Total
1321 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4226 | 1 Octopus | 1 Octopus Server | 2025-06-27 | N/A | 3.5 LOW |
| It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed. | |||||
| CVE-2025-39201 | 2025-06-26 | N/A | 6.1 MEDIUM | ||
| A vulnerability exists in MicroSCADA X SYS600 product. If exploited this could allow a local unauthenticated attacker to tamper a system file, making denial of Notify service. | |||||
| CVE-2025-6264 | 2025-06-23 | N/A | 5.5 MEDIUM | ||
| Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions like EXECVE to launch. The Admin.Client.UpdateClientConfig is an artifact used to update the client's configuration. This artifact did not enforce an additional required permission, allowing users with COLLECT_CLIENT permissions (normally given by the "Investigator" role) to collect it from endpoints and update the configuration. This can lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint (i.e. have the COLLECT_CLIENT given typically by the "Investigator' role). | |||||
| CVE-2025-5255 | 2025-06-23 | N/A | N/A | ||
| The Phoenix Code's configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation" allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to successfully inject code in application's context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in commit 0c75fb57f89d0b7d9b180026bc2624b7dcf807da | |||||
| CVE-2025-5963 | 2025-06-23 | N/A | N/A | ||
| The Postbox's configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation" allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to successfully inject code in application's context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. The original company behind Postbox is no longer operational, the software will no longer receive updates. The acquiring company (em Client) did not cooperate in vulnerability disclosure. | |||||
| CVE-2025-49144 | 2025-06-23 | N/A | 7.3 HIGH | ||
| Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2. | |||||
| CVE-2022-4964 | 1 Canonical | 1 Ubuntu Pipewire-pulse | 2025-06-20 | N/A | 5.5 MEDIUM |
| Ubuntu's pipewire-pulse in snap grants microphone access even when the snap interface for audio-record is not set. | |||||
| CVE-2024-55225 | 1 Dani-garcia | 1 Vaultwarden | 2025-06-20 | N/A | 9.8 CRITICAL |
| An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request. | |||||
| CVE-2023-1907 | 1 Pgadmin | 1 Pgadmin | 2025-06-20 | N/A | 8.0 HIGH |
| A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously. | |||||
| CVE-2024-43176 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2025-06-20 | N/A | 5.4 MEDIUM |
| IBM OpenPages 9.0 could allow an authenticated user to obtain sensitive information such as configurations that should only be available to privileged users. | |||||
| CVE-2025-48070 | 1 Plane | 1 Plane | 2025-06-20 | N/A | 3.5 LOW |
| Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site scripting (XSS). Version 0.23 fixes the issue. | |||||
| CVE-2024-21123 | 1 Oracle | 1 Database Server | 2025-06-18 | N/A | 2.3 LOW |
| Vulnerability in the Oracle Database Core component of Oracle Database Server. Supported versions that are affected are 19.3-19.23. Easily exploitable vulnerability allows high privileged attacker having SYSDBA privilege with logon to the infrastructure where Oracle Database Core executes to compromise Oracle Database Core. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Core accessible data. CVSS 3.1 Base Score 2.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). | |||||
| CVE-2025-49843 | 2025-06-18 | N/A | N/A | ||
| conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_headers function in the conda-smithy repository creates files with permissions exceeding 0o600, allowing read and write access beyond the intended user/owner. This violates the principle of least privilege, which mandates restricting file permissions to the minimum necessary. An attacker could exploit this to access configuration files in shared hosting environments. This issue has been patched in version 3.47.1. | |||||
| CVE-2025-49842 | 2025-06-17 | N/A | N/A | ||
| conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. Prior to version 2025.3.24, the conda_forge_webservice Docker container executes commands without specifying a user. By default, Docker containers run as the root user, which increases the risk of privilege escalation and host compromise if a vulnerability is exploited. This issue has been patched in version 2025.3.24. | |||||
| CVE-2025-36632 | 2025-06-17 | N/A | 7.8 HIGH | ||
| In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could execute code with SYSTEM privilege. | |||||
| CVE-2024-52323 | 1 Zohocorp | 1 Manageengine Analytics Plus | 2025-06-17 | N/A | 8.1 HIGH |
| Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin account. | |||||
| CVE-2024-21122 | 1 Oracle | 1 Peoplesoft Enterprise Hcm Shared Components | 2025-06-17 | N/A | 5.4 MEDIUM |
| Vulnerability in the PeopleSoft Enterprise HCM Shared Components product of Oracle PeopleSoft (component: Text Catalog). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Shared Components. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Shared Components, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Shared Components accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Shared Components accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2025-23105 | 1 Samsung | 6 Exynos 1480, Exynos 1480 Firmware, Exynos 2200 and 3 more | 2025-06-13 | N/A | 7.8 HIGH |
| An issue was discovered in Samsung Mobile Processor Exynos 2200, 1480, and 2400. A Use-After-Free in the mobile processor leads to privilege escalation. | |||||
| CVE-2022-41572 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2025-06-13 | N/A | 9.8 CRITICAL |
| An issue was discovered in EyesOfNetwork (EON) through 5.3.11. Privilege escalation can be accomplished on the server because nmap can be run as root. The attacker achieves total control over the server. | |||||
| CVE-2025-49006 | 2025-06-12 | N/A | N/A | ||
| Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementation (affecting only Keycloak with a specific config). Wasp currently lowercases OAuth user IDs before storing / fetching them. This behavior violates OAuth and OpenID Connect specifications and can result in user impersonation, account collisions, and privilege escalation. In practice, out of the OAuth providers that Wasp auth supports, only Keycloak is affected. Keycloak uses a lowercase UUID by default, but users can configure it to be case sensitive, making it affected. Google, GitHub, and Discord use numerical IDs, making them not affected. Users should update their Wasp version to `0.16.6` which has a fix for the problematic behavior. Users using Keycloak can work around the issue by not using a case sensitive user ID in their realm configuration. | |||||