Export limit exceeded: 10603 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10603 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-7475 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary-ai\/lunary | 2025-10-21 | 9.1 Critical |
| An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user information. Appropriate access controls should be implemented to ensure that the SAML configuration can only be updated by authorized users. | ||||
| CVE-2025-8886 | 1 Usta | 1 Aybs | 2025-10-21 | 6.7 Medium |
| Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privilege Abuse, Authentication Bypass.This issue affects Aybs Interaktif: from 2024 through 28082025. | ||||
| CVE-2025-8887 | 1 Usta | 1 Aybs | 2025-10-21 | 6.1 Medium |
| Authorization Bypass Through User-Controlled Key, Missing Authorization, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Forceful Browsing, Parameter Injection, Input Data Manipulation.This issue affects Aybs Interaktif: from 2024 through 28082025. | ||||
| CVE-2025-42939 | 1 Sap | 2 S/4hana, S4hana | 2025-10-21 | 4.3 Medium |
| SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule conditions that should be restricted, compromising the integrity of the application without affecting its confidentiality or availability. | ||||
| CVE-2025-33182 | 1 Nvidia | 6 Jetson Agx Xavier, Jetson Linux, Jetson Tk1 and 3 more | 2025-10-21 | 7.6 High |
| NVIDIA Jetson Linux contains a vulnerability in UEFI, where improper authentication may allow a privileged user to cause corruption of the Linux Device Tree. A successful exploitation of this vulnerability might lead to data tampering, denial of service. | ||||
| CVE-2025-11340 | 1 Gitlab | 1 Gitlab | 2025-10-20 | 7.7 High |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations. | ||||
| CVE-2022-20360 | 1 Google | 1 Android | 2025-10-20 | 6.2 Medium |
| In setChecked of SecureNfcPreferenceController.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-228314987 | ||||
| CVE-2022-0363 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 4.3 Medium |
| The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts. | ||||
| CVE-2022-0287 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 4.3 Medium |
| The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog | ||||
| CVE-2022-1092 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 4.3 Medium |
| The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog | ||||
| CVE-2025-1214 | 1 Pihome | 1 Maxair | 2025-10-17 | 6.3 Medium |
| A vulnerability classified as critical has been found in pihome-shc PiHome 2.0. This affects an unknown part of the file /user_accounts.php?uid of the component Role-Based Access Control. The manipulation leads to missing authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2042 | 1 Huang-yk | 1 Student-manage | 2025-10-15 | 4.3 Medium |
| A vulnerability has been found in huang-yk student-manage 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3843 | 1 Panhainan | 1 Ds-java | 2025-10-15 | 4.3 Medium |
| A vulnerability was found in panhainan DS-Java 1.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-46544 | 1 Sherparpa | 1 Sherpa Orchestrator | 2025-10-15 | 6.4 Medium |
| In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles. | ||||
| CVE-2024-6592 | 1 Watchguard | 2 Authentication Gateway, Single Sign-on Client | 2025-10-15 | 9.1 Critical |
| Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on Windows and MacOS allows Authentication Bypass.This issue affects the Authentication Gateway: through 12.10.2; Windows Single Sign-On Client: through 12.7; MacOS Single Sign-On Client: through 12.5.4. | ||||
| CVE-2024-45260 | 1 Gl-inet | 62 A1300, A1300 Firmware, Ar300m and 59 more | 2025-10-15 | 8 High |
| An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Users who belong to unauthorized groups can invoke any interface of the device, thereby gaining complete control over it. | ||||
| CVE-2024-45261 | 1 Gl-inet | 62 A1300, A1300 Firmware, Ar300m and 59 more | 2025-10-15 | 8 High |
| An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The SID generated for a specific user is not tied to that user itself, which allows other users to potentially use it for authentication. Once an attacker bypasses the application's authentication procedures, they can generate a valid SID, escalate privileges, and gain full control. | ||||
| CVE-2025-21691 | 1 Linux | 1 Linux Kernel | 2025-10-15 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: cachestat: fix page cache statistics permission checking When the 'cachestat()' system call was added in commit cf264e1329fb ("cachestat: implement cachestat syscall"), it was meant to be a much more convenient (and performant) version of mincore() that didn't need mapping things into the user virtual address space in order to work. But it ended up missing the "check for writability or ownership" fix for mincore(), done in commit 134fca9063ad ("mm/mincore.c: make mincore() more conservative"). This just adds equivalent logic to 'cachestat()', modified for the file context (rather than vma). | ||||
| CVE-2025-1792 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-15 | 3.1 Low |
| Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint. | ||||
| CVE-2025-3808 | 1 Zhenfeng13 | 1 My-bbs | 2025-10-15 | 4.3 Medium |
| A vulnerability has been found in zhenfeng13 My-BBS 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints might be affected. | ||||