 Skuul | 2025-12-06 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-57213 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | N/A | 7.5 HIGH |
|
Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request.
|
|||||
| CVE-2025-57212 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | N/A | 7.5 HIGH |
|
Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request.
|
|||||
| CVE-2025-57210 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | N/A | 7.5 HIGH |
|
Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors.
|
|||||
| CVE-2025-46608 | 1 Dell | 1 Data Lakehouse | 2025-12-05 | N/A | 9.1 CRITICAL |
|
Dell Data Lakehouse, versions prior to 1.6.0.0, contain(s) an Improper Access Control vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. This vulnerability is considered Critical, as it may result in unauthorized access with elevated privileges, compromising system integrity and customer data. Dell recommends customers upgrade to the latest version at the earliest opportunity.
|
|||||
| CVE-2025-54338 | 1 Desktopalert | 1 Pingalert Application Server | 2025-12-05 | N/A | 7.5 HIGH |
|
An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to disclose user hashes.
|
|||||
| CVE-2025-54563 | 1 Desktopalert | 1 Pingalert Application Server | 2025-12-05 | N/A | 7.5 HIGH |
|
An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Incorrect Access Control, leading to Remote Information Disclosure.
|
|||||
| CVE-2025-63681 | 1 Openwebui | 1 Open Webui | 2025-12-05 | N/A | 4.3 MEDIUM |
|
open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.
|
|||||
| CVE-2025-57489 | 1 Shirt-pocket | 1 Superduper\! | 2025-12-05 | N/A | 8.1 HIGH |
|
Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary.
|
|||||
| CVE-2025-55469 | 1 Youlai | 1 Youlai-boot | 2025-12-05 | N/A | 9.8 CRITICAL |
|
Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.
|
|||||
| CVE-2025-55471 | 1 Youlai | 1 Youlai-boot | 2025-12-05 | N/A | 7.5 HIGH |
|
Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users.
|
|||||
| CVE-2025-66028 | 1 Hackerbay | 1 Oneuptime | 2025-12-05 | N/A | 8.2 HIGH |
|
OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have suff ...
Show More |
|||||
| CVE-2025-6680 | 1 Themeum | 1 Tutor Lms | 2025-12-05 | N/A | 4.3 MEDIUM |
|
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information.
|
|||||
| CVE-2025-64715 | 1 Cilium | 1 Cilium | 2025-12-04 | N/A | 4.0 MEDIUM |
|
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.16.17, 1.17.10, and 1.18.4, CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic ...
Show More |
|||||
| CVE-2025-56396 | 1 Ruoyi | 1 Ruoyi | 2025-12-04 | N/A | 8.8 HIGH |
|
An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user.
|
|||||
| CVE-2025-46174 | 1 Ruoyi | 1 Ruoyi | 2025-12-04 | N/A | 7.5 HIGH |
|
Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.
|
|||||
| CVE-2025-62509 | 1 Filerise | 1 Filerise | 2025-12-04 | N/A | 8.1 HIGH |
|
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRise’s file/folder handling allows low-privilege users to perform unauthorized operations (view/delete/modify) on files created by other users. The root cause was inferring ownership/visibility from folder names (e.g., a folder named after a username) and missing server-side authorization/ownership checks across file operation endpoints. Thi ...
Show More |
|||||
| CVE-2025-62510 | 1 Filerise | 1 Filerise | 2025-12-04 | N/A | 8.1 HIGH |
|
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In version 1.4.0, a regression allowed folder visibility/ownership to be inferred from folder names. Low-privilege users could see or interact with folders matching their username and, in some cases, other users’ content. This issue has been patched in version 1.5.0, where it introduces explicit per-folder ACLs (owners/read/write/share/read_own) and strict server-side checks across list, read, ...
Show More |
|||||
| CVE-2025-37155 | 1 Hpe | 1 Arubaos-cx | 2025-12-04 | N/A | 7.8 HIGH |
|
A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system.
|
|||||
| CVE-2025-46175 | 1 Ruoyi | 1 Ruoyi | 2025-12-04 | N/A | 7.5 HIGH |
|
Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java.
|
|||||
| CVE-2025-13949 | 2025-12-04 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability was identified in ProudMuBai GoFilm 1.0.0/1.0.1. Impacted is the function SingleUpload of the file /server/controller/FileController.go. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||