Total
3042 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-61760 | 1 Oracle | 1 Vm Virtualbox | 2025-10-23 | N/A | 7.5 HIGH |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H). | |||||
| CVE-2025-62290 | 1 Oracle | 1 Zfs Storage Appliance Kit | 2025-10-23 | N/A | 7.2 HIGH |
| Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Block Storage). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle ZFS Storage Appliance Kit. Successful attacks of this vulnerability can result in takeover of Oracle ZFS Storage Appliance Kit. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2024-27348 | 1 Apache | 1 Hugegraph | 2025-10-23 | N/A | 9.8 CRITICAL |
| RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue. | |||||
| CVE-2025-24916 | 2 Microsoft, Tenable | 2 Windows, Nessus Network Monitor | 2025-10-23 | N/A | 7.0 HIGH |
| When installing Tenable Network Monitor to a non-default location on a Windows host, Tenable Network Monitor versions prior to 6.5.1 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. | |||||
| CVE-2025-24917 | 2 Microsoft, Tenable | 2 Windows, Nessus Network Monitor | 2025-10-23 | N/A | 7.8 HIGH |
| In Tenable Network Monitor versions prior to 6.5.1 on a Windows host, it was found that a non-administrative user could stage files in a local directory to run arbitrary code with SYSTEM privileges, potentially leading to local privilege escalation. | |||||
| CVE-2025-58055 | 1 Discourse | 1 Discourse | 2025-10-23 | N/A | 4.3 MEDIUM |
| Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topic_id” value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model’s responses then disclosed information that the authenticated user couldn’t normally access. This issue is fixed in version 3.5.1. To workaround this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings. | |||||
| CVE-2024-20767 | 1 Adobe | 1 Coldfusion | 2025-10-23 | N/A | 7.4 HIGH |
| ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet. | |||||
| CVE-2023-26360 | 1 Adobe | 1 Coldfusion | 2025-10-23 | N/A | 8.6 HIGH |
| Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-59494 | 1 Microsoft | 1 Azure Monitor Agent | 2025-10-22 | N/A | 7.8 HIGH |
| Improper access control in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-60427 | 2025-10-22 | N/A | 6.5 MEDIUM | ||
| LibreTime 3.0.0-alpha.10 and possibly earlier is vulnerable to Broken Access Control, where a user with the DJ role can access analytics data via the Web UI and direct API calls. The backend does not verify role-based permissions for analytics endpoints, allowing unauthorized retrieval of station-wide metrics. This results in information disclosure to less privileged users. | |||||
| CVE-2025-25734 | 1 Kapsch | 4 Ris-9160, Ris-9160 Firmware, Ris-9260 and 1 more | 2025-10-22 | N/A | 6.8 MEDIUM |
| Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 was discovered to contain an unauthenticated EFI shell which allows attackers to execute arbitrary code or escalate privileges during the boot process. | |||||
| CVE-2014-3120 | 1 Elasticsearch | 1 Elasticsearch | 2025-10-22 | 6.8 MEDIUM | 8.1 HIGH |
| The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. | |||||
| CVE-2013-2423 | 3 Canonical, Opensuse, Oracle | 3 Ubuntu Linux, Opensuse, Jre | 2025-10-22 | 4.3 MEDIUM | 3.7 LOW |
| Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager. | |||||
| CVE-2013-0422 | 3 Canonical, Opensuse, Oracle | 4 Ubuntu Linux, Opensuse, Jdk and 1 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue. | |||||
| CVE-2012-5076 | 2 Oracle, Suse | 2 Jre, Linux Enterprise Desktop | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS. | |||||
| CVE-2012-4681 | 2 Oracle, Redhat | 6 Jdk, Jre, Enterprise Linux Desktop and 3 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class. | |||||
| CVE-2012-1723 | 2 Oracle, Redhat | 8 Jdk, Jre, Enterprise Linux Desktop and 5 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. | |||||
| CVE-2011-3544 | 4 Canonical, Oracle, Redhat and 1 more | 6 Ubuntu Linux, Jdk, Jre and 3 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting. | |||||
| CVE-2019-11634 | 1 Citrix | 2 Receiver, Workspace | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| Citrix Workspace App before 1904 for Windows has Incorrect Access Control. | |||||
| CVE-2016-3427 | 8 Apache, Canonical, Debian and 5 more | 38 Cassandra, Ubuntu Linux, Debian Linux and 35 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. | |||||