Total: 4157 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-45608 | 1 Zykzhangyukang | 1 Xinguan | 2026-06-17 | N/A | 7.5 HIGH |
| Incorrect access control in the /system/user/findUserList API of Xinguan v0.0.1-SNAPSHOT allows attackers to access sensitive information via a crafted payload. | |||||
| CVE-2025-45584 | 1 Audi | 2 Universal Traffic Recorder, Universal Traffic Recorder Firmware | 2026-06-17 | N/A | 7.5 HIGH |
| Incorrect access control in the web service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to download car information without authentication. | |||||
| CVE-2025-45424 | 1 Xinference | 1 Xinference | 2026-06-17 | N/A | 5.3 MEDIUM |
| Incorrect access control in Xinference before v1.4.0 allows attackers to access the Web GUI without authentication. | |||||
| CVE-2025-45343 | 1 Tenda | 2 W18e, W18e Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| An issue in Tenda W18E v2.0 (firmware v16.01.0.11) allows an attacker to execute arbitrary code via the editing functionality of the account module in the goform/setmodules route. | |||||
| CVE-2025-45237 | 1 Dbsyncer Project | 1 Dbsyncer | 2026-06-17 | N/A | 7.5 HIGH |
| Incorrect access control in the component /config/download of DBSyncer v2.0.6 allows attackers to access the JSON file containing sensitive account information, including the encrypted password. | |||||
| CVE-2025-45157 | 1 Splashin | 1 Splashin | 2026-06-17 | N/A | 6.5 MEDIUM |
| Insecure permissions in Splashin iOS v2.0 allow unauthorized attackers to access location data for specific users. | |||||
| CVE-2025-45095 | | | 2026-06-17 | N/A | 7.3 HIGH |
| Lavasoft Web Companion (also known as Ad-Aware WebCompanion) versions 8.9.0.1091 through 12.1.3.1037 installs the DCIService.exe service with an unquoted service path. An attacker with write access to a directory along that path could execute arbitrary code with the service's elevated privileges by placing a malicious executable where the unquoted path is resolved first. | |||||
| CVE-2025-45083 | | | 2026-06-17 | N/A | 6.1 MEDIUM |
| Incorrect access control in Ullu (Android version v2.9.929 and iOS version v2.8.0) allows attackers to bypass the parental PIN feature via unspecified vectors. | |||||
| CVE-2025-45081 | | | 2026-06-17 | N/A | 8.8 HIGH |
| Misconfigured settings in IITB SSO v1.1.0 allow attackers to access sensitive application data. | |||||
| CVE-2025-44657 | 1 Linksys | 2 Ea6350, Ea6350 Firmware | 2026-06-17 | N/A | 3.9 LOW |
| In Linksys EA6350 V2.1.2, the chroot_local_user option is enabled in the dynamically generated vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks. | |||||
| CVE-2025-44654 | 1 Linksys | 2 E2500, E2500 Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| In Linksys E2500 3.0.04.002, the chroot_local_user option is enabled in the vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks. | |||||
| CVE-2025-44619 | 1 Tinxy | 2 Wifi Lock Controller V1 Rf, Wifi Lock Controller V1 Rf Firmware | 2026-06-17 | N/A | 9.1 CRITICAL |
| Tinxy WiFi Lock Controller v1 RF was discovered to be configured to transmit on an open Wi-Fi network, allowing attackers to join the network without authentication. | |||||
| CVE-2025-44526 | 1 Realtek | 2 Rtl8762e Software Development Kit, Rtl8762ekf-evb | 2026-06-17 | N/A | 6.5 MEDIUM |
| Realtek RTL8762EKF-EVB RTL8762E SDK V1.4.0 was discovered to utilize insufficient permission checks on critical fields within Bluetooth Low Energy (BLE) data packets. This issue allows attackers to cause a Denial of Service (DoS) via a crafted LL_Length_Req packet. | |||||
| CVE-2025-44525 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| Texas Instruments CC2652RB LaunchPad SimpleLink CC13XX CC26XX SDK 7.41.00.17 was discovered to utilize insufficient permission checks on critical fields within Bluetooth Low Energy (BLE) data packets. This issue allows attackers to cause a Denial of Service (DoS) via a crafted LL_Length_Req packet. | |||||
| CVE-2025-44178 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| DASAN GPON ONU H660WM H660WMR210825 is susceptible to improper access control under its default settings. Attackers can exploit this vulnerability to gain unauthorized access to sensitive information and modify the device configuration via UPnP on the WAN side without any authentication. | |||||
| CVE-2025-43980 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| An issue was discovered on FIRSTNUM JC21A-04 devices through 2.01ME/FN. They enable the SSH service by default with the credentials root/admin, and the GUI offers no way to disable the account. | |||||
| CVE-2025-43947 | 1 Codemers | 1 Klims | 2026-06-17 | N/A | 7.3 HIGH |
| Codemers KLIMS 1.6.DEV lacks a proper access control mechanism, allowing a normal KLIMS user to perform all the actions that an admin can perform, such as modifying the configuration, creating a user, uploading files, etc. | |||||
| CVE-2025-43862 | 1 Langgenius | 1 Dify | 2026-06-17 | N/A | 7.6 HIGH |
| Dify is an open-source LLM app development platform. Prior to version 0.6.12, a normal user is able to access and modify app orchestration, even though the web UI for app orchestration is not presented to a normal user. This access control flaw allows non-admin users to make unauthorized access and changes to apps. This issue has been patched in version 0.6.12. A workaround involves updating the access control mechanisms to enforce stricter user role permissions and implementing role-based access control (RBAC) so that only users with admin privileges can access app orchestration. | |||||
| CVE-2025-43712 | | | 2026-06-17 | N/A | 2.9 LOW |
| JHipster before v8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is escalated to admin level, giving access to all admin-related functionality in the application. NOTE: this is disputed by the Supplier because there is no privilege escalation in the context of the JHipster backend (the report only demonstrates that, after using JHipster to generate an application, one can make a non-functional admin screen visible in the front end of that application). | |||||
| CVE-2025-43586 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2026-06-17 | N/A | 8.1 HIGH |
| Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized elevated access. Exploitation of this issue does not require user interaction. | |||||
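
The unquoted service path entry (CVE-2025-45095) turns on one Windows behaviour: when a service's ImagePath is not quoted and contains spaces, CreateProcess tries each space-delimited prefix as an executable before reaching the real file. The following is an added example, not code from Lavasoft or from the CVE record; the service paths in it are constructed, and the real install location of DCIService.exe is not stated on this page. It flags unquoted paths and lists the exact files an attacker would need to plant, in the order Windows tries them.

```python
"""Audit Windows service ImagePath values for unquoted-path hijack candidates.

Added example; sample paths are constructed and do not describe any real install.
"""
import re

# Constructed sample entries: (service name, ImagePath as stored in the registry).
SAMPLE_SERVICES = [
    ("DCIService", r"C:\Program Files\Vendor Name\Web Companion\DCIService.exe"),
    ("ArgSvc", r"C:\Program Files\Other\agent.exe --service"),
    ("QuotedSvc", r'"C:\Program Files\Vendor Name\Web Companion\Good.exe" -run'),
    ("NoSpaces", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

# Path portion ends at the first ".exe"; anything after whitespace is arguments.
_EXE_RE = re.compile(r"(?i)^(.*?\.exe)(\s.*)?$")


def _exe_path(image_path: str) -> str:
    """Strip arguments so only the executable path is examined."""
    m = _EXE_RE.match(image_path.strip())
    return m.group(1) if m else image_path.strip()


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the executable path is unquoted and contains a space,
    the condition under which CreateProcess tries shorter prefixes first."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    return " " in _exe_path(p)


def hijack_candidates(image_path: str) -> list:
    """Files Windows would try before the real executable, in order.

    Each space splits the path: the prefix before it is tried as a program,
    with ".exe" appended when that prefix has no extension.
    """
    exe_path = _exe_path(image_path)
    candidates = []
    idx = exe_path.find(" ")
    while idx != -1:
        prefix = exe_path[:idx]
        last_component = prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if "." in last_component else prefix + ".exe")
        idx = exe_path.find(" ", idx + 1)
    return candidates


def audit(services) -> dict:
    """Map each vulnerable service name to the files that must be protected."""
    return {
        name: hijack_candidates(path)
        for name, path in services
        if is_unquoted_with_spaces(path)
    }


if __name__ == "__main__":
    for name, files in audit(SAMPLE_SERVICES).items():
        print(name)
        for f in files:
            print("   ", f)
```

On a live host the same logic applies to the output of `sc qc <service>` or the `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services`; the fix is to quote the path, and the check afterwards is that no listed candidate directory is writable by unprivileged users.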
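
The two BLE entries (CVE-2025-44526 and CVE-2025-44525) describe the same class of problem: an LL_LENGTH_REQ control PDU whose fields are used without range checks. The example below is added here and is not Realtek's or Texas Instruments' code, nor the actual trigger used against either SDK, which the page does not give. It parses the PDU layout from the Bluetooth Core Specification (opcode 0x14, then MaxRxOctets, MaxRxTime, MaxTxOctets, MaxTxTime as little-endian 16-bit values) and shows the range check a receiving link layer should apply before the values reach buffer sizing, next to an unchecked variant that accepts whatever the peer sends. The sample PDUs and the local limits are constructed.

```python
"""Range-check LL_LENGTH_REQ fields before using them for buffer sizing.

Added example; sample PDUs and LOCAL_LIMITS are constructed.
"""
import struct

LL_LENGTH_REQ = 0x14  # LL control PDU opcodes, Core Spec Vol 6 Part B
LL_LENGTH_RSP = 0x15
OCTETS_RANGE = (27, 251)       # valid connMaxRxOctets / connMaxTxOctets
TIME_RANGE_US = (328, 17040)   # valid connMaxRxTime / connMaxTxTime (microseconds)

# What this device itself supports (constructed).
LOCAL_LIMITS = {"rx_octets": 251, "rx_time": 2120, "tx_octets": 251, "tx_time": 2120}

# Constructed PDUs: opcode followed by four little-endian uint16 fields.
SAMPLE_VALID_PDU = bytes([LL_LENGTH_REQ]) + struct.pack("<HHHH", 251, 2120, 251, 2120)
# rx_octets=0, tx_octets=0xFFFF and tx_time=0 are all outside the spec ranges.
SAMPLE_CRAFTED_PDU = bytes([LL_LENGTH_REQ]) + struct.pack("<HHHH", 0, 17040, 0xFFFF, 0)

_FIELD_RANGES = (
    ("rx_octets", OCTETS_RANGE),
    ("rx_time", TIME_RANGE_US),
    ("tx_octets", OCTETS_RANGE),
    ("tx_time", TIME_RANGE_US),
)


def parse_length_pdu(pdu: bytes) -> dict:
    """Decode an LL_LENGTH_REQ/RSP payload; structural checks only."""
    if len(pdu) != 9:
        raise ValueError(f"expected 9 bytes, got {len(pdu)}")
    opcode = pdu[0]
    if opcode not in (LL_LENGTH_REQ, LL_LENGTH_RSP):
        raise ValueError(f"opcode 0x{opcode:02x} is not LL_LENGTH_REQ/RSP")
    rx_o, rx_t, tx_o, tx_t = struct.unpack("<HHHH", pdu[1:9])
    return {"opcode": opcode, "rx_octets": rx_o, "rx_time": rx_t,
            "tx_octets": tx_o, "tx_time": tx_t}


def range_errors(fields: dict) -> list:
    """Return one message per field outside its specified range."""
    errors = []
    for name, (lo, hi) in _FIELD_RANGES:
        value = fields[name]
        if not lo <= value <= hi:
            errors.append(f"{name}={value} outside {lo}..{hi}")
    return errors


def handle_length_req(pdu: bytes, local: dict = LOCAL_LIMITS):
    """Checked handler: reject out-of-range PDUs, else compute effective sizes.

    Effective RX is bounded by what the peer may transmit; effective TX by
    what the peer can receive. Nothing is used until the range check passes.
    """
    fields = parse_length_pdu(pdu)
    errors = range_errors(fields)
    if errors:
        return ("reject", errors)
    eff_rx = min(local["rx_octets"], fields["tx_octets"])
    eff_tx = min(local["tx_octets"], fields["rx_octets"])
    return ("accept", (eff_rx, eff_tx))


def handle_length_req_unchecked(pdu: bytes):
    """Illustrative unchecked handler: peer-announced sizes taken as-is.

    Returns (peer tx octets, peer rx octets) exactly as received, which is
    what ends up in buffer setup when no range check exists: here an
    oversized 0xFFFF and a zero length.
    """
    fields = parse_length_pdu(pdu)
    return (fields["tx_octets"], fields["rx_octets"])


if __name__ == "__main__":
    print(handle_length_req(SAMPLE_VALID_PDU))
    print(handle_length_req(SAMPLE_CRAFTED_PDU))
    print(handle_length_req_unchecked(SAMPLE_CRAFTED_PDU))
```

The check is cheap and happens once per procedure; the alternative is a link-layer buffer sized from attacker-controlled numbers, which is the denial-of-service outcome both entries describe.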
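
The Dify entry (CVE-2025-43862) and the disputed JHipster entry (CVE-2025-43712) sit on either side of one design rule: the role that gates an endpoint must come from state the server holds, and hiding a screen in the UI is not a check. The example below is added here and is not Dify's or JHipster's code; the session store, handler names and responses are constructed. It contrasts a handler that reads the role from the session (so editing the authorities value returned by an account endpoint only changes what the client draws) with two broken variants: one that performs no check behind a hidden UI route, and one that believes a role the client sends back.

```python
"""Server-side role enforcement versus UI-only gating.

Added example with a constructed in-memory session store; not Dify's or
JHipster's code.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    session_id: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


# Constructed session store: session id -> (login, server-assigned authorities).
SESSIONS = {
    "sess-alice": ("alice", {"ROLE_USER"}),
    "sess-root": ("root", {"ROLE_USER", "ROLE_ADMIN"}),
}


def _roles(req: Request) -> set:
    """Authorities as the server knows them; unknown session means none."""
    return SESSIONS.get(req.session_id, (None, set()))[1]


def account(req: Request) -> dict:
    """Account-style endpoint: tells the UI which roles it may render."""
    login, roles = SESSIONS[req.session_id]
    return {"login": login, "authorities": sorted(roles)}


def ui_shows_admin_menu(account_response: dict) -> bool:
    """What the front end does with the response: purely cosmetic gating."""
    return "ROLE_ADMIN" in account_response["authorities"]


def tampered_account_response(req: Request) -> dict:
    """Client-side edit of the account response, as in the JHipster report."""
    acct = account(req)
    acct["authorities"] = ["ROLE_ADMIN"]
    return acct


def orchestration_secure(req: Request):
    """Admin-only endpoint: the role is looked up server-side, never read
    from the request, so a tampered client view changes nothing here."""
    if req.session_id not in SESSIONS:
        return 401, {"error": "unauthenticated"}
    if "ROLE_ADMIN" not in _roles(req):
        return 403, {"error": "forbidden"}
    return 200, {"orchestration": "updated"}


def orchestration_unchecked(req: Request):
    """Broken: the route exists and the UI hides it, but any authenticated
    session may call it (the pattern the Dify entry describes)."""
    if req.session_id not in SESSIONS:
        return 401, {"error": "unauthenticated"}
    return 200, {"orchestration": "updated"}


def orchestration_trusting_client(req: Request):
    """Broken: trusts an authorities list echoed back by the client, which
    turns the cosmetic edit above into real access."""
    claimed = set(req.body.get("authorities", []))
    if "ROLE_ADMIN" not in claimed:
        return 403, {"error": "forbidden"}
    return 200, {"orchestration": "updated"}


if __name__ == "__main__":
    alice = Request("sess-alice")
    print("menu visible after tampering:", ui_shows_admin_menu(tampered_account_response(alice)))
    print("secure handler:", orchestration_secure(alice))
    print("unchecked handler:", orchestration_unchecked(alice))
    print("client-trusting handler:",
          orchestration_trusting_client(Request("sess-alice", body={"authorities": ["ROLE_ADMIN"]})))
```

The same split explains the other access-control rows on this page: a check that lives only in the client, or only in which menu items are drawn, is bypassed by calling the endpoint directly.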
