Total: 4355 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-55694 | 1 Microsoft | 3 Windows 11 24h2, Windows 11 25h2, Windows Server 2025 | 2026-06-17 | N/A | 7.8 HIGH |
| Improper access control in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-55630 | 1 Reolink | 2 Smart 2k+ Plug-in Wi-fi Video Doorbell With Chime, Smart 2k+ Plug-in Wi-fi Video Doorbell With Chime Firmware | 2026-06-17 | N/A | 7.3 HIGH |
| A discrepancy in the error message returned by the login function of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 when entering the wrong username and password allows attackers to enumerate existing accounts. | |||||
| CVE-2025-55626 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| An Insecure Direct Object Reference (IDOR) vulnerability in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to access the Admin-only settings and edit the session storage. | |||||
| CVE-2025-55471 | 1 Youlai | 1 Youlai-boot | 2026-06-17 | N/A | 7.5 HIGH |
| Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users. | |||||
| CVE-2025-55469 | 1 Youlai | 1 Youlai-boot | 2026-06-17 | N/A | 9.8 CRITICAL |
| Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend. | |||||
| CVE-2025-55373 | 1 Beakon | 1 Beakon | 2026-06-17 | N/A | 5.3 MEDIUM |
| Incorrect access control in Beakon Application before v5.4.3 allows authenticated attackers with low-level privileges to escalate privileges and execute commands with Administrator rights. | |||||
| CVE-2025-55371 | 1 Jishenghua | 1 Jsherp | 2026-06-17 | N/A | 5.3 MEDIUM |
| Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method. | |||||
| CVE-2025-55368 | 1 Jishenghua | 1 Jsherp | 2026-06-17 | N/A | 8.8 HIGH |
| Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. | |||||
| CVE-2025-55367 | 1 Jishenghua | 1 Jsherp | 2026-06-17 | N/A | 5.3 MEDIUM |
| Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. | |||||
| CVE-2025-55366 | 1 Jishenghua | 1 Jsherp | 2026-06-17 | N/A | 5.3 MEDIUM |
| Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack. | |||||
| CVE-2025-55261 | 1 Hcltech | 1 Aftermarket Cloud | 2026-06-17 | N/A | 8.1 HIGH |
| HCL Aftermarket DPC is affected by Missing Functional Level Access Control, which allows an attacker to escalate privileges and may lead to compromise of the application and theft and manipulation of its data. | |||||
| CVE-2025-55244 | 1 Microsoft | 1 Azure Ai Bot Service | 2026-06-17 | N/A | 9.0 CRITICAL |
| Azure Bot Service Elevation of Privilege Vulnerability | |||||
| CVE-2025-55240 | 1 Microsoft | 3 Visual Studio 2017, Visual Studio 2019, Visual Studio 2022 | 2026-06-17 | N/A | 7.3 HIGH |
| Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-55238 | 1 Microsoft | 1 Dynamics 365 | 2026-06-17 | N/A | 7.5 HIGH |
| Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability | |||||
| CVE-2025-55196 | | | 2026-06-17 | N/A | N/A |
| External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions. An attacker with the ability to create or update PushSecret resources and control SecretStore configurations could exploit this vulnerability to exfiltrate sensitive data from arbitrary namespaces. This could lead to full disclosure of Kubernetes secrets, including credentials, tokens, and other sensitive information stored in the cluster. This vulnerability has been patched in version 0.19.2. A workaround for this issue includes auditing and restricting RBAC permissions so that only trusted service accounts can create or update PushSecret and SecretStore resources. | |||||
| CVE-2025-55012 | | | 2026-06-17 | N/A | N/A |
| Zed is a multiplayer code editor. Prior to version 0.197.3, the Zed Agent Panel allowed an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI agent could have exploited a permissions bypass vulnerability to create or modify a project-specific configuration file, leading to the execution of arbitrary commands on a victim's machine without the explicit approval that would otherwise be required. This vulnerability has been patched in version 0.197.3. A workaround for this issue is either to avoid sending prompts to the Agent Panel or to limit the AI agent's file system access. | |||||
| CVE-2025-54970 | 1 Baesystems | 1 Socet Gxp | 2026-06-17 | N/A | 6.5 MEDIUM |
| An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Status Service fails to authenticate requests. In some configurations, this may allow remote or local users to abort jobs or read information without the permissions of the job owner. | |||||
| CVE-2025-54968 | 1 Baesystems | 1 Socet Gxp | 2026-06-17 | N/A | 8.8 HIGH |
| An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Service does not require authentication. In some configurations, this may allow remote users to submit jobs, or local users to submit jobs that will execute with the permissions of other users. | |||||
| CVE-2025-54914 | 1 Microsoft | 1 Azure Networking | 2026-06-17 | N/A | 10.0 CRITICAL |
| Azure Networking Elevation of Privilege Vulnerability | |||||
| CVE-2025-54875 | 1 Freshrss | 1 Freshrss | 2026-06-17 | N/A | 9.8 CRITICAL |
| FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 through 1.26.3, when registration is enabled, an unprivileged attacker can create a new admin user by using the hidden field new_user_is_admin, which is used only in the user management admin page. This is fixed in version 1.27.0. | |||||
