Total
4342 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-61119 | 2026-06-17 | N/A | 7.5 HIGH | ||
| Kanova Android App version 1.0.27 (package name com.karelane), developed by Karely L.L.C., contains improper access control vulnerabilities. Attackers may gain unauthorized access to user details and obtain group information, including entry codes, by manipulating API request parameters. Successful exploitation could result in privacy breaches, unauthorized group access, and misuse of the platform. | |||||
| CVE-2025-61118 | 2026-06-17 | N/A | 7.5 HIGH | ||
| mCarFix Motorists App version 2.3 (package name com.skytop.mcarfix), developed by Paniel Mwaura, contains improper access control vulnerabilities. Attackers may bypass verification to arbitrarily register accounts, and by tampering with sequential numeric IDs, gain unauthorized access to user data and groups. Successful exploitation could result in fake account creation, privacy breaches, and misuse of the platform. | |||||
| CVE-2025-61117 | 2026-06-17 | N/A | 7.5 HIGH | ||
| Senza: Keto & Fasting Android App version 2.10.15 (package name com.gl.senza), developed by Paul Itoi, contains an improper access control vulnerability. By exploiting insufficient checks in user data API endpoints, attackers can obtain authentication tokens and perform account takeover. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform. | |||||
| CVE-2025-61116 | 2026-06-17 | N/A | 7.5 HIGH | ||
| AdForest - Classified Android App version 4.0.12 (package name scriptsbundle.adforest), developed by Muhammad Jawad Arshad, contains an improper access control vulnerability in its authentication mechanism. The app uses a Base64-encoded email address as the authorization credential, which can be manipulated by attackers to gain unauthorized access to user accounts. Successful exploitation could result in account compromise, privacy breaches, and misuse of the platform. | |||||
| CVE-2025-61115 | 2026-06-17 | N/A | 7.5 HIGH | ||
| ABC Fine Wine & Spirits Android App version v.11.27.5 and before (package name com.cta.abcfinewineandspirits), developed by ABC Liquors, Inc., contains an improper access control vulnerability in its login mechanism. The application does not properly validate user passwords during authentication, allowing attackers to bypass login checks and obtain valid session identifiers. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform. | |||||
| CVE-2025-61114 | 2026-06-17 | N/A | 7.5 HIGH | ||
| 2nd Line Android App version v1.2.92 and before (package name com.mysecondline.app), developed by AutoBizLine, Inc., contains an improper access control vulnerability in its authentication mechanism. The server only validates the first character of the user_token, enabling attackers to brute force tokens and perform unauthorized queries on other user accounts. Successful exploitation could result in privacy breaches and unauthorized access to user data. | |||||
| CVE-2025-61113 | 2026-06-17 | N/A | 7.5 HIGH | ||
| TalkTalk 3.3.6 Android App contains improper access control vulnerabilities in multiple API endpoints. By modifying request parameters, attackers may obtain sensitive user information (such as device identifiers and birthdays) and access private group information, including join credentials. Successful exploitation may result in privacy breaches and unauthorized access to restricted resources. | |||||
| CVE-2025-60982 | 2026-06-17 | N/A | 5.4 MEDIUM | ||
| IDOR vulnerability in Educare ERP 1.0 (2025-04-22) allows unauthorized access to sensitive data via manipulated object references. Affected endpoints do not enforce proper authorization checks, allowing authenticated users to access or modify data belonging to other users by changing object identifiers in API requests. Attackers can exploit this flaw to view or modify sensitive records without proper authorization. | |||||
| CVE-2025-60876 | 1 Busybox | 1 Busybox | 2026-06-17 | N/A | 6.5 MEDIUM |
| BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | |||||
| CVE-2025-60865 | 1 Avanquest | 1 Pc Helpsoft Driver Updater | 2026-06-17 | N/A | 7.8 HIGH |
| Insecure Permissions vulnerability in avanquest Driver Updater v.9.1.57803.1174 allows a local attacker to escalate privileges via the Driver Updater Service windows component. | |||||
| CVE-2025-60800 | 1 Jishenghua | 1 Jsherp | 2026-06-17 | N/A | 7.5 HIGH |
| Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request. | |||||
| CVE-2025-60799 | 1 Phppgadmin Project | 1 Phppgadmin | 2026-06-17 | N/A | 6.1 MEDIUM |
| phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data. | |||||
| CVE-2025-60784 | 1 Xiaozhangbang | 1 Voluntary Like System | 2026-06-17 | N/A | 6.5 MEDIUM |
| A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP POST request with zhekou set to an abnormally low value, an attacker can purchase votes at a reduced cost. Furthermore, by modifying the zid parameter, attackers can influence purchases made by other users, amplifying the impact. This issue stems from insufficient server-side validation of these parameters, potentially leading to economic loss and unfair manipulation of vote counts. | |||||
| CVE-2025-60705 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-06-17 | N/A | 7.8 HIGH |
| Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-60427 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| LibreTime 3.0.0-alpha.10 and possibly earlier is vulnerable to Broken Access Control, where a user with the DJ role can access analytics data via the Web UI and direct API calls. The backend does not verify role-based permissions for analytics endpoints, allowing unauthorized retrieval of station-wide metrics. This results in information disclosure to less privileged users. | |||||
| CVE-2025-60354 | 2026-06-17 | N/A | 7.5 HIGH | ||
| Unauthorized modification of arbitrary articles vulnerability exists in blog-vue-springboot. | |||||
| CVE-2025-60306 | 1 Code-projects | 1 Simple Car Rental System | 2026-06-17 | N/A | 9.9 CRITICAL |
| code-projects Simple Car Rental System 1.0 has a permission bypass issue where low privilege users can forge high privilege sessions and perform sensitive operations. | |||||
| CVE-2025-60305 | 1 Senior-walter | 1 Online Student Clearance System | 2026-06-17 | N/A | 8.8 HIGH |
| SourceCodester Online Student Clearance System 1.0 is vulnerable to Incorrect Access Control. The application contains a logic flaw which allows low privilege users can forge high privileged sessions and perform sensitive operations. | |||||
| CVE-2025-60291 | 2026-06-17 | N/A | 9.1 CRITICAL | ||
| An issue was discovered in eTimeTrackLite Web thru 12.0 (20250704). There is a permission control flaw that allows unauthorized attackers to access specific routes and modify database connection configurations. | |||||
| CVE-2025-5962 | 2026-06-17 | N/A | 7.7 HIGH | ||
| A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls to the history service, an attacker can view, delete, or inject arbitrary history entries, including misleading or malicious commands. This can be used to deceive another user into executing harmful actions, posing a risk of privilege misuse or unauthorized command execution through social engineering. | |||||