Total: 1434 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-7628 | Inspireui | Mstore Api | 2025-05-21 | N/A | 8.1 HIGH | The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose comparison in the 'verify_id_token' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to an @flutter.io email address or phone number. This also requires Firebase to be configured on the website and the user to have set up Firebase for their account.
CVE-2025-48391 | | | 2025-05-21 | N/A | 7.7 HIGH | In JetBrains YouTrack before 2025.1.76253, deletion of issues was possible due to missing permission checks in the API.
CVE-2025-4008 | | | 2025-05-21 | N/A | N/A | The Meteobridge web interface lets Meteobridge administrators manage their weather station data collection and administer their Meteobridge system through a web application written in CGI shell scripts and C. This web interface exposes an endpoint that is vulnerable to command injection. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.
CVE-2025-47850 | | | 2025-05-21 | N/A | 4.3 MEDIUM | In JetBrains YouTrack before 2025.1.74704, restricted attachments could become visible after issue cloning.
CVE-2025-36535 | | | 2025-05-21 | N/A | 10.0 CRITICAL | The embedded web server lacks authentication and access controls, allowing unrestricted remote access. This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality.
CVE-2025-27803 | | | 2025-05-21 | N/A | 6.5 MEDIUM | The devices do not implement any authentication for the web interface or the MQTT server. An attacker who has network access to the device immediately gets administrative access to the devices and can perform arbitrary administrative actions and reconfigure the devices or potentially gain access to sensitive data.
CVE-2024-21007 | Oracle | Weblogic Server | 2025-05-21 | N/A | 7.5 HIGH | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2025-0129 | | | 2025-05-21 | N/A | N/A | An improper exception check in Palo Alto Networks Prisma Access Browser allows a low privileged user to prevent Prisma Access Browser from applying its Policy Rules. This enables the user to use Prisma Access Browser without any restrictions.
CVE-2025-0132 | | | 2025-05-16 | N/A | N/A | A missing authentication vulnerability in Palo Alto Networks Cortex XDR® Broker VM allows an unauthenticated user to disable certain internal services on the Broker VM. The attacker must have network access to the Broker VM to exploit this issue.
CVE-2025-32738 | | | 2025-05-16 | N/A | 5.3 MEDIUM | A missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings.
CVE-2024-42178 | Hcltech | Dryice Myxalytics | 2025-05-16 | N/A | 2.5 LOW | HCL MyXalytics is affected by a failure to restrict URL access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distribution.
CVE-2022-35136 | Boodskap | Iot Platform | 2025-05-15 | N/A | 6.5 MEDIUM | Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests.
CVE-2024-46506 | | | 2025-05-13 | N/A | 10.0 CRITICAL | NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php.
CVE-2024-23815 | | | 2025-05-13 | N/A | 7.5 HIGH | A vulnerability has been identified in Desigo CC (All versions if access from Installed Clients to Desigo CC server is allowed from networks outside of a highly protected zone), Desigo CC (All versions if access from Installed Clients to Desigo CC server is only allowed within highly protected zones). The affected server application fails to authenticate specific client requests. Modification of the client binary could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database via the event port (default: 4998/tcp).
CVE-2025-44039 | | | 2025-05-13 | N/A | 5.1 MEDIUM | CP-XR-DE21-S 4G Router Firmware version 1.031.022 was discovered to contain insecure protections for its UART console. This vulnerability allows local attackers to connect to the UART port via a serial connection and read the entire boot sequence, revealing internal system details and sensitive information without any authentication.
CVE-2025-4382 | | | 2025-05-12 | N/A | 5.9 MEDIUM | A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption. When GRUB is set to automatically decrypt disks using keys stored in the TPM, it reads the decryption key into system memory. If an attacker with physical access can corrupt the underlying filesystem superblock, GRUB will fail to locate a valid filesystem and enter rescue mode. At this point, the disk is already decrypted, and the decryption key remains loaded in system memory. This scenario may allow an attacker with physical access to access the unencrypted data without any further authentication, thereby compromising data confidentiality. Furthermore, the ability to force this state through filesystem corruption also presents a data integrity concern.
CVE-2025-4560 | | | 2025-05-12 | N/A | 6.5 MEDIUM | The ISOinsight from Netvision has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access certain system functions. These functions include viewing the administrator list, viewing and editing IP settings, and uploading files.
CVE-2025-4555 | | | 2025-05-12 | N/A | 9.8 CRITICAL | The web management interface of Okcat Parking Management Platform from ZONG YU has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access system functions. These functions include opening gates, viewing license plates and parking records, and restarting the system.
CVE-2025-4557 | | | 2025-05-12 | N/A | 9.1 CRITICAL | Specific APIs of Parking Management System from ZONG YU have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access those APIs and operate system functions. These functions include opening gates and restarting the system.
CVE-2022-3327 | Ikus-soft | Rdiffweb | 2025-05-09 | N/A | 9.8 CRITICAL | Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6.