Total: 1559 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-37767 | 1 B1ackc4t | 1 14finger | 2025-07-01 | N/A | 7.5 HIGH |
Insecure permissions in the component /api/admin/user of 14Finger v1.1 allow attackers to access all user information via a crafted GET request. | |||||
CVE-2022-38057 | 1 Themehunk | 1 Th Advance Product Search | 2025-06-30 | N/A | 6.5 MEDIUM |
Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin. This issue affects Advance WordPress Search Plugin: from n/a through 1.2.1. | |||||
CVE-2025-3699 | | | 2025-06-30 | N/A | 9.8 CRITICAL |
Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 Version 3.37 and prior, G-50-W Version 3.37 and prior, G-50A Version 3.37 and prior, GB-50 Version 3.37 and prior, GB-50A Version 3.37 and prior, GB-24A Version 9.12 and prior, G-150AD Version 3.21 and prior, AG-150A-A Version 3.21 and prior, AG-150A-J Version 3.21 and prior, GB-50AD Version 3.21 and prior, GB-50ADA-A Version 3.21 and prior, GB-50ADA-J Version 3.21 and prior, EB-50GU-A Version 7.11 and prior, EB-50GU-J Version 7.11 and prior, AE-200J Version 8.01 and prior, AE-200A Version 8.01 and prior, AE-200E Version 8.01 and prior, AE-50J Version 8.01 and prior, AE-50A Version 8.01 and prior, AE-50E Version 8.01 and prior, EW-50J Version 8.01 and prior, EW-50A Version 8.01 and prior, EW-50E Version 8.01 and prior, TE-200A Version 8.01 and prior, TE-50A Version 8.01 and prior, TW-50A Version 8.01 and prior, and CMS-RMD-J Version 1.40 and prior allows a remote unauthenticated attacker to bypass authentication and then control the air conditioning systems illegally, or disclose information in them by exploiting this vulnerability. In addition, the attacker may tamper with firmware for them using the disclosed information. | |||||
CVE-2025-6763 | | | 2025-06-30 | 6.8 MEDIUM | 7.5 HIGH |
A vulnerability classified as critical was found in Comet System T0510, T3510, T3511, T4511, T6640, T7511, T7611, P8510, P8552 and H3531 1.60. This vulnerability affects unknown code of the file /setupA.cfg of the component Web-based Management Interface. The manipulation leads to missing authentication. Access to the local network is required for this attack. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2024-8419 | | | 2025-06-30 | N/A | 7.5 HIGH |
The endpoint hosts a script that allows an unauthorized remote attacker to put the system in a fail-safe state over the network due to missing authentication. | |||||
CVE-2025-5310 | | | 2025-06-30 | N/A | 9.8 CRITICAL |
Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented and unauthenticated target communication framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution. | |||||
CVE-2025-0108 | 1 Paloaltonetworks | 1 Pan-os | 2025-06-27 | N/A | 9.1 CRITICAL |
An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue does not affect Cloud NGFW or Prisma Access software. | |||||
CVE-2025-32978 | | | 2025-06-26 | N/A | 7.5 HIGH |
Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) allows unauthenticated users to replace system licenses through a web interface intended for license renewal. Attackers can exploit this to replace valid licenses with expired or trial licenses, causing denial of service. | |||||
CVE-2025-3090 | | | 2025-06-26 | N/A | 8.2 HIGH |
An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for critical function. | |||||
CVE-2025-34039 | | | 2025-06-26 | N/A | N/A |
A code injection vulnerability exists in Yonyou UFIDA NC v6.5 and prior due to the exposure of the BeanShell testing servlet (bsh.servlet.BshServlet) without proper access controls. The servlet allows unauthenticated remote attackers to execute arbitrary Java code via the bsh.script parameter. This can be exploited to run system commands and ultimately gain full control over the target server. The issue is rooted in a third-party JAR component bundled with the application, and the servlet is accessible without authentication on vulnerable installations. | |||||
CVE-2025-6678 | | | 2025-06-26 | N/A | 7.5 HIGH |
Autel MaxiCharger AC Wallbox Commercial PIN Missing Authentication Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Pile API. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-26352. | |||||
CVE-2025-21535 | 1 Oracle | 1 Weblogic Server | 2025-06-23 | N/A | 9.8 CRITICAL |
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
CVE-2023-51947 | 1 Actidata | 2 Actinas Sl 2u-8 Rdx, Actinas Sl 2u-8 Rdx Firmware | 2025-06-20 | N/A | 9.1 CRITICAL |
Improper access control on nasSvr.php in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to read and modify different types of data without authentication. | |||||
CVE-2023-51987 | 1 Dlink | 2 Dir-822, Dir-822 Firmware | 2025-06-20 | N/A | 9.8 CRITICAL |
D-Link DIR-822+ V1.0.2 contains a login bypass in the HNAP1 interface, which allows attackers to log in to administrator accounts with empty passwords. | |||||
CVE-2025-26468 | 1 Cyberdata | 1 011209 Sip Emergency Intercom | 2025-06-20 | N/A | 7.5 HIGH |
CyberData 011209 Intercom exposes features that could allow an unauthenticated attacker to gain access and cause a denial-of-service condition or system disruption. | |||||
CVE-2023-39457 | 1 Trianglemicroworks | 1 Scada Data Gateway | 2025-06-17 | N/A | 9.8 CRITICAL |
Triangle MicroWorks SCADA Data Gateway Missing Authentication Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Triangle MicroWorks SCADA Data Gateway. Authentication is not required to exploit this vulnerability. The specific flaw exists due to the lack of user authentication. The issue results from missing authentication in the default system configuration. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. Was ZDI-CAN-20501. | |||||
CVE-2023-39466 | 1 Trianglemicroworks | 1 Scada Data Gateway | 2025-06-17 | N/A | 5.3 MEDIUM |
Triangle MicroWorks SCADA Data Gateway get_config Missing Authentication Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Triangle MicroWorks SCADA Data Gateway. Authentication is not required to exploit this vulnerability. The specific flaw exists within the get_config endpoint. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose sensitive information. Was ZDI-CAN-20797. | |||||
CVE-2024-3701 | 1 Tecno | 1 Hios | 2025-06-17 | N/A | 9.8 CRITICAL |
The system application (com.transsion.kolun.aiservice) component does not perform an authentication check, which allows attackers to perform malicious exploitations and affect system services. | |||||
CVE-2024-46506 | 1 Netalertx | 1 Netalertx | 2025-06-17 | N/A | 10.0 CRITICAL |
NetAlertX 23.01.14 through 24.x before 24.10.12 allows unauthenticated command injection via settings update because function=savesettings lacks an authentication requirement, as exploited in the wild in May 2025. This is related to settings.php and util.php. | |||||
CVE-2024-1076 | 1 Sslzen | 1 Ssl Zen | 2025-06-17 | N/A | 6.5 MEDIUM |
The SSL Zen WordPress plugin before 4.6.0 does not properly prevent directory listing of the private keys folder, as it only relies on the use of .htaccess to prevent visitors from accessing the site's generated private keys, which allows an attacker to read them if the site runs on a server that doesn't support .htaccess files, like NGINX. |