Total
212 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-57295 | 1 H3c | 2 Magic Nx15, Magic Nx15 Firmware | 2025-10-03 | N/A | 8.0 HIGH |
| H3C devices running firmware version NX15V100R015 are vulnerable to unauthorized access due to insecure default credentials. The root user account has no password set, and the H3C user account uses the default password "admin," both stored in the /etc/shadow file. Attackers with network access can exploit these credentials to gain unauthorized root-level access to the device via the administrative interface or other network services, potentially leading to privilege escalation, information disclosure, or arbitrary code execution. | |||||
| CVE-2025-36222 | 1 Ibm | 3 Storage Fusion, Storage Fusion Hci, Storage Fusion Hci For Watsonx | 2025-10-02 | N/A | 8.7 HIGH |
| IBM Fusion 2.2.0 through 2.10.1, IBM Fusion HCI 2.2.0 through 2.10.0, and IBM Fusion HCI for watsonx 2.8.2 through 2.10.0 uses insecure default configurations that could expose AMQStreams without client authentication that could allow an attacker to perform unauthorized actions. | |||||
| CVE-2025-41245 | 2025-09-29 | N/A | 4.9 MEDIUM | ||
| VMware Aria Operations contains an information disclosure vulnerability. A malicious actor with non-administrative privileges in Aria Operations may exploit this vulnerability to disclose credentials of other users of Aria Operations. | |||||
| CVE-2024-50390 | 1 Qnap | 1 Qurouter | 2025-09-24 | N/A | 9.8 CRITICAL |
| A command injection vulnerability has been reported to affect QHora. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.5.032 and later | |||||
| CVE-2025-43797 | 2025-09-16 | N/A | N/A | ||
| In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions, the default membership type of a newly created site is “Open” which allows any registered users to become a member of the site. A remote attacker with site membership can potentially view, add or edit content on the site. | |||||
| CVE-2025-41713 | 2025-09-15 | N/A | 6.5 MEDIUM | ||
| During a short time frame while the device is booting an unauthenticated remote attacker can send traffic to unauthorized networks due to the switch operating in an undefined state until a CPU-induced reset allows proper configuration. | |||||
| CVE-2025-59044 | 2025-09-11 | N/A | 4.4 MEDIUM | ||
| Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Himmelblau 0.9.x derives numeric GIDs for Entra ID groups from the group display name when himmelblau.conf `id_attr_map = name` (the default configuration). Because Microsoft Entra ID allows multiple groups with the same `displayName` (including end-user–created personal/O365 groups, depending on tenant policy), distinct directory groups can collapse to the same numeric GID on Linux. This issue only applies to Himmelblau versions 0.9.0 through 0.9.22. Any resource or service on a Himmelblau-joined host that enforces authorization by numeric GID (files/dirs, etc.) can be unintentionally accessible to a user who creates or joins a different Entra/O365 group that happens to share the same `displayName` as a privileged security group. Users should upgrade to 0.9.23, or 1.0.0 or later, to receive a patch. Group to GID mapping now uses Entra ID object IDs (GUIDs) and does not collide on same-name groups. As a workaround, use tenant policy hardening to restrict arbitrary group creation until all hosts are patched. | |||||
| CVE-2025-32330 | 1 Google | 1 Android | 2025-09-08 | N/A | 5.7 MEDIUM |
| In generateRandomPassword of LocalBluetoothLeBroadcast.java, there is a possible way to intercept the Auracast audio stream due to an insecure default value. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-48733 | 3 Canonical, Debian, Tianocore | 3 Lxd, Debian Linux, Edk2 | 2025-08-26 | N/A | 6.7 MEDIUM |
| An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure Boot. | |||||
| CVE-2025-7353 | 2025-08-15 | N/A | N/A | ||
| A security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix® Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow. | |||||
| CVE-2017-12736 | 1 Siemens | 15 Ruggedcom, Ruggedcom Ros, Ruggedcom Rsl910 and 12 more | 2025-08-12 | 5.8 MEDIUM | 8.8 HIGH |
| After initial configuration, the Ruggedcom Discovery Protocol (RCDP) is still able to write to the device under certain conditions. This could allow an attacker located in the adjacent network of the targeted device to perform unauthorized administrative actions. | |||||
| CVE-2025-44647 | 1 Trendnet | 2 Tew-wlc100p, Tew-wlc100p Firmware | 2025-08-07 | N/A | 7.3 HIGH |
| In TRENDnet TEW-WLC100P 2.03b03, the i_dont_care_about_security_and_use_aggressive_mode_psk option is enabled in the strongSwan configuration file, so that IKE Responders are allowed to use IKEv1 Aggressive Mode with Pre-Shared Keys to conduct offline attacks on the openly transmitted hash of the PSK. | |||||
| CVE-2025-27443 | 1 Zoom | 4 Meeting Software Development Kit, Rooms, Rooms Controller and 1 more | 2025-08-01 | N/A | 2.8 LOW |
| Insecure default variable initialization in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a loss of integrity via local access. | |||||
| CVE-2025-54127 | 1 Psu | 1 Haxcms-nodejs | 2025-07-30 | N/A | 9.8 CRITICAL |
| HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks. If a user were to deploy haxcms-nodejs without modifying the default settings, ‘HAXCMS_DISABLE_JWT_CHECKS‘ would be set to ‘true‘ and their deployment would lack session authentication. This is fixed in version 11.0.7. | |||||
| CVE-2025-22248 | 1 Broadcom | 2 Bitnami, Bitnami\/pgpool | 2025-07-18 | N/A | 7.5 HIGH |
| The bitnami/pgpool Docker image, and the bitnami/postgres-ha k8s chart, under default configurations, comes with an 'repmgr' user that allows unauthenticated access to the database inside the cluster. The PGPOOL_SR_CHECK_USER is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at trust level. This allows to log into a PostgreSQL database using the repgmr user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the bitnami/postgres-ha Kubernetes Helm chart. | |||||
| CVE-2025-27809 | 1 Arm | 1 Mbed Tls | 2025-07-17 | N/A | 5.4 MEDIUM |
| Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname. | |||||
| CVE-2025-29985 | 1 Dell | 1 Common Event Enabler | 2025-07-15 | N/A | 6.5 MEDIUM |
| Dell Common Event Enabler, version(s) CEE 9.0.0.0, contain(s) an Initialization of a Resource with an Insecure Default vulnerability in the Common Anti-Virus Agent (CAVA). An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | |||||
| CVE-2025-25271 | 1 Phoenixcontact | 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more | 2025-07-11 | N/A | 8.8 HIGH |
| An unauthenticated adjacent attacker is able to configure a new OCPP backend, due to insecure defaults for the configuration interface. | |||||
| CVE-2025-53602 | 2025-07-08 | N/A | 5.3 MEDIUM | ||
| Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927. | |||||
| CVE-2025-41672 | 2025-07-08 | N/A | 10.0 CRITICAL | ||
| A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices. | |||||