Total: 4157 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-58726 | 1 Microsoft | 16 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 13 more | 2026-06-17 | N/A | 7.5 HIGH | Improper access control in Windows SMB Server allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-58724 | 1 Microsoft | 1 Azure Connected Machine Agent | 2026-06-17 | N/A | 7.8 HIGH | Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. |
| CVE-2025-58714 | 1 Microsoft | 16 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 13 more | 2026-06-17 | N/A | 7.8 HIGH | Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2025-58459 | 1 Jenkins | 1 Global Build Stats | 2026-06-17 | N/A | 4.3 MEDIUM | Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs. |
| CVE-2025-58337 | 1 Apache | 1 Doris Mcp Server | 2026-06-17 | N/A | 5.4 MEDIUM | An attacker with a valid read-only account can bypass Doris MCP Server's read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions. Impact: bypasses read-only mode; attackers with read-only access may perform unauthorized modifications. Recommended action for operators: upgrade to version 0.6.0 as soon as possible (this release contains the fix). |
| CVE-2025-58055 | 1 Discourse | 1 Discourse | 2026-06-17 | N/A | 4.3 MEDIUM | Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic "Title", "Category", and "Tags" allowed authenticated users to extract information about topics that they weren't authorized to access. By modifying the "topic_id" value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model's responses then disclosed information that the authenticated user couldn't normally access. This issue is fixed in version 3.5.1. To work around this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings. |
| CVE-2025-57758 | 1 Contao | 1 Contao | 2026-06-17 | N/A | 4.3 MEDIUM | Contao is an open-source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, the table access voter in the back end doesn't check if a user is allowed to access the corresponding module. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not relying solely on the voter and additionally checking USER_CAN_ACCESS_MODULE. |
| CVE-2025-57567 | | | 2026-06-17 | N/A | 9.1 CRITICAL | A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands. |
| CVE-2025-57489 | 1 Shirt-pocket | 1 Superduper! | 2026-06-17 | N/A | 8.1 HIGH | Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary. |
| CVE-2025-57438 | 1 2wcom | 2 Ip-4c, Ip-4c Firmware | 2026-06-17 | N/A | 6.8 MEDIUM | The 2wcom IP-4c 2.15.5 device suffers from a Broken Access Control vulnerability. Certain sensitive endpoints are intended to be accessible only after the admin explicitly grants access to a manager-level account. However, a manager-level user can bypass these controls by intercepting and modifying requests. |
| CVE-2025-57428 | | | 2026-06-17 | N/A | 6.5 MEDIUM | Default credentials in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allow attackers to gain access to the debug shell exposed via Telnet on port 23 and execute hardware-level flash and register manipulation commands. |
| CVE-2025-57266 | | | 2026-06-17 | N/A | 9.8 CRITICAL | An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 through 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API keys via the /api/assistant/list endpoint. |
| CVE-2025-57247 | | | 2026-06-17 | N/A | 9.1 CRITICAL | The BATBToken smart contract (address 0xfbf1388408670c02f0dbbb74251d8ded1d63b7a2, Compiler Version v0.8.26+commit.8a97fa7a) contains an incorrect access control implementation in whitelist management functions. The setColdWhiteList() and setSpecialAddress() functions in the base ERC20 contract are declared as public without proper access control modifiers, allowing any user to bypass transfer restrictions and manipulate special address settings. This enables unauthorized users to circumvent cold time transfer restrictions and potentially disrupt dividend distribution mechanisms, leading to privilege escalation and violation of the contract's intended tokenomics. |
| CVE-2025-57219 | 1 Tenda | 2 Ac10, Ac10 Firmware | 2026-06-17 | N/A | 5.3 MEDIUM | Incorrect access control in the endpoint /goform/ate of Tenda AC10 v4.0 firmware v16.03.10.09_multi_TDE01 allows attackers to escalate privileges or access sensitive components via a crafted request. |
| CVE-2025-57213 | 1 Fuyang Lipengjun | 1 Platform | 2026-06-17 | N/A | 7.5 HIGH | Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request. |
| CVE-2025-57212 | 1 Fuyang Lipengjun | 1 Platform | 2026-06-17 | N/A | 7.5 HIGH | Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request. |
| CVE-2025-57210 | 1 Fuyang Lipengjun | 1 Platform | 2026-06-17 | N/A | 7.5 HIGH | Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors. |
| CVE-2025-57197 | | | 2026-06-17 | N/A | 6.0 MEDIUM | In the Payeer Android application 2.5.0, an improper access control vulnerability exists in the authentication flow for the PIN change feature. A local attacker with root access to the device can dynamically instrument the app to bypass the current PIN verification check and directly modify the authentication PIN. This allows unauthorized users to change the PIN without knowing the original/current PIN. |
| CVE-2025-57130 | 1 Zwiicms | 1 Zwiicms | 2026-06-17 | N/A | 8.3 HIGH | An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges. By sending a specially crafted HTTP request, a low-privilege user can access and modify the profile data of any other user, including administrators. |
| CVE-2025-56499 | 1 Metacubex | 1 Mihomo | 2026-06-17 | N/A | 6.5 MEDIUM | Incorrect access control in mihomo v1.19.11 allows authenticated attackers with low-level privileges to read arbitrary files with elevated privileges via obtaining the external control key from the config file. |
