Total
4065 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8196 | 1 Citrix | 8 4000-wo, 4100-wo, 5000-wo and 5 more | 2025-10-30 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.
|
|||||
| CVE-2021-22893 | 1 Ivanti | 1 Connect Secure | 2025-10-30 | 7.5 HIGH | 10.0 CRITICAL |
|
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
|
|||||
| CVE-2020-8193 | 1 Citrix | 8 4000-wo, 4100-wo, 5000-wo and 5 more | 2025-10-30 | 5.0 MEDIUM | 6.5 MEDIUM |
|
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.
|
|||||
| CVE-2022-23134 | 3 Debian, Fedoraproject, Zabbix | 3 Debian Linux, Fedora, Zabbix | 2025-10-30 | 5.0 MEDIUM | 3.7 LOW |
|
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend.
|
|||||
| CVE-2024-37085 | 1 Vmware | 2 Cloud Foundation, Esxi | 2025-10-30 | N/A | 6.8 MEDIUM |
|
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
|
|||||
| CVE-2025-11633 | 1 Furbo | 4 Furbo 360 Dog Camera, Furbo 360 Dog Camera Firmware, Furbo Mini and 1 more | 2025-10-30 | 2.6 LOW | 3.7 LOW |
|
A vulnerability was identified in Tomofun Furbo 360 and Furbo Mini. Affected by this issue is the function upload_file_to_s3 of the file collect_logs.sh of the component HTTP Traffic Handler. The manipulation leads to improper certificate validation. The attack may be initiated remotely. The attack is considered to have high complexity. The exploitation is known to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. ...
Show More |
|||||
| CVE-2025-41110 | 1 Ghostrobotics | 2 Vision 60, Vision 60 Firmware | 2025-10-30 | N/A | 8.8 HIGH |
|
Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment.
|
|||||
| CVE-2012-5887 | 1 Apache | 1 Tomcat | 2025-10-30 | 5.0 MEDIUM | N/A |
|
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.
|
|||||
| CVE-2025-25450 | 1 Mytaag | 1 Mytaag | 2025-10-30 | N/A | 5.1 MEDIUM |
|
An issue in TAAGSOLUTIONS GmbH MyTaag v.2024-11-24 and before allows a remote attacker to escalate privileges via the deactivation of the activated second factor to the /session endpoint
|
|||||
| CVE-2025-25451 | 1 Mytaag | 1 Mytaag | 2025-10-30 | N/A | 5.1 MEDIUM |
|
An issue in TAAGSOLUTIONS GmbH MyTaag v.2024-11-24 and before allows a physically proximate attacker to escalate privileges via the "2fa_authorized" Local Storage key
|
|||||
| CVE-2025-25452 | 1 Mytaag | 1 Mytaag | 2025-10-30 | N/A | 5.1 MEDIUM |
|
An issue in TAAGSOLUTIONS GmbH MyTaag v.2024-11-24 and before allows a remote attacker to escalate privileges via the "/user" endpoint
|
|||||
| CVE-2020-0688 | 1 Microsoft | 1 Exchange Server | 2025-10-29 | 9.0 HIGH | 8.8 HIGH |
|
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.
|
|||||
| CVE-2025-9063 | 1 Rockwellautomation | 1 Factorytalk View | 2025-10-28 | N/A | 9.8 CRITICAL |
|
An authentication bypass security issue exists within FactoryTalk View Machine Edition Web Browser ActiveX control. Exploitation of this vulnerability allows unauthorized access to the PanelView Plus 7 Series B, including access to the file system, retrieval of diagnostic information, event logs, and more.
|
|||||
| CVE-2025-9064 | 1 Rockwellautomation | 1 Factorytalk View | 2025-10-28 | N/A | 9.1 CRITICAL |
|
A path traversal security issue exists within FactoryTalk View Machine Edition, allowing unauthenticated attackers on the same network as the device to delete any file within the panels operating system. Exploitation of this vulnerability is dependent on the knowledge of filenames to be deleted.
|
|||||
| CVE-2024-21410 | 1 Microsoft | 1 Exchange Server | 2025-10-28 | N/A | 9.8 CRITICAL |
|
Microsoft Exchange Server Elevation of Privilege Vulnerability
|
|||||
| CVE-2025-62717 | 1 Emlog | 1 Emlog | 2025-10-28 | N/A | 9.1 CRITICAL |
|
Emlog is an open source website building system. In version 2.5.23, Emlog Pro is vulnerable to a session verification code error due to a clearing logic error. This means the verification code could be reused anywhere an email verification code is required. This issue has been fixed in commit 1f726df.
|
|||||
| CVE-2024-49039 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-10-28 | N/A | 8.8 HIGH |
|
Windows Task Scheduler Elevation of Privilege Vulnerability
|
|||||
| CVE-2023-20867 | 3 Debian, Fedoraproject, Vmware | 3 Debian Linux, Fedora, Tools | 2025-10-28 | N/A | 3.9 LOW |
|
A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.
|
|||||
| CVE-2025-49706 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2025-10-27 | N/A | 6.5 MEDIUM |
|
Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
|
|||||
| CVE-2025-61882 | 1 Oracle | 1 Concurrent Processing | 2025-10-27 | N/A | 9.8 CRITICAL |
|
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CV ...
