Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11890 | 2025-11-04 | N/A | 7.5 HIGH | ||
|
The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a payments status through server-side validation though the /wc-api/bp-payeer-gateway-callback endpoint. This makes it possible for unauthenticated attackers to update unpaid order statuses to paid resulting in a loss of revenue.
|
|||||
| CVE-2025-12350 | 2025-11-04 | N/A | 5.3 MEDIUM | ||
|
The DominoKit plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wp_ajax_nopriv_dominokit_option_admin_action AJAX endpoint in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to update plugin settings.
|
|||||
| CVE-2025-43358 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-11-04 | N/A | 8.8 HIGH |
|
A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sonoma 14.8, iOS 26 and iPadOS 26, macOS Sequoia 15.7, iOS 18.7 and iPadOS 18.7. A shortcut may be able to bypass sandbox restrictions.
|
|||||
| CVE-2025-43341 | 1 Apple | 1 Macos | 2025-11-04 | N/A | 7.8 HIGH |
|
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.8. An app may be able to gain root privileges.
|
|||||
| CVE-2025-43329 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-11-04 | N/A | 8.8 HIGH |
|
A permissions issue was addressed with additional restrictions. This issue is fixed in tvOS 26, iOS 26 and iPadOS 26, watchOS 26. An app may be able to break out of its sandbox.
|
|||||
| CVE-2025-43316 | 1 Apple | 2 Macos, Visionos | 2025-11-04 | N/A | 7.8 HIGH |
|
A permissions issue was addressed with additional restrictions. This issue is fixed in visionOS 26. A malicious app may be able to gain root privileges.
|
|||||
| CVE-2025-43311 | 1 Apple | 1 Macos | 2025-11-04 | N/A | 5.1 MEDIUM |
|
This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.8, macOS Sequoia 15.7. An app may be able to access protected user data.
|
|||||
| CVE-2025-43286 | 1 Apple | 1 Macos | 2025-11-04 | N/A | 7.8 HIGH |
|
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.8, macOS Sequoia 15.7. An app may be able to break out of its sandbox.
|
|||||
| CVE-2024-54466 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 5.3 MEDIUM |
|
An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An encrypted volume may be accessed by a different user without prompting for the password.
|
|||||
| CVE-2024-44265 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 2.4 LOW |
|
The issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An attacker with physical access can input Game Controller events to apps running on a locked device.
|
|||||
| CVE-2025-31194 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 9.8 CRITICAL |
|
An authentication issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A Shortcut may run with admin privileges without authentication.
|
|||||
| CVE-2025-31182 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-11-03 | N/A | 9.8 CRITICAL |
|
This issue was addressed with improved handling of symlinks. This issue is fixed in visionOS 2.4, macOS Ventura 13.7.5, tvOS 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to delete files for which it does not have permission.
|
|||||
| CVE-2025-30461 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 9.8 CRITICAL |
|
An access issue was addressed with additional sandbox restrictions on the system pasteboards. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.
|
|||||
| CVE-2025-24259 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 9.8 CRITICAL |
|
This issue was addressed with additional entitlement checks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to retrieve Safari bookmarks without an entitlement check.
|
|||||
| CVE-2025-24249 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 9.8 CRITICAL |
|
A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to check the existence of an arbitrary path on the file system.
|
|||||
| CVE-2025-24245 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 9.8 CRITICAL |
|
This issue was addressed by adding a delay between verification code attempts. This issue is fixed in macOS Sequoia 15.4. A malicious app may be able to access a user's saved passwords.
|
|||||
| CVE-2024-44156 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 7.1 HIGH |
|
A path deletion vulnerability was addressed by preventing vulnerable code from running with privileges. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to bypass Privacy preferences.
|
|||||
| CVE-2023-30581 | 1 Nodejs | 1 Node.js | 2025-11-03 | N/A | 7.5 HIGH |
|
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.
Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js
|
|||||
| CVE-2025-24181 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 9.8 CRITICAL |
|
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access protected user data.
|
|||||
| CVE-2025-24143 | 1 Apple | 4 Ipados, Macos, Safari and 1 more | 2025-11-03 | N/A | 6.5 MEDIUM |
|
The issue was addressed with improved access restrictions to the file system. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user.
|
|||||
| CVE-2025-24116 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 4.4 MEDIUM |
|
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to bypass Privacy preferences.
|
|||||
| CVE-2025-24108 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 5.5 MEDIUM |
|
An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.3. An app may be able to access protected user data.
|
|||||
| CVE-2025-24096 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 5.5 MEDIUM |
|
This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.3. A malicious app may be able to access arbitrary files.
|
|||||
| CVE-2025-30448 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-11-03 | N/A | 9.1 CRITICAL |
|
This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.7.6, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, visionOS 2.5, macOS Ventura 13.7.6, macOS Sequoia 15.4. An attacker may be able to turn on sharing of an iCloud folder without authentication.
|
|||||
| CVE-2025-59461 | 1 Sick | 2 Tloc100-100, Tloc100-100 Firmware | 2025-11-03 | N/A | 7.6 HIGH |
|
A remote unauthenticated attacker may use the unauthenticated C++ API to access or modify sensitive data and disrupt services.
|
|||||
| CVE-2025-43331 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 4.0 MEDIUM |
|
A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access protected user data.
|
|||||
| CVE-2025-43318 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 6.2 MEDIUM |
|
This issue was addressed with additional entitlement checks. This issue is fixed in macOS Tahoe 26. An app with root privileges may be able to access private information.
|
|||||
| CVE-2025-11702 | 1 Gitlab | 1 Gitlab | 2025-11-03 | N/A | 8.5 HIGH |
|
GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects.
|
|||||
| CVE-2025-8223 | 1 Jerryshensjf | 1 Jpacookieshop | 2025-10-31 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. This affects an unknown part of the file AdminTypeCustController.java. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailab ...
Show More |
|||||
| CVE-2025-62642 | 1 Rbi | 1 Restaurant Brands International Assistant | 2025-10-31 | N/A | 5.8 MEDIUM |
|
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account.
|
|||||
| CVE-2025-11705 | 2025-10-30 | N/A | 6.5 MEDIUM | ||
|
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
|
|||||
| CVE-2025-11632 | 2025-10-30 | N/A | 4.3 MEDIUM | ||
|
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to billing portal, where they can view and modify billing information of the connected, account, generate chat session tokens, view domain status, etc.
This v ...
Show More |
|||||
| CVE-2025-11881 | 2025-10-30 | N/A | 5.3 MEDIUM | ||
|
The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data including plugin and theme names and version numbers, which can be used to facilitate targeted attacks against outdated or vulnerable components.
|
|||||
| CVE-2025-10008 | 2025-10-30 | N/A | 5.3 MEDIUM | ||
|
The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options.
|
|||||
| CVE-2025-6205 | 1 3ds | 1 Delmia Apriso | 2025-10-29 | N/A | 9.1 CRITICAL |
|
A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application.
|
|||||
| CVE-2025-41443 | 1 Mattermost | 1 Mattermost Server | 2025-10-29 | N/A | 4.3 MEDIUM |
|
Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint
|
|||||
| CVE-2025-9133 | 1 Zyxel | 17 Atp100, Atp100w, Atp200 and 14 more | 2025-10-28 | N/A | 8.1 HIGH |
|
A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker—who has completed only the first stage of the two-factor authentication (2FA) process—to view and download the system configuration from an affected device.
|
|||||
| CVE-2025-26370 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 7.1 HIGH |
|
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests.
|
|||||
| CVE-2025-26373 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 6.5 MEDIUM |
|
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.
|
|||||
| CVE-2025-26377 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 8.1 HIGH |
|
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests.
|
|||||