Total
4157 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-55366 | 1 Jishenghua | 1 Jsherp | 2026-06-17 | N/A | 5.3 MEDIUM |
| Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack. | |||||
| CVE-2025-55244 | 1 Microsoft | 1 Azure Ai Bot Service | 2026-06-17 | N/A | 9.0 CRITICAL |
| Azure Bot Service Elevation of Privilege Vulnerability | |||||
| CVE-2025-55240 | 1 Microsoft | 3 Visual Studio 2017, Visual Studio 2019, Visual Studio 2022 | 2026-06-17 | N/A | 7.3 HIGH |
| Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-55238 | 1 Microsoft | 1 Dynamics 365 | 2026-06-17 | N/A | 7.5 HIGH |
| Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability | |||||
| CVE-2025-55196 | | | 2026-06-17 | N/A | N/A |
| External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions. An attacker with the ability to create or update PushSecret resources and control SecretStore configurations could exploit this vulnerability to exfiltrate sensitive data from arbitrary namespaces. This could lead to full disclosure of Kubernetes secrets, including credentials, tokens, and other sensitive information stored in the cluster. This vulnerability has been patched in version 0.19.2. A workaround for this issue includes auditing and restricting RBAC permissions so that only trusted service accounts can create or update PushSecret and SecretStore resources. | |||||
| CVE-2025-55012 | | | 2026-06-17 | N/A | N/A |
| Zed is a multiplayer code editor. Prior to version 0.197.3, the Zed Agent Panel allowed an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI Agent could have exploited a permissions bypass vulnerability to create or modify a project-specific configuration file, leading to the execution of arbitrary commands on a victim's machine without the explicit approval that would otherwise be required. This vulnerability has been patched in version 0.197.3. A workaround for this issue involves either not sending prompts to the Agent Panel or limiting the AI Agent's file system access. | |||||
| CVE-2025-54970 | 1 Baesystems | 1 Socet Gxp | 2026-06-17 | N/A | 6.5 MEDIUM |
| An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Status Service fails to authenticate requests. In some configurations, this may allow remote or local users to abort jobs or read information without the permissions of the job owner. | |||||
| CVE-2025-54968 | 1 Baesystems | 1 Socet Gxp | 2026-06-17 | N/A | 8.8 HIGH |
| An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Service does not require authentication. In some configurations, this may allow remote users to submit jobs, or local users to submit jobs that will execute with the permissions of other users. | |||||
| CVE-2025-54914 | 1 Microsoft | 1 Azure Networking | 2026-06-17 | N/A | 10.0 CRITICAL |
| Azure Networking Elevation of Privilege Vulnerability | |||||
| CVE-2025-54875 | 1 Freshrss | 1 Freshrss | 2026-06-17 | N/A | 9.8 CRITICAL |
| FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration is enabled through the use of a hidden field used only in the user management admin page, new_user_is_admin. This is fixed in version 1.27.0. | |||||
| CVE-2025-54871 | 1 Electroncapture | 1 Electron Capture | 2026-06-17 | N/A | 5.5 MEDIUM |
| Electron Capture facilitates video playback for screen-sharing and capture. In versions 2.19.1 and below, the elecap app on macOS allows local unprivileged users to bypass macOS TCC privacy protections by enabling ELECTRON_RUN_AS_NODE. This environment variable allows arbitrary Node.js code to be executed via the -e flag, which runs inside the main Electron context, inheriting any previously granted TCC entitlements (such as access to Documents, Downloads, etc.). This issue is fixed in version 2.20.0. | |||||
| CVE-2025-54786 | 1 Salesagility | 1 Suitecrm | 2026-06-17 | N/A | 5.3 MEDIUM |
| SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, and related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1. | |||||
| CVE-2025-54603 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users. | |||||
| CVE-2025-54599 | 1 Bevy | 1 Events And Groups | 2026-06-17 | N/A | 7.5 HIGH |
| The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows account takeover, if SSO is used, when a victim changes the email address that they have configured. To exploit this, an attacker would create their own account and perform an SSO login. The root cause of the issue is SSO misconfiguration. | |||||
| CVE-2025-54591 | 1 Freshrss | 1 Freshrss | 2026-06-17 | N/A | 7.5 HIGH |
| FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below expose information about feeds and tags of default admin users, due to a lack of access checking in the FreshRSS_Auth::hasAccess() function used by some of the tag/feed related endpoints. FreshRSS controllers usually have a defined firstAction() method with an override to make sure that every action requires access. If a controller does not, then every action has to check for access manually, and certain endpoints use neither the firstAction() method nor a manual access check. This issue is fixed in version 1.27.0. | |||||
| CVE-2025-54563 | 1 Desktopalert | 1 Pingalert Application Server | 2026-06-17 | N/A | 7.5 HIGH |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Incorrect Access Control, leading to Remote Information Disclosure. | |||||
| CVE-2025-54561 | 1 Desktopalert | 1 Pingalert Application Server | 2026-06-17 | N/A | 4.3 MEDIUM |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote access to content despite lack of the correct permission through a Broken Authorization Schema. | |||||
| CVE-2025-54397 | 1 Netwrix | 1 Directory Manager | 2026-06-17 | N/A | 4.3 MEDIUM |
| Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 inserts Sensitive Information Into Sent Data to authenticated users. | |||||
| CVE-2025-54391 | | | 2026-06-17 | N/A | 9.1 CRITICAL |
| A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA method (either a third-party authenticator app or email-based 2FA) without presenting a valid authentication token or proving access to an already configured 2FA method. This bypasses 2FA and results in unauthorized access to accounts that are otherwise protected by 2FA. | |||||
| CVE-2025-54343 | 1 Desktopalert | 1 Pingalert Application Server | 2026-06-17 | N/A | 9.6 CRITICAL |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | |||||
