Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-57817 | 1 Ethyca | 1 Fides | 2025-09-10 | N/A | 7.2 HIGH |
|
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with `client:create` or `client:update` permissions to escalate their privileges to owner-level. Version 2.69.1 fixes the issue. No known workarounds are available.
|
|||||
| CVE-2024-38002 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-09-10 | N/A | 9.0 CRITICAL |
|
The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API.
|
|||||
| CVE-2025-59017 | 1 Typo3 | 1 Typo3 | 2025-09-10 | N/A | 8.8 HIGH |
|
Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.
|
|||||
| CVE-2025-32688 | 2025-09-09 | N/A | 5.4 MEDIUM | ||
|
Missing Authorization vulnerability in Sovica Target Video Easy Publish. This issue affects Target Video Easy Publish: from n/a through 3.8.8.
|
|||||
| CVE-2025-42915 | 2025-09-09 | N/A | 5.4 MEDIUM | ||
|
Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific user groups.This issue could impact both the confidentiality and integrity of the application without affecting the availability.
|
|||||
| CVE-2025-42912 | 2025-09-09 | N/A | 6.5 MEDIUM | ||
|
SAP HCM My Timesheet Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality and availability remain unaffected.
|
|||||
| CVE-2025-42913 | 2025-09-09 | N/A | 3.1 LOW | ||
|
Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. Confidentiality and availability are not impacted.
|
|||||
| CVE-2025-9542 | 2025-09-09 | N/A | 5.4 MEDIUM | ||
|
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin's functions in all versions up to, and including, 5.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify integration settings or view existing automations.
|
|||||
| CVE-2025-42914 | 2025-09-09 | N/A | 3.1 LOW | ||
|
Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. Confidentiality and availability are not impacted.
|
|||||
| CVE-2025-42917 | 2025-09-09 | N/A | 6.5 MEDIUM | ||
|
SAP HCM Approve Timesheets Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality and availability remain unaffected.
|
|||||
| CVE-2025-47792 | 1 Nextcloud | 1 Desktop | 2025-09-08 | N/A | 5.0 MEDIUM |
|
Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextcloud Desktop prior to 3.15, 3rdparty applications already installed on a user machine can create link shares for almost all data via the socket API. These shares can then be easily sent off to an external service. Nextcloud Desktop fixes the issue in version 3.15. No known workarounds are available.
|
|||||
| CVE-2025-48547 | 1 Google | 1 Android | 2025-09-08 | N/A | 7.3 HIGH |
|
In multiple locations, there is a possible one-time permission bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
|
|||||
| CVE-2024-0028 | 1 Google | 1 Android | 2025-09-08 | N/A | 5.5 MEDIUM |
|
In Audio Service, there is a possible way to obtain MAC addresses of nearby Bluetooth devices due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-36326 | 2025-09-08 | N/A | 8.4 HIGH | ||
|
Missing authorization in AMD RomArmor could allow an attacker to bypass ROMArmor protections during system resume from a standby state, potentially resulting in a loss of confidentiality and integrity.
|
|||||
| CVE-2025-7040 | 2025-09-08 | N/A | 8.2 HIGH | ||
|
The Cloud SAML SSO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'set_organization_settings' action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. The handler reads client-supplied POST parameters for organization settings and passes them directly to update_option() without any check of the user’s capabilities or a CSRF nonce. This makes it possible for unauthenticated attackers to change crit ...
Show More |
|||||
| CVE-2025-26437 | 1 Google | 1 Android | 2025-09-08 | N/A | 5.5 MEDIUM |
|
In CredentialManagerServiceStub of CredentialManagerService.java, there is a possible way to retrieve candidate credentials due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-26445 | 1 Google | 1 Android | 2025-09-08 | N/A | 5.5 MEDIUM |
|
In offerNetwork of ConnectivityService.java, there is a possible leak of sensitive data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-26440 | 1 Google | 1 Android | 2025-09-08 | N/A | 7.8 HIGH |
|
In multiple functions of CameraService.cpp, there is a possible way to use the camera from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-26450 | 1 Google | 1 Android | 2025-09-08 | N/A | 7.8 HIGH |
|
In onInputEvent of IInputMethodSessionWrapper.java, there is a possible way for an untrusted app to inject key and motion events to the default IME due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-48524 | 1 Google | 1 Android | 2025-09-08 | N/A | 5.5 MEDIUM |
|
In isSystem of WifiPermissionsUtil.java, there is a possible permission bypass due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-0076 | 1 Google | 1 Android | 2025-09-05 | N/A | 3.3 LOW |
|
In multiple locations, there is a possible way to view icons belonging to another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-22414 | 1 Google | 1 Android | 2025-09-05 | N/A | 7.8 HIGH |
|
In FrpBypassAlertActivity of FrpBypassAlertActivity.java, there is a possible way to bypass FRP due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-48549 | 1 Google | 1 Android | 2025-09-05 | N/A | 7.8 HIGH |
|
In multiple locations, there is a possible way to record audio via a background app due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2025-58816 | 2025-09-05 | N/A | 3.5 LOW | ||
|
Missing Authorization vulnerability in Plugin Devs Product Carousel Slider for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Carousel Slider for Elementor: from n/a through 2.1.3.
