Total: 6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46745 | | | 2025-10-02 | N/A | 6.5 MEDIUM |
|
An authenticated user without user-management permissions could view other users' account information.
|
|||||
| CVE-2025-5692 | 1 Smackcoders | 1 Lead Form Data Collection To Crm | 2025-09-30 | N/A | 6.3 MEDIUM |
|
The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was deter ...
|
|||||
| CVE-2021-39810 | 1 Google | 1 Android | 2025-09-30 | N/A | 7.8 HIGH |
|
In verifyDefaults of CardEmulationManager.java, there is a possible way to set a third party app as the default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-50052 | 1 Mattermost | 1 Mattermost Server | 2025-09-29 | N/A | 4.3 MEDIUM |
|
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post.
|
|||||
| CVE-2025-53374 | 1 Dokploy | 1 Dokploy | 2025-09-29 | N/A | 4.3 MEDIUM |
|
Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated low-privileged account can retrieve detailed profile information about other users in the same organization by directly invoking user.one. The response discloses personally identifiable information (PII) such as e-mail address, role, two-factor status, organization ID, and various account flags. The fix will be available in v0.23.7.
|
|||||
| CVE-2025-10871 | 1 Gitlab | 1 Gitlab | 2025-09-29 | N/A | 3.8 LOW |
|
An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Project Maintainers can exploit a vulnerability where they can assign custom roles to users with permissions exceeding their own, effectively granting themselves elevated privileges.
|
|||||
| CVE-2025-46586 | 1 Huawei | 1 Harmonyos | 2025-09-26 | N/A | 5.1 MEDIUM |
|
Permission control vulnerability in the contacts module
Impact: Successful exploitation of this vulnerability may affect availability.
|
|||||
| CVE-2025-31171 | 1 Huawei | 1 Harmonyos | 2025-09-26 | N/A | 6.8 MEDIUM |
|
File read permission bypass vulnerability in the kernel file system module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2024-5899 | 1 Google | 3 Bazel For Android Studio, Bazel For Clion, Bazel For Intellij | 2025-09-26 | N/A | 3.3 LOW |
|
When the Bazel plugin in IntelliJ imports a project (either using "import project" or "Auto import"), the dialog for trusting the project is not displayed. This comes from the fact that both call the method ProjectBuilder.createProject, which then calls ProjectManager.getInstance().createProject. This method, as its name suggests, is intended to create a new project, not to import an existing one.
We recommend upgrading to version 2024.06.04.0.2 or beyond for the IntelliJ, CLion and Android Studio Baz ...
|
|||||
| CVE-2025-60143 | | | 2025-09-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in netgsm Netgsm allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Netgsm: from n/a through 2.9.58.
|
|||||
| CVE-2025-60130 | | | 2025-09-26 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in wedos.com WEDOS Global allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WEDOS Global: from n/a through 1.2.2.
|
|||||
| CVE-2025-60096 | | | 2025-09-26 | N/A | 5.4 MEDIUM |
|
Missing Authorization vulnerability in CodexThemes TheGem (Elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TheGem (Elementor): from n/a through 5.10.5.
|
|||||
| CVE-2025-48326 | | | 2025-09-26 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in Acclectic Media Acclectic Media Organizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Acclectic Media Organizer: from n/a through 1.4.
|
|||||
| CVE-2025-60155 | | | 2025-09-26 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in loopus WP Virtual Assistant allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Virtual Assistant: from n/a through 3.0.
|
|||||
| CVE-2025-10173 | | | 2025-09-26 | N/A | 2.7 LOW |
|
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings.
|
|||||
| CVE-2025-60097 | | | 2025-09-26 | N/A | 5.4 MEDIUM |
|
Missing Authorization vulnerability in CodexThemes TheGem allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TheGem: from n/a through 5.10.5.
|
|||||
| CVE-2025-60165 | | | 2025-09-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in HaruTheme Frames allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frames: from n/a through 1.5.7.
|
|||||
| CVE-2025-60127 | | | 2025-09-26 | N/A | 5.4 MEDIUM |
|
Missing Authorization vulnerability in ArtistScope CopySafe Web Protection allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CopySafe Web Protection: from n/a through 4.3.
