Total: 4355 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-54871 | 1 Electroncapture | 1 Electron Capture | 2026-06-17 | N/A | 5.5 MEDIUM |
| Electron Capture facilitates video playback for screen-sharing and capture. In versions 2.19.1 and below, the elecap app on macOS allows local unprivileged users to bypass macOS TCC privacy protections by setting ELECTRON_RUN_AS_NODE. With that environment variable set, the app binary executes arbitrary Node.js code passed via the -e flag; because it is still the same signed app binary, that code inherits any TCC permissions previously granted to the app (such as access to Documents, Downloads, etc.). This issue is fixed in version 2.20.0. | |||||
| CVE-2025-54786 | 1 Salesagility | 1 Suitecrm | 2026-06-17 | N/A | 5.3 MEDIUM |
| SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, broken authentication in the legacy iCal service allows unauthenticated access to meeting data: an unauthenticated actor who knows a username can view that user's meeting (calendar event) data, and related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1. | |||||
| CVE-2025-54603 | | | 2026-06-17 | N/A | 6.5 MEDIUM |
| An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users. | |||||
| CVE-2025-54599 | 1 Bevy | 1 Events And Groups | 2026-06-17 | N/A | 7.5 HIGH |
| The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows account takeover when SSO is used and a victim changes the email address they have configured. To exploit this, an attacker would create their own account and perform an SSO login. The root cause of the issue is SSO misconfiguration. | |||||
| CVE-2025-54591 | 1 Freshrss | 1 Freshrss | 2026-06-17 | N/A | 7.5 HIGH |
| FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below expose information about the feeds and tags of default admin users, because some of the tag/feed related endpoints never invoke the FreshRSS_Auth::hasAccess() access check. FreshRSS controllers usually define a firstAction() override that makes every action require access; a controller without one has to check access manually in each action, and the affected endpoints do neither. This issue is fixed in version 1.27.0. | |||||
| CVE-2025-54563 | 1 Desktopalert | 1 Pingalert Application Server | 2026-06-17 | N/A | 7.5 HIGH |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert versions 6.1.0.11 to 6.1.1.2, leading to remote information disclosure. | |||||
| CVE-2025-54561 | 1 Desktopalert | 1 Pingalert Application Server | 2026-06-17 | N/A | 4.3 MEDIUM |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert versions 6.1.0.11 to 6.1.1.2 which allows remote access to content despite the caller lacking the required permission, through a broken authorization scheme. | |||||
| CVE-2025-54397 | 1 Netwrix | 1 Directory Manager | 2026-06-17 | N/A | 4.3 MEDIUM |
| Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 includes sensitive information in data sent to authenticated users. | |||||
| CVE-2025-54391 | | | 2026-06-17 | N/A | 9.1 CRITICAL |
| A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The attacker can configure an additional 2FA method (either a third-party authenticator app or email-based 2FA) without presenting a valid authentication token or proving access to an already configured 2FA method. This bypasses 2FA and results in unauthorized access to accounts that are otherwise protected by 2FA. | |||||
| CVE-2025-54343 | 1 Desktopalert | 1 Pingalert Application Server | 2026-06-17 | N/A | 9.6 CRITICAL |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | |||||
| CVE-2025-54339 | 1 Desktopalert | 1 Pingalert Application Server | 2026-06-17 | N/A | 10.0 CRITICAL |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | |||||
| CVE-2025-54338 | 1 Desktopalert | 1 Pingalert Application Server | 2026-06-17 | N/A | 7.5 HIGH |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to disclose user hashes. | |||||
| CVE-2025-54116 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2026-06-17 | N/A | 7.3 HIGH |
| Improper access control in Windows MultiPoint Services allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-54098 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2026-06-17 | N/A | 7.8 HIGH |
| Improper access control in Windows Hyper-V allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-53791 | 1 Microsoft | 1 Edge Chromium | 2026-06-17 | N/A | 4.7 MEDIUM |
| Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. | |||||
| CVE-2025-53763 | 1 Microsoft | 1 Purview Data Governance | 2026-06-17 | N/A | 9.8 CRITICAL |
| Improper access control in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2025-53729 | 1 Microsoft | 1 Azure File Sync | 2026-06-17 | N/A | 7.8 HIGH |
| Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-53501 | 2 Mediawiki, Xtex | 2 Mediawiki, Scribunto | 2026-06-17 | N/A | 8.8 HIGH |
| Improper Access Control vulnerability in the Wikimedia Foundation MediaWiki Scribunto extension allows accessing functionality not properly constrained by authorization. This issue affects the MediaWiki Scribunto extension from 1.39.X before 1.39.12, from 1.42.X before 1.42.7, and from 1.43.X before 1.43.2. | |||||
| CVE-2025-53360 | | | 2026-06-17 | N/A | 4.3 MEDIUM |
| The pluginsGLPI Database Inventory plugin manages the Teclib' inventory agents in order to inventory the databases present on a workstation. In versions prior to 1.0.3, any authenticated user could send requests to the agents. This issue has been patched in version 1.0.3. | |||||
| CVE-2025-53113 | 1 Glpi-project | 1 Glpi | 2026-06-17 | N/A | 2.7 LOW |
| GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a free asset and IT management software package that provides ITIL service desk features, licence tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19. | |||||
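A detection a blue team could run over process-execution telemetry for the ELECTRON_RUN_AS_NODE pattern in the Electron Capture entry (CVE-2025-54871). This is an added example, not code from the CVE record or the Electron Capture project. The JSON-lines event shape (pid/user/exe/argv/env), the /Applications/elecap.app path and the user name are constructed to resemble an EDR feed; real sensors use different field names. The rule flags any non-empty ELECTRON_RUN_AS_NODE on a binary inside a .app bundle, since Electron honours the variable whenever it is set to anything, and additionally notes when an inline-code flag such as -e or -r is on the command line.

```python
"""Flag ELECTRON_RUN_AS_NODE abuse against macOS app bundles in process events.

Added example, not code from the CVE record or from Electron Capture. The
JSON-lines event shape is constructed to resemble an EDR process-execution
feed; adapt the field names to your sensor.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Executable living inside a .app bundle, i.e. the identity TCC grants apply to.
APP_BUNDLE_BINARY = re.compile(r"\.app/Contents/MacOS/[^/]+$")
# Node flags that run code supplied on the command line or preload a module.
INLINE_CODE_FLAGS = {"-e", "--eval", "-p", "--print", "-r", "--require"}

# Constructed sample events: a benign launch, the CVE-2025-54871 pattern with
# -e, the same env var with a non-"1" value, and a plain node binary (ignored).
SAMPLE_EVENTS = "\n".join(json.dumps(ev) for ev in [
    {"pid": 501, "user": "alice", "exe": "/Applications/elecap.app/Contents/MacOS/elecap",
     "argv": ["/Applications/elecap.app/Contents/MacOS/elecap"],
     "env": {"HOME": "/Users/alice"}},
    {"pid": 777, "user": "alice", "exe": "/Applications/elecap.app/Contents/MacOS/elecap",
     "argv": ["/Applications/elecap.app/Contents/MacOS/elecap", "-e",
              "require('fs').readdirSync(process.env.HOME + '/Documents')"],
     "env": {"HOME": "/Users/alice", "ELECTRON_RUN_AS_NODE": "1"}},
    {"pid": 778, "user": "alice", "exe": "/Applications/elecap.app/Contents/MacOS/elecap",
     "argv": ["/Applications/elecap.app/Contents/MacOS/elecap", "/tmp/payload.js"],
     "env": {"HOME": "/Users/alice", "ELECTRON_RUN_AS_NODE": "true"}},
    {"pid": 900, "user": "alice", "exe": "/usr/local/bin/node",
     "argv": ["node", "-e", "1+1"], "env": {"ELECTRON_RUN_AS_NODE": "1"}},
])


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    exe: str
    reason: str


def is_app_bundle_binary(exe: str) -> bool:
    return APP_BUNDLE_BINARY.search(exe) is not None


def analyze_event(event: dict) -> Optional[Finding]:
    exe = event.get("exe", "")
    argv = event.get("argv", [])
    env = event.get("env", {})
    if not is_app_bundle_binary(exe):
        return None  # a bare node/electron dev binary holds no TCC grants of its own
    # Electron treats the variable as set when it is non-empty, not only when "1".
    if env.get("ELECTRON_RUN_AS_NODE", "") == "":
        return None
    reason = "ELECTRON_RUN_AS_NODE set on app-bundle binary"
    if any(arg in INLINE_CODE_FLAGS for arg in argv[1:]):
        reason += " with inline code flag"
    return Finding(int(event["pid"]), event.get("user", "?"), exe, reason)


def scan(jsonl: str) -> List[Finding]:
    """Run the rule over a JSON-lines feed and return the matching events."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = analyze_event(json.loads(line))
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} user={f.user} exe={f.exe}: {f.reason}")
```

On the prevention side, the check a packager wants is whether the shipped bundle still honours the variable at all: `npx @electron/fuses read --app <bundle>` prints the fuse state, and turning the RunAsNode fuse off is the standard mitigation for this class.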
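The FreshRSS entry (CVE-2025-54591) describes the classic "every controller must remember to check" failure. The following is an added Python model of that controller/firstAction() shape, not FreshRSS code: a trusting dispatcher that mirrors the bug beside a fail-closed dispatcher that refuses any action whose access policy is undeclared, so a forgotten check becomes a denied request rather than a leak. Controller names, the session dict and the ADMIN_TAGS data are constructed.

```python
"""Fail-closed action dispatch for controllers that may forget an access check.

Added example, not FreshRSS code. The controller/action/first_action shape is
modelled in Python to show why a dispatcher should refuse any action whose
access policy is undeclared, instead of trusting each controller to remember
its own check. Sessions, roles and ADMIN_TAGS are constructed.
"""
from typing import Any, Callable, Optional


class AccessDenied(Exception):
    pass


def requires_login(fn: Callable) -> Callable:
    fn.access_policy = "login"   # action runs only for an authenticated user
    return fn


def public(fn: Callable) -> Callable:
    fn.access_policy = "public"  # explicitly declared safe for anonymous callers
    return fn


# Constructed data a leaking endpoint would expose: the default admin's tags.
ADMIN_TAGS = ["work", "private-research"]


class TagController:
    """Mimics a controller with no firstAction() override."""

    first_action: Optional[Callable[[dict], None]] = None

    @requires_login
    def list_tags(self, session: dict) -> list:
        return ADMIN_TAGS

    @public
    def health(self, session: dict) -> dict:
        return {"ok": True}

    def tag_info(self, session: dict) -> dict:
        # No decorator and no manual hasAccess()-style check: the bug shape.
        return {"tags": ADMIN_TAGS, "owner": "admin"}


class FeedController:
    """Mimics a controller whose firstAction() enforces access for every action."""

    def first_action(self, session: dict) -> None:
        if session.get("user") is None:
            raise AccessDenied("login required")

    def feed_list(self, session: dict) -> list:
        return ["https://example.invalid/feed.xml"]  # constructed


def _handler(controller: Any, action: str) -> Callable:
    if action.startswith("_") or not callable(getattr(controller, action, None)):
        raise AccessDenied(f"{action}: not a dispatchable action")
    return getattr(controller, action)


def dispatch_trusting(controller: Any, action: str, session: dict) -> Any:
    """Legacy behaviour: run first_action() if defined, otherwise just call the action."""
    handler = _handler(controller, action)
    if controller.first_action is not None:
        controller.first_action(session)
    return handler(session)


def dispatch_fail_closed(controller: Any, action: str, session: dict) -> Any:
    """Hardened: every action is covered by first_action() or carries an explicit policy."""
    handler = _handler(controller, action)
    if controller.first_action is not None:
        controller.first_action(session)
        return handler(session)
    policy = getattr(handler, "access_policy", None)
    if policy is None:
        raise AccessDenied(f"{action}: no access policy declared")
    if policy == "login" and session.get("user") is None:
        raise AccessDenied(f"{action}: login required")
    return handler(session)


def outcome(dispatcher: Callable, controller: Any, action: str, session: dict) -> str:
    """Report 'allowed' or 'denied' instead of raising, for demonstrations."""
    try:
        dispatcher(controller, action, session)
        return "allowed"
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    anon = {"user": None}
    print("trusting  tag_info anon:", outcome(dispatch_trusting, TagController(), "tag_info", anon))
    print("fail-closed tag_info anon:", outcome(dispatch_fail_closed, TagController(), "tag_info", anon))
```

The point of the fail-closed variant is that the unsafe default disappears: an action someone forgot to annotate is unreachable until a reviewer decides whether it is `@public` or `@requires_login`, which is a much cheaper audit than proving every handler calls the check itself.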
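For the Zimbra entry (CVE-2025-54391) the missing control is step-up: adding a second factor must itself be gated by the factor already enrolled. The block below is an added Python sketch, not Zimbra's SOAP code. It reduces both the authenticator-app and the e-mail method to RFC 6238 TOTP secrets (e-mail codes are modelled the same way for brevity) and contrasts password-only enrolment with enrolment that demands a current code from an existing method before a new one is activated. Account names, secrets and the timestamp are constructed; the hotp() test values are RFC 4226's published vectors.

```python
"""Second-factor enrolment that demands proof of an existing factor.

Added example, not Zimbra code. Every 2FA method (authenticator app or e-mail
code alike) is reduced to an RFC 6238 TOTP secret so the two enrolment paths
can be compared offline. Accounts, secrets and timestamps are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional


class StepUpRequired(Exception):
    pass


class InvalidCode(Exception):
    pass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP at Unix time `now` (no clock-skew window, for brevity)."""
    return hotp(secret, now // step)


@dataclass
class Account:
    name: str
    methods: Dict[str, bytes] = field(default_factory=dict)  # method name -> secret


def proves_existing_factor(acct: Account, proof: Optional[str], now: int) -> bool:
    if proof is None:
        return False
    return any(hmac.compare_digest(totp(secret, now), proof) for secret in acct.methods.values())


def enable_method_vulnerable(acct: Account, method: str, secret: bytes, now: int) -> None:
    """Bug shape: a password-only session may add a factor with no proof at all."""
    acct.methods[method] = secret


def enable_method(acct: Account, method: str, secret: bytes, enrolment_code: str, now: int,
                  existing_proof: Optional[str] = None) -> None:
    """Hardened: prove a factor you already hold, then prove the one you are adding."""
    if acct.methods and not proves_existing_factor(acct, existing_proof, now):
        raise StepUpRequired(f"{acct.name}: present a code from an enrolled method first")
    if not hmac.compare_digest(totp(secret, now), enrolment_code):
        raise InvalidCode(f"{acct.name}: enrolment code for {method} does not verify")
    acct.methods[method] = secret


def second_factor_login(acct: Account, code: str, now: int) -> bool:
    """Login accepts a code from any enrolled method, so a rogue enrolment is a bypass."""
    return proves_existing_factor(acct, code, now)


def demo(now: int = 1_700_000_000) -> dict:
    """Replay the bug shape against both enrolment paths and report what happened."""
    victim_app_secret = b"12345678901234567890"      # constructed (RFC 4226 sample key)
    attacker_secret = b"attacker-chosen-secret-bytes"  # constructed
    victim_email_secret = b"victim-email-otp-secret"   # constructed
    loose = Account("victim", {"app": victim_app_secret})
    strict = Account("victim", {"app": victim_app_secret})

    # Attacker holds only the password and adds a method whose secret they chose.
    enable_method_vulnerable(loose, "email", attacker_secret, now)
    bypass = second_factor_login(loose, totp(attacker_secret, now), now)

    # Same request against the hardened path, without proof of the enrolled app.
    try:
        enable_method(strict, "email", attacker_secret, totp(attacker_secret, now), now)
        blocked = False
    except StepUpRequired:
        blocked = True

    # Legitimate owner: proves the app factor, then the new e-mail factor.
    enable_method(strict, "email", victim_email_secret, totp(victim_email_secret, now), now,
                  existing_proof=totp(victim_app_secret, now))
    return {"vulnerable_bypass": bypass, "hardened_blocked": blocked,
            "hardened_methods": sorted(strict.methods)}


if __name__ == "__main__":
    print(demo())
```

A production version would accept a small window of adjacent TOTP steps, rate-limit proofs, and treat a recent full re-authentication (password plus existing factor) as an equally valid step-up; the invariant that does not change is that the set of accepted factors can only grow when one of the currently accepted factors has just been demonstrated.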