|
|||||
| CVE-2025-58813 | 2025-09-05 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in ThemeArile Consultstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Consultstreet: from n/a through 3.0.0.
|
|||||
| CVE-2025-58817 | 2025-09-05 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in DesertThemes SoftMe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SoftMe: from n/a through 1.1.24.
|
|||||
| CVE-2025-58785 | 2025-09-05 | N/A | 5.4 MEDIUM | ||
|
Missing Authorization vulnerability in jbhovik Ray Enterprise Translation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ray Enterprise Translation: from n/a through 1.7.1.
|
|||||
| CVE-2025-58783 | 2025-09-05 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in gutentor Gutentor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutentor: from n/a through 3.5.1.
|
|||||
| CVE-2025-58824 | 2025-09-05 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in webriti Shk Corporate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shk Corporate: from n/a through 2.4.1.1.
|
|||||
| CVE-2025-53571 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
|
Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.6.
|
|||||
| CVE-2025-54744 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
|
Missing Authorization vulnerability in Stylemix MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MasterStudy LMS: from n/a through 3.6.15.
|
|||||
| CVE-2025-3124 | 1 Github | 1 Enterprise Server | 2025-09-05 | N/A | 4.3 MEDIUM |
|
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed a user to see the names of private repositories that they wouldn't otherwise have access to in the Security Overview in GitHub Advanced Security. The Security Overview was required to be filtered only using the `archived:` filter and all other access controls were functioning normally. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.17 and was fixed in versions 3.13.14, 3 ...
Show More |
|||||
| CVE-2024-54679 | 1 Cyberpanel | 1 Cyberpanel | 2025-09-05 | N/A | 4.3 MEDIUM |
|
CyberPanel (aka Cyber Panel) before 6778ad1 does not require the FilemanagerAdmin capability for restartMySQL actions.
|
|||||
| CVE-2025-52554 | 1 N8n | 1 N8n | 2025-09-04 | N/A | 4.3 MEDIUM |
|
n8n is a workflow automation platform. Prior to version 1.99.1, an authorization vulnerability was discovered in the /rest/executions/:id/stop endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading to potential business disruption. This issue has been patched in version 1.99.1. A workaround involves restricting access to the /rest/executions/:id/stop endpoint via reverse proxy or API gateway.
|
|||||
| CVE-2025-9747 | 1 Benjaminjonard | 1 Koillection | 2025-09-04 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability has been found in Koillection up to 1.6.18. Affected is an unknown function of the file assets/controllers/csrf_protection_controller.js. Such manipulation leads to cross-site request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 is able to address this issue. The name of the patch is 9ab8562d3f1e953da93fed63f9ee802c7ea26a9a. It is suggested to upgrade the affected component. The vendor expla ...
Show More |
|||||
| CVE-2025-22439 | 1 Google | 1 Android | 2025-09-04 | N/A | 7.3 HIGH |
|
In onLastAccessedStackLoaded of ActionHandler.java , there is a possible way to bypass storage restrictions across apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
|
|||||
| CVE-2025-9219 | 2025-09-04 | N/A | 4.3 MEDIUM | ||
|
The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_post_smtp_pro_option_callback' function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable pro extensions.
|
|||||
| CVE-2025-3701 | 2025-09-04 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in Malcure Web Security Malcure Malware Scanner allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Malcure Malware Scanner: from n/a through 16.8.
|
|||||
| CVE-2025-58600 | 2025-09-04 | N/A | 5.3 MEDIUM | ||
|
Missing Authorization vulnerability in Cozmoslabs Paid Member Subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Member Subscriptions: from n/a through 2.15.9.
|
|||||
| CVE-2025-58634 | 2025-09-04 | N/A | 5.3 MEDIUM | ||
|
Missing Authorization vulnerability in peachpay PeachPay Payments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PeachPay Payments: from n/a through 1.117.4.
|
|||||