|
|||||
| CVE-2025-59011 | | | 2025-09-26 | N/A | 7.5 HIGH |
|
Missing Authorization vulnerability in shinetheme Traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through n/a.
|
|||||
| CVE-2025-60098 | | | 2025-09-26 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in Jeff Farthing Theme My Login allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theme My Login: from n/a through 7.1.12.
|
|||||
| CVE-2025-60103 | | | 2025-09-26 | N/A | 5.4 MEDIUM |
|
Missing Authorization vulnerability in CridioStudio ListingPro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through 2.9.8.
|
|||||
| CVE-2025-60123 | | | 2025-09-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in HivePress HivePress Claim Listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HivePress Claim Listings: from n/a through 1.1.3.
|
|||||
| CVE-2025-58919 | | | 2025-09-26 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in guihom Wide Banner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wide Banner: from n/a through 1.0.4.
|
|||||
| CVE-2025-60121 | | | 2025-09-26 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in Ex-Themes WooEvents allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooEvents: from n/a through 4.1.7.
|
|||||
| CVE-2025-60094 | | | 2025-09-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Benjamin Intal Stackable allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stackable: from n/a through 3.18.1.
|
|||||
| CVE-2025-60128 | | | 2025-09-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in WP Delicious Delisho allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Delisho: from n/a through 1.1.3.
|
|||||
| CVE-2025-60159 | | | 2025-09-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in webmaniabr Nota Fiscal Eletrônica WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nota Fiscal Eletrônica WooCommerce: from n/a through 3.4.0.6.
|
|||||
| CVE-2025-60122 | | | 2025-09-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in HivePress HivePress Claim Listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HivePress Claim Listings: from n/a through 1.1.3.
|
|||||
| CVE-2025-60106 | | | 2025-09-26 | N/A | 4.9 MEDIUM |
|
Missing Authorization vulnerability in Roxnor EmailKit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EmailKit: from n/a through 1.6.0.
|
|||||
| CVE-2025-60120 | | | 2025-09-26 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in wpdirectorykit WP Directory Kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Directory Kit: from n/a through 1.3.8.
|
|||||
| CVE-2025-9984 | | | 2025-09-26 | N/A | 5.3 MEDIUM |
|
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, and including, 5.2.7. This makes it possible for unauthenticated attackers to read private/password protected posts.
|
|||||
| CVE-2025-60129 | | | 2025-09-26 | N/A | 5.3 MEDIUM |
|
Missing Authorization vulnerability in Yext Yext allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Yext: from n/a through 1.1.3.
|
|||||
| CVE-2025-60166 | | | 2025-09-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in wpshuffle WP Subscription Forms PRO allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Subscription Forms PRO: from n/a through 2.0.5.
|
|||||
| CVE-2025-60148 | | | 2025-09-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in wpshuffle Subscribe to Download allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe to Download: from n/a through 2.0.9.
|
|||||
| CVE-2025-60152 | | | 2025-09-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in wpshuffle Subscribe To Unlock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe To Unlock: from n/a through 1.1.5.
|
|||||
| CVE-2025-54458 | 1 Mattermost | 1 Confluence | 2025-09-25 | N/A | 5.0 MEDIUM |
|
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to create a subscription for a Confluence space the user does not have access to via the create subscription endpoint.
|
|||||
| CVE-2025-53910 | 1 Mattermost | 1 Confluence | 2025-09-25 | N/A | 4.0 MEDIUM |
|
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create a channel subscription without proper access to the channel via API call to the edit channel subscription endpoint.
|
|||||
| CVE-2025-53857 | 1 Mattermost | 1 Confluence | 2025-09-25 | N/A | 3.7 LOW |
|
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint.
|
|||||
| CVE-2025-48731 | 1 Mattermost | 1 Confluence | 2025-09-25 | N/A | 6.4 MEDIUM |
|
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have access to via the edit subscription endpoint.
|
|||||
| CVE-2025-44001 | 1 Mattermost | 1 Confluence | 2025-09-25 | N/A | 4.0 MEDIUM |
|
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions details endpoint.
|
|||||