Total: 3056 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-37140 | | | 2025-10-14 | N/A | 4.9 MEDIUM |
| Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits. | | | | | |
| CVE-2025-37137 | | | 2025-10-14 | N/A | 6.5 MEDIUM |
| Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | | | | | |
| CVE-2025-37136 | | | 2025-10-14 | N/A | 6.5 MEDIUM |
| Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | | | | | |
| CVE-2025-37135 | | | 2025-10-14 | N/A | 6.5 MEDIUM |
| Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | | | | | |
| CVE-2025-48707 | 1 Stormshield | 1 Stormshield Network Security | 2025-10-14 | N/A | 7.5 HIGH |
| An issue was discovered in Stormshield Network Security (SNS) before 5.0.1. TPM authentication information could, in some HA use cases, be shared among administrators, which can cause secret sharing. | | | | | |
| CVE-2025-10398 | 1 Fcba Zzm | 1 Smart Park Management System | 2025-10-14 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in fcba_zzm ics-park Smart Park Management System 2.0. This vulnerability affects unknown code of the file FileUploadUtils.java. The manipulation of the argument File results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | | | | | |
| CVE-2025-62159 | | | 2025-10-14 | N/A | N/A |
| External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously retrieved Kubernetes secrets directly, without validating the namespace context or the type of secret store. This allowed unauthorized cross-namespace secret access, violating security boundaries and potentially exposing sensitive credentials. In version 0.20.0, the provider code was updated to use the `resolvers.SecretKeyRef` utility, which enforces namespace validation and only allows cross-namespace access for `ClusterSecretStore` types. This ensures secrets are only retrieved from the correct namespace, mitigating the risk of unauthorized access. All users should upgrade to the latest version containing this fix. As a workaround, use a policy engine such as Kyverno or OPA to prevent use of the BeyondTrust provider and/or validate the `(Cluster)SecretStore` and ensure the namespace may only be set when using a `ClusterSecretStore`. | | | | | |
| CVE-2025-11655 | | | 2025-10-14 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security flaw has been discovered in Total.js Flow up to 673ef9144dd25d4f4fd4fdfda5af27f230198924. The impacted element is an unknown function of the component SVG File Handler. Performing manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | | | | | |
| CVE-2025-0033 | | | 2025-10-14 | N/A | 6.0 MEDIUM |
| Improper access control within AMD SEV-SNP could allow an admin-privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity. | | | | | |
| CVE-2025-58726 | | | 2025-10-14 | N/A | 7.5 HIGH |
| Improper access control in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | | | | | |
| CVE-2025-54603 | | | 2025-10-14 | N/A | 6.5 MEDIUM |
| An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users. | | | | | |
| CVE-2025-37143 | | | 2025-10-14 | N/A | 4.9 MEDIUM |
| An arbitrary file download vulnerability exists in the web-based management interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits. | | | | | |
| CVE-2025-11354 | 1 Fabian | 1 Online Hotel Reservation System | 2025-10-14 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in code-projects Online Hotel Reservation System 1.0. Affected is an unknown function of the file /admin/addslideexec.php. Manipulation of the argument image can lead to unrestricted upload. The attack may be performed remotely. The exploit has been published and may be used. | | | | | |
| CVE-2024-28805 | 1 Italtel | 1 I-mcs Nfv | 2025-10-14 | N/A | 9.1 CRITICAL |
| An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. There is Incorrect Access Control. | | | | | |
| CVE-2024-25653 | 1 Delinea | 1 Secret Server | 2025-10-14 | N/A | 4.3 MEDIUM |
| Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI. | | | | | |
| CVE-2025-23367 | 1 Redhat | 2 Jboss Enterprise Application Platform, Wildfly | 2025-10-14 | N/A | 6.5 MEDIUM |
| A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action. | | | | | |
| CVE-2025-11347 | 1 Code-projects | 1 Crud Operation System | 2025-10-14 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in code-projects Student Crud Operation up to 3.3. This vulnerability affects the function move_uploaded_file of the file add.php of the component Add Student Page/Edit Student Page. Performing manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit has been made public and could be used. | | | | | |
| CVE-2025-11508 | 1 Fabian | 1 Voting System | 2025-10-14 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security vulnerability has been detected in code-projects Voting System 1.0. This affects an unknown function of the file /admin/voters_add.php. Manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | | | | | |
| CVE-2025-59422 | 1 Langgenius | 1 Dify | 2025-10-14 | N/A | 3.1 LOW |
| Dify is an open-source LLM app development platform. In version 1.8.1, a broken access control vulnerability on the /console/api/apps/<APP_ID>chat-messages?conversation_id=<CONVERSATION_ID>&limit=10 endpoint allows users in the same workspace to read chat messages of other users. A regular user is able to read the query data and the filename of the admins' and probably other users' chats, if they know the conversation_id. This impacts the confidentiality of chats. This issue has been patched in version 1.9.0. | | | | | |
| CVE-2025-57438 | 1 2wcom | 2 Ip-4c, Ip-4c Firmware | 2025-10-10 | N/A | 6.8 MEDIUM |
| The 2wcom IP-4c 2.15.5 device suffers from a Broken Access Control vulnerability. Certain sensitive endpoints are intended to be accessible only after the admin explicitly grants access to a manager-level account. However, a manager-level user can bypass these controls by intercepting and modifying requests. | | | | | |
