Total
2132 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-56114 | 1 Henkel | 1 Canlineapp | 2025-07-16 | N/A | 6.5 MEDIUM |
| Canlineapp Online 1.1 is vulnerable to Broken Access Control and allows users with the Auditor role to create an audit template as a result of improper authorization checks. This feature is designated for supervisor role, but auditors have been able to successfully create audit templates from their account. | |||||
| CVE-2025-53836 | 2025-07-15 | N/A | 9.9 CRITICAL | ||
| XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled. | |||||
| CVE-2025-53895 | 2025-07-15 | N/A | N/A | ||
| ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue. | |||||
| CVE-2025-43564 | 1 Adobe | 1 Coldfusion | 2025-07-15 | N/A | 9.1 CRITICAL |
| ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. A high-privileged attacker could leverage this vulnerability to access or modify sensitive data without proper authorization. Exploitation of this issue does not require user interaction, and scope is changed | |||||
| CVE-2025-26330 | 1 Dell | 1 Powerscale Onefs | 2025-07-15 | N/A | 7.0 HIGH |
| Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an incorrect authorization vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability to access the cluster with previous privileges of a disabled user account. | |||||
| CVE-2025-6549 | 2025-07-15 | N/A | 6.5 MEDIUM | ||
| An Incorrect Authorization vulnerability in the web server of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to reach the Juniper Web Device Manager (J-Web). When Juniper Secure connect (JSC) is enabled on specific interfaces, or multiple interfaces are configured for J-Web, the J-Web UI is reachable over more than the intended interfaces. This issue affects Junos OS: * all versions before 21.4R3-S9, * 22.2 versions before 22.2R3-S5, * 22.4 versions before 22.4R3-S5, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2. | |||||
| CVE-2025-20999 | 1 Samsung | 1 Android | 2025-07-14 | N/A | 4.1 MEDIUM |
| Improper authorization in accessing saved Wi-Fi password for Galaxy Tablet prior to SMR Jul-2025 Release 1 allows secondary users to access owner's saved Wi-Fi password. | |||||
| CVE-2025-27427 | 1 Apache | 1 Activemq Artemis | 2025-07-14 | N/A | 4.3 MEDIUM |
| A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. When combined with the send permission and automatic queue creation a user could successfully send a message with a routing-type not supported by the address when that message should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address. This issue affects Apache ActiveMQ Artemis from 2.0.0 through 2.39.0. Users are recommended to upgrade to version 2.40.0 which fixes the issue. | |||||
| CVE-2024-10109 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-11 | N/A | 8.3 HIGH |
| A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and base path, leading to potential API key leakage and denial of service on chats. | |||||
| CVE-2024-8116 | 1 Gitlab | 1 Gitlab | 2025-07-11 | N/A | 5.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names. | |||||
| CVE-2024-8650 | 1 Gitlab | 1 Gitlab | 2025-07-11 | N/A | 5.3 MEDIUM |
| An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests. | |||||
| CVE-2024-10043 | 1 Gitlab | 1 Gitlab | 2025-07-11 | N/A | 3.1 LOW |
| An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4 all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident title through the Wiki History Diff feature, potentially leading to information disclosure. | |||||
| CVE-2025-49536 | 1 Adobe | 1 Coldfusion | 2025-07-11 | N/A | 7.3 HIGH |
| ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses. | |||||
| CVE-2025-48473 | 1 Freescout | 1 Freescout | 2025-07-11 | N/A | 4.3 MEDIUM |
| FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other mailboxes or from other conversations to which they do not have access (access restriction to conversations is implemented by the show_only_assigned_conversations setting, which is also not checked). This issue has been patched in version 1.8.179. | |||||
| CVE-2025-36578 | 1 Dell | 1 Wyse Management Suite | 2025-07-11 | N/A | 6.8 MEDIUM |
| Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Incorrect Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | |||||
| CVE-2025-52918 | 2025-07-10 | N/A | 5.0 MEDIUM | ||
| Yealink RPS before 2025-05-26 does not prevent OpenAPI access by frozen enterprise accounts, allowing unauthorized access to deactivated interfaces. | |||||
| CVE-2024-29821 | 1 Ivanti | 1 Desktop \& Server Management | 2025-07-10 | N/A | 7.8 HIGH |
| Ivanti DSM < version 2024.2 allows authenticated users on the local machine to run code with elevated privileges due to insecure ACL via unspecified attack vector. | |||||
| CVE-2024-29213 | 1 Ivanti | 1 Desktop \& Server Management | 2025-07-10 | N/A | 7.8 HIGH |
| Ivanti DSM < version 2024.2 allows authenticated users on the local machine to run code with elevated privileges due to insecure ACL via unspecified attack vector. | |||||
| CVE-2025-6702 | 1 Linlinjava | 1 Litemall | 2025-07-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in linlinjava litemall 1.8.0. Affected is an unknown function of the file /wx/comment/post. The manipulation of the argument adminComment leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3880 | 1 Opinionstage | 1 Poll\, Survey \& Quiz Maker | 2025-07-09 | N/A | 4.3 MEDIUM |
| The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected. | |||||