Show More |
|||||
| CVE-2025-61884 | 1 Oracle | 1 Configurator | 2025-10-27 | N/A | 7.5 HIGH |
|
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVS ...
Show More |
|||||
| CVE-2024-8956 | 1 Ptzoptics | 4 Pt30x-ndi-xx-g2, Pt30x-ndi-xx-g2 Firmware, Pt30x-sdi and 1 more | 2025-10-27 | N/A | 9.1 CRITICAL |
|
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.
|
|||||
| CVE-2025-6979 | 2025-10-27 | N/A | 8.8 HIGH | ||
|
Captive Portal can allow authentication bypass
|
|||||
| CVE-2025-62169 | 2025-10-27 | N/A | 8.1 HIGH | ||
|
OctoPrint-SpoolManager is a plugin for managing spools and all their usage metadata. In versions 1.8.0a2 and older of the testing branch and versions 1.7.7 and older of the stable branch, the APIs of the OctoPrint-SpoolManager plugin do not correctly enforce authentication or authorization checks. This issue has been patched in versions 1.8.0a3 of the testing branch and 1.7.8 of the stable branch. The impact of this vulnerability is greatly reduced when using OctoPrint version 1.11.2 and newer.
|
|||||
| CVE-2025-55340 | 1 Microsoft | 9 Windows 10 21h2, Windows 10 22h2, Windows 11 22h2 and 6 more | 2025-10-24 | N/A | 7.0 HIGH |
|
Improper authentication in Windows Remote Desktop Protocol allows an authorized attacker to bypass a security feature locally.
|
|||||
| CVE-2021-32648 | 1 Octobercms | 1 October | 2025-10-24 | 6.4 MEDIUM | 8.2 HIGH |
|
octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
|
|||||
| CVE-2021-39226 | 2 Fedoraproject, Grafana | 2 Fedora, Grafana | 2025-10-24 | 6.8 MEDIUM | 9.8 CRITICAL |
|
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regar ...
Show More |
|||||
| CVE-2024-7593 | 1 Ivanti | 1 Virtual Traffic Management | 2025-10-24 | N/A | 9.8 CRITICAL |
|
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
|
|||||
| CVE-2020-12812 | 1 Fortinet | 1 Fortios | 2025-10-24 | 7.5 HIGH | 9.8 CRITICAL |
|
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
|
|||||
| CVE-2025-56447 | 2025-10-22 | N/A | 9.8 CRITICAL | ||
|
TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.
|
|||||
| CVE-2025-60772 | 2025-10-22 | N/A | 9.8 CRITICAL | ||
|
Improper authentication in the web-based management interface of NETLINK HG322G V1.0.00-231017, allows a remote unauthenticated attacker to escalate privileges and lock out the legitimate administrator via crafted HTTP requests.
|
|||||
| CVE-2013-0625 | 4 Adobe, Apple, Microsoft and 1 more | 4 Coldfusion, Mac Os X, Windows and 1 more | 2025-10-22 | 6.8 MEDIUM | 9.8 CRITICAL |
|
Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013.
|
|||||
| CVE-2016-7836 | 1 Skygroup | 1 Skysea Client View | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
|
SKYSEA Client View Ver.11.221.03 and earlier allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.
|
|||||
| CVE-2015-7755 | 1 Juniper | 1 Screenos | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
|
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session.
|
|||||
| CVE-2015-1187 | 2 Dlink, Trendnet | 30 Dir-626l, Dir-626l Firmware, Dir-636l and 27 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
|
The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr parameter to ping.ccp.
|
|||||
| CVE-2025-11852 | 2025-10-21 | 5.0 MEDIUM | 5.3 MEDIUM | ||
|
A vulnerability was found in Apeman ID71 218.53.203.117. The impacted element is an unknown function of the file /onvif/device_service of the component ONVIF Service. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-59280 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-10-20 | N/A | 3.1 LOW |
|
Improper authentication in Windows SMB Client allows an unauthorized attacker to perform tampering over a network.
|
|||||
| CVE-2025-55293 | 1 Meshtastic | 1 Meshtastic Firmware | 2025-10-17 | N/A | 9.4 CRITICAL |
|
Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.
|
|||||
| CVE-2025-55234 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-10-17 | N/A | 8.8 HIGH |
|
SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks.
The SMB Server already supports mechanisms for hardening against relay attacks:
SMB Server signing
SMB Server Extended Protection for Authentication (EPA)
Microsoft is releasing this CVE to provide customers with audit capabilities to help them to assess their envir ...
Show More |
|||||
| CVE-2025-53778 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-10-17 | N/A | 8.8 HIGH |
|
Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network.
|
|||||