Total: 4358 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-48861 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| A vulnerability in the Task API endpoint of the ctrlX OS setup mechanism allowed a remote, unauthenticated attacker to access and extract internal application data, including potential debug logs and the version of installed apps. | |||||
| CVE-2025-48860 | | | 2026-06-17 | N/A | 8.0 HIGH |
| A vulnerability in the web application of the ctrlX OS setup mechanism facilitated an authenticated (low privileged) attacker to gain remote access to backup archives created by a user with elevated permissions. Depending on the content of the backup archive, the attacker may have been able to access sensitive data. | |||||
| CVE-2025-48817 | 1 Microsoft | 17 Remote Desktop Client, Windows 10 1507, Windows 10 1607 and 14 more | 2026-06-17 | N/A | 8.8 HIGH |
| Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2025-48734 | 1 Apache | 1 Commons Beanutils | 2026-06-17 | N/A | 8.8 HIGH |
| Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2. Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue. | |||||
| CVE-2025-48707 | 1 Stormshield | 1 Stormshield Network Security | 2026-06-17 | N/A | 7.5 HIGH |
| An issue was discovered in Stormshield Network Security (SNS) before 5.0.1. TPM authentication information could, in some HA use cases, be shared among administrators, which can cause secret sharing. | |||||
| CVE-2025-48619 | 1 Google | 1 Android | 2026-06-17 | N/A | 8.4 HIGH |
| In multiple functions of ContentProvider.java, there is a possible way for an app with read-only access to truncate files due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-48025 | 1 Samsung | 20 Exynos 1280, Exynos 1280 Firmware, Exynos 1330 and 17 more | 2026-06-17 | N/A | 4.3 MEDIUM |
| In Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000, there is an improper access control vulnerability related to a log file. | |||||
| CVE-2025-47993 | 1 Microsoft | 3 Windows 11 24h2, Windows Server 2022 23h2, Windows Server 2025 | 2026-06-17 | N/A | 7.8 HIGH |
| Improper access control in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-47989 | 1 Microsoft | 1 Azure Connected Machine Agent