Total
2135 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10219 | 1 Gitlab | 1 Gitlab | 2025-08-14 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users to bypass access controls and download private artifacts by accessing specific API endpoints. | |||||
| CVE-2024-39690 | 1 Projectcapsule | 1 Capsule | 2025-08-14 | N/A | 8.4 HIGH |
| Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace. Version 0.7.1 contains a patch. | |||||
| CVE-2025-8068 | 1 Hasthemes | 1 Ht Mega | 2025-08-13 | N/A | 4.3 MEDIUM |
| The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary attachment files, and move arbitrary posts, pages, and templates to the Trash. | |||||
| CVE-2025-8796 | 2025-08-13 | 5.5 MEDIUM | 5.4 MEDIUM | ||
| A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/delete_project/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-42124 | 1 Avast | 1 Premium Security | 2025-08-13 | N/A | 7.8 HIGH |
| Avast Premium Security Sandbox Protection Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Premium Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of the sandbox feature. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code outside the sandbox at medium integrity. . Was ZDI-CAN-20178. | |||||
| CVE-2025-2242 | 1 Gitlab | 1 Gitlab | 2025-08-13 | N/A | 7.5 HIGH |
| An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects. | |||||
| CVE-2025-8807 | 2025-08-12 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-42951 | 2025-08-12 | N/A | 8.8 HIGH | ||
| Due to broken authorization, SAP Business One (SLD) allows an authenticated attacker to gain administrator privileges of a database by invoking the corresponding API.�As a result , it has a high impact on the confidentiality, integrity, and availability of the application. | |||||
| CVE-2024-41979 | 2025-08-12 | N/A | 7.1 HIGH | ||
| A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not enforce mandatory authorization on some functionality level at server side. This could allow an authenticated attacker to gain complete access of the application. | |||||
| CVE-2025-3879 | 1 Hashicorp | 1 Vault | 2025-08-12 | N/A | 6.6 MEDIUM |
| Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18. | |||||
| CVE-2025-54888 | 2025-08-11 | N/A | N/A | ||
| Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9 and 1.8.5. | |||||
| CVE-2025-5071 | 1 Meowapps | 1 Ai Engine | 2025-08-11 | N/A | 8.8 HIGH |
| The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like 'wp_create_user', 'wp_update_user' and 'wp_update_option', which can be used for privilege escalation, and 'wp_update_post', 'wp_delete_post', 'wp_update_comment' and 'wp_delete_comment', which can be used to edit and delete posts and comments. | |||||
| CVE-2025-21450 | 1 Qualcomm | 216 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 213 more | 2025-08-11 | N/A | 9.1 CRITICAL |
| Cryptographic issue occurs due to use of insecure connection method while downloading. | |||||
| CVE-2025-26526 | 1 Moodle | 1 Moodle | 2025-08-08 | N/A | 6.5 MEDIUM |
| Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities. | |||||
| CVE-2025-0765 | 1 Gitlab | 1 Gitlab | 2025-08-08 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an unauthorized user to access custom service desk email addresses. | |||||
| CVE-2025-0652 | 1 Gitlab | 1 Gitlab | 2025-08-08 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for internal use only. | |||||
| CVE-2025-8533 | 2025-08-07 | N/A | N/A | ||
| A vulnerability was identified in the XPC services of Fantastical. The services failed to implement proper client authorization checks in its listener:shouldAcceptNewConnection method, unconditionally accepting requests from any local process. As a result, any local, unprivileged process could connect to the XPC service and access its methods. This issue has been resolved in version 4.0.16. | |||||
| CVE-2025-55077 | 2025-08-07 | N/A | 7.4 HIGH | ||
| Tyler Technologies ERP Pro 9 SaaS allows an authenticated user to escape the application and execute limited operating system commands within the remote Microsoft Windows environment with the privileges of the authenticated user. Tyler Technologies deployed hardened remote Windows environment settings to all ERP Pro 9 SaaS customer environments as of 2025-08-01. | |||||
| CVE-2024-31409 | 1 Cyberpower | 1 Powerpanel | 2025-08-07 | N/A | 6.5 MEDIUM |
| Certain MQTT wildcards are not blocked on the CyberPower PowerPanel system, which might result in an attacker obtaining data from throughout the system after gaining access to any device. | |||||
| CVE-2025-26531 | 1 Moodle | 1 Moodle | 2025-08-07 | N/A | 3.1 LOW |
| Insufficient capability checks made it possible to disable badges a user does not have permission to access. | |||||