Vulnerabilities (CVE)

Filtered by CWE-284
Total 4342 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-64669 1 Microsoft 1 Windows Admin Center 2026-06-17 N/A 7.8 HIGH
Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.
CVE-2025-64660 1 Microsoft 1 Visual Studio Code 2026-06-17 N/A 8.0 HIGH
Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network.
CVE-2025-64516 1 Glpi-project 1 Glpi 2026-06-17 N/A 7.5 HIGH
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.
CVE-2025-64483 2026-06-17 N/A N/A
Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API – Agent Configuration in certain configurations allows authenticated users with read-only API roles to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI. This issue has been patched in version 4.13.0.
CVE-2025-64400 2026-06-17 N/A 4.1 MEDIUM
Control Panel provides an API for pre-registering into an enrollment and organization prior to a user's first login. The API for creating users checks that the account requesting a user creation has `edit` on the enrollment-level user directory, but is missing a separate check that the enrollment editor has access (or belongs to) the organization that they are adding a user to.
CVE-2025-64347 2026-06-17 N/A 7.5 HIGH
Apollo Router Core is a configurable Rust graph router written to run a federated supergraph using Apollo Federation 2. Versions 1.61.12-rc.0 and below and 2.8.1-rc.0 allow unauthorized access to protected data through schema elements with access control directives (@authenticated, @requiresScopes, and @policy) that were renamed via @link imports. Router did not enforce renamed access control directives on schema elements (e.g. fields and types), allowing queries to bypass those element-level access controls. This issue is fixed in versions 1.61.12 and 2.8.1.
CVE-2025-64110 1 Anysphere 1 Cursor 2026-06-17 N/A 7.5 HIGH
Cursor is a code editor built for programming with AI. In versions 1.7.23 and below, a logic bug allows a malicious agent to read sensitive files that should be protected via cursorignore. An attacker who has already achieved prompt injection, or a malicious model, could create a new cursorignore file which can invalidate the configuration of pre-existing ones. This could allow a malicious agent to read protected files. This issue is fixed in version 2.0.
CVE-2025-64066 1 Primakon 1 Project Contract Management 2026-06-17 N/A 8.6 HIGH
Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. This vector can also be chained with other vulnerabilities for privilege escalation and complete compromise of the application. This specific request can also be used to enumerate already registered user accounts, aiding in social engineering or further targeted attacks.
CVE-2025-64064 1 Primakon 1 Project Contract Management 2026-06-17 N/A 8.8 HIGH
Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls, any low-level user can use this API and change their permission to Administrator by setting PP_SECURITY_PROFILE_ID=2 in the body of the request, escalating privileges.
CVE-2025-63958 1 Millensys 1 Vision Tools Workspace 2026-06-17 N/A 9.8 CRITICAL
MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged administrative function.
CVE-2025-63739 1 Rockoa 1 Rockoa 2026-06-17 N/A 4.3 MEDIUM
An issue was discovered in function phpinisaveAction in file webmain/system/cogini/coginiAction.php in Xinhu Rainrock RockOA 2.7.0 allowing authenticated attackers to modify PHP configuration files via the a parameter to the index.php endpoint.
CVE-2025-63686 1 Guominjim 1 Personmanage 2026-06-17 N/A 6.5 MEDIUM
There is an arbitrary file download vulnerability in GuoMinJim PersonManage through commit 5a02b1ab208feacf3a34fc123c9381162afbaa95 (2020-11-23) in the document query function under the Download Center menu in the PersonManage system.
CVE-2025-63681 1 Openwebui 1 Open Webui 2026-06-17 N/A 4.3 MEDIUM
open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks.
CVE-2025-63667 3 Asecam, Keview, Simicam 6 Ip Camera, Ip Camera Firmware, Ip Camera and 3 more 2026-06-17 N/A 7.5 HIGH
Incorrect access control in SIMICAM v1.16.41-20250725, KEVIEW v1.14.92-20241120, ASECAM v1.14.10-20240725 allows attackers to access sensitive API endpoints without authentication.
CVE-2025-63666 1 Tenda 2 Ac15, Ac15 Firmware 2026-06-17 N/A 9.8 CRITICAL
Tenda AC15 v15.03.05.18_multi issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim's browser can steal the cookie and replay it to access protected resources.
CVE-2025-63664 1 Gtedge 1 Gt Edge Ai 2026-06-17 N/A 7.5 HIGH
Incorrect access control in the /api/v1/conversations/*/messages API of GT Edge AI Platform before v2.0.10-dev allows unauthorized attackers to access other users' message history with AI agents.
CVE-2025-63663 1 Gtedge 1 Gt Edge Ai 2026-06-17 N/A 7.5 HIGH
Incorrect access control in the /api/v1/conversations/*/files API of GT Edge AI Platform before v2.0.10 allows unauthorized attackers to access other users' uploaded files.
CVE-2025-63562 1 Summerpearlgroup 1 Vacation Rental Management Platform 2026-06-17 N/A 6.3 MEDIUM
Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 suffers from insufficient server-side authorization. Authenticated attackers can call several endpoints and perform create/update/delete actions on resources owned by arbitrary users by manipulating request parameters (e.g., owner or resource id).
CVE-2025-63525 1 Shridharshukl 1 Blood Bank Management System 2026-06-17 N/A 9.6 CRITICAL
An issue was discovered in Blood Bank Management System 1.0 allowing authenticated attackers to perform actions with escalated privileges via crafted request to delete.php.
CVE-2025-63423 2026-06-17 N/A 7.5 HIGH
Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 was discovered to store the Administrator password.