Total
76 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-29991 | 2026-06-17 | N/A | 2.2 LOW | ||
| Yubico YubiKey 5.4.1 through 5.7.3 before 5.7.4 has an incorrect FIDO CTAP PIN/UV Auth Protocol Two implementation. It uses the signature length from CTAP PIN/UV Auth Protocol One, even when CTAP PIN/UV Auth Protocol Two was chosen, resulting in a partial signature verification. | |||||
| CVE-2025-27740 | 1 Microsoft | 7 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 4 more | 2026-06-17 | N/A | 8.8 HIGH |
| Weak authentication in Windows Active Directory Certificate Services allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2025-26635 | 1 Microsoft | 8 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 5 more | 2026-06-17 | N/A | 6.5 MEDIUM |
| Weak authentication in Windows Hello allows an authorized attacker to bypass a security feature over a network. | |||||
| CVE-2025-26343 | 1 Q-free | 1 Maxtime | 2026-06-17 | N/A | 8.1 HIGH |
| A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests. | |||||
| CVE-2025-24070 | 1 Microsoft | 2 Asp.net Core, Visual Studio 2022 | 2026-06-17 | N/A | 7.0 HIGH |
| Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2025-23058 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2026-06-17 | N/A | 8.8 HIGH |
| A vulnerability in the ClearPass Policy Manager web-based management interface allows a low-privileged (read-only) authenticated remote attacker to gain unauthorized access to data and the ability to execute functions that should be restricted to administrators only with read/write privileges. Successful exploitation could enable a low-privileged user to execute administrative functions leading to an escalation of privileges. | |||||
| CVE-2025-21552 | 1 Oracle | 1 Jd Edwards Enterpriseone Orchestrator | 2026-06-17 | N/A | 6.5 MEDIUM |
| Vulnerability in the JD Edwards EnterpriseOne Orchestrator product of Oracle JD Edwards (component: E1 IOT Orchestrator Security). Supported versions that are affected are Prior to 9.2.9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Orchestrator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Orchestrator accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2025-1727 | 2026-06-17 | N/A | 8.1 HIGH | ||
| The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation. It is possible to create these EoT and HoT packets with a software defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems. | |||||
| CVE-2025-1387 | 1 Learningdigital | 1 Orca Hcm | 2026-06-17 | N/A | 9.8 CRITICAL |
| Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user. | |||||
| CVE-2025-1293 | 1 Hashicorp | 1 Hermes | 2026-06-17 | N/A | 8.2 HIGH |
| Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0. | |||||
| CVE-2025-15595 | 1 Jrsoftware | 1 Inno Setup | 2026-06-17 | N/A | 7.8 HIGH |
| Privilege escalation via dll hijacking in Inno Setup 6.2.1 and ealier versions. | |||||
| CVE-2025-12871 | 1 Aenrich | 1 A\+hrd | 2026-06-17 | N/A | 9.8 CRITICAL |
| The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to craft administrator access tokens and use them to access the system with elevated privileges. | |||||
| CVE-2025-12870 | 1 Aenrich | 1 A\+hrd | 2026-06-17 | N/A | 9.8 CRITICAL |
| The a+HRD developed by aEnrich has an Authentication Abuse vulnerability, allowing unauthenticated remote attackers to send crafted packets to obtain administrator access tokens and use them to access the system with elevated privileges. | |||||
| CVE-2025-11084 | 2026-06-17 | N/A | N/A | ||
| A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the users password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period. | |||||
| CVE-2025-0605 | 1 Gitlab | 1 Gitlab | 2026-06-17 | N/A | 4.6 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements. | |||||
| CVE-2024-8322 | 1 Ivanti | 1 Endpoint Manager | 2026-06-17 | N/A | 4.3 MEDIUM |
| Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality. | |||||
| CVE-2024-6580 | 1 Nsoftware | 1 Ipworks Ssh | 2026-06-17 | N/A | 6.5 MEDIUM |
| The /n software IPWorks SSH library SFTPServer component can be induced to make unintended filesystem or network path requests when loading a SSH public key or certificate. To be exploitable, an application calling the SFTPServer component must grant user access without verifying the SSH public key or certificate (which would most likely be a separate vulnerability in the calling application). IPWorks SSH versions 22.0.8945 and 24.0.8945 were released to address this condition by blocking all filesystem and network path requests for SSH public keys or certificates. | |||||
| CVE-2024-5891 | 1 Redhat | 1 Quay | 2026-06-17 | N/A | 4.2 MEDIUM |
| A vulnerability was found in Quay. If an attacker can obtain the client ID for an application, they can use an OAuth token to authenticate despite not having access to the organization from which the application was created. This issue is limited to authentication and not authorization. However, in configurations where endpoints rely only on authentication, a user may authenticate to applications they otherwise have no access to. | |||||
| CVE-2024-54092 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 (All versions), Industrial Edge Device Kit - arm64 V1.18 (All versions), Industrial Edge Device Kit - arm64 V1.19 (All versions), Industrial Edge Device Kit - arm64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - arm64 V1.21 (All versions < V1.21.1-1), Industrial Edge Device Kit - x86-64 V1.17 (All versions), Industrial Edge Device Kit - x86-64 V1.18 (All versions), Industrial Edge Device Kit - x86-64 V1.19 (All versions), Industrial Edge Device Kit - x86-64 V1.20 (All versions < V1.20.2-1), Industrial Edge Device Kit - x86-64 V1.21 (All versions < V1.21.1-1), Industrial Edge Own Device (IEOD) (All versions < V1.21.1-1-a), Industrial Edge Virtual Device (All versions < V1.21.1-1-a), SCALANCE LPE9413 (6GK5998-3GS01-2AC2) (All versions < V2.1), SIMATIC IPC BX-39A Industrial Edge Device (All versions < V3.0), SIMATIC IPC BX-59A Industrial Edge Device (All versions < V3.0), SIMATIC IPC127E Industrial Edge Device (All versions < V3.0), SIMATIC IPC227E Industrial Edge Device (All versions < V3.0), SIMATIC IPC427E Industrial Edge Device (All versions < V3.0), SIMATIC IPC847E Industrial Edge Device (All versions < V3.0). Affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that identity federation is currently or has previously been used and the attacker has learned the identity of a legitimate user. | |||||
| CVE-2024-52541 | 1 Dell | 784 Alienware M15 R6, Alienware M15 R6 Firmware, Alienware M15 R7 and 781 more | 2026-06-17 | N/A | 8.2 HIGH |
| Dell Client Platform BIOS contains a Weak Authentication vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | |||||