Total
3015 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-59943 | 2025-10-03 | N/A | 8.1 HIGH | ||
| phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause account ambiguity and, in certain configurations, may lead to privilege escalation or account takeover. This issue is fixed in version 4.0.13. | |||||
| CVE-2025-36351 | 1 Ibm | 1 License Metric Tool | 2025-10-03 | N/A | 4.3 MEDIUM |
| IBM License Metric Tool 9.2.0 through 9.2.40 could allow an authenticated user to bypass access controls in the REST API interface and perform unauthorized actions. | |||||
| CVE-2023-50300 | 1 Ibm | 1 Transformation Extender Advanced | 2025-10-03 | N/A | 5.1 MEDIUM |
| IBM Transformation Extender Advanced 10.0.1 could allow a local user to perform unauthorized actions due to improper access controls. | |||||
| CVE-2025-54591 | 1 Freshrss | 1 Freshrss | 2025-10-03 | N/A | 7.5 HIGH |
| FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below expose information about feeds and tags of default admin users, due to lack of access checking in the FreshRSS_Auth::hasAccess() function used by some of the tag/feed related endpoints. FreshRSS controllers usually have a defined firstAction() method with an override to make sure that every action requires access. If one doesn't, then every action has to check for access manually, and certain endpoints use neither the firstAction() method, or do they perform a manual access check. This issue is fixed in version 1.27.0. | |||||
| CVE-2025-54875 | 1 Freshrss | 1 Freshrss | 2025-10-03 | N/A | 9.8 CRITICAL |
| FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration is enabled through the use of a hidden field used only in the user management admin page, new_user_is_admin. This is fixed in version 1.27.0. | |||||
| CVE-2025-11078 | 1 Angeljudesuarez | 1 Open Source Job Portal | 2025-10-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in itsourcecode Open Source Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/user/controller.php?action=photos. The manipulation of the argument photo leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | |||||
| CVE-2025-4291 | 1 Ideacms | 1 Ideacms | 2025-10-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in IdeaCMS up to 1.6. Affected is the function saveUpload. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-11103 | 1 Projectworlds | 1 Online Tours And Travels | 2025-10-03 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security vulnerability has been detected in Projectworlds Online Tours and Travels 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/change-image.php. The manipulation of the argument packageimage leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2024-45432 | 1 Opensynergy | 1 Blue Sdk | 2025-10-02 | N/A | 7.5 HIGH |
| OpenSynergy BlueSDK (aka Blue SDK) through 6.x mishandles a function call. The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from an incorrect variable used as a function argument. An attacker can leverage this to cause unexpected behavior or obtain sensitive information. | |||||
| CVE-2025-10321 | 1 Wavlink | 2 Wl-wn578w2, Wl-wn578w2 Firmware | 2025-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is an unknown function of the file /live_online.shtml. Executing manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-57266 | 2025-10-02 | N/A | 9.8 CRITICAL | ||
| An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the /api/assistant/list endpoint. | |||||
| CVE-2025-11163 | 2025-10-02 | N/A | 4.3 MEDIUM | ||
| The SmartCrawl SEO checker, analyzer & optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_submodule() function in all versions up to, and including, 3.14.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's setttings. | |||||
| CVE-2025-55797 | 2025-10-02 | N/A | 6.5 MEDIUM | ||
| An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/[schemaId] endpoint allows unauthenticated attackers to access historical schema data if a valid schemaId is known or guessed. | |||||
| CVE-2025-10847 | 2025-10-02 | N/A | N/A | ||
| DX Unified Infrastructure Management (Nimsoft/UIM) and below contains an improper ACL handling vulnerability in the robot (controller) component. A remote attacker can execute commands, read from, or write to the target system. | |||||
| CVE-2025-20366 | 2025-10-02 | N/A | 6.5 MEDIUM | ||
| In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background. If the low privileged user guesses the search job’s unique Search ID (SID), the user could retrieve the results of that job, potentially exposing sensitive search results. For more information see https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/about-jobs-and-job-management and https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/manage-search-jobs. | |||||
| CVE-2025-59951 | 2025-10-02 | N/A | N/A | ||
| Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The official Docker image for Termix versions 1.5.0 and below, due to being configured with an Nginx reverse proxy, causes the backend to retrieve the proxy's IP instead of the client's IP when using the req.ip method. This results in isLocalhost always returning True. Consequently, the /ssh/db/host/internal endpoint can be accessed directly without login or authentication. This endpoint records the system's stored SSH host information, including addresses, usernames, and passwords, posing an extremely high security risk. Users who use the official Termix docker image, build their own image using the official dockerfile, or utilize reverse proxy functionality will be affected by this vulnerability. This issue is fixed in version 1.6.0. | |||||
| CVE-2025-58055 | 2025-10-02 | N/A | 4.3 MEDIUM | ||
| Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topic_id” value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model’s responses then disclosed information that the authenticated user couldn’t normally access. This issue is fixed in version 3.5.1. To workaround this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings. | |||||
| CVE-2025-54116 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-10-02 | N/A | 7.3 HIGH |
| Improper access control in Windows MultiPoint Services allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2024-41912 | 1 Hp | 1 Poly Clariti Manager | 2025-10-02 | N/A | 9.8 CRITICAL |
| A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The firmware flaw does not properly implement access controls. | |||||
| CVE-2025-54098 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-10-02 | N/A | 7.8 HIGH |
| Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally. | |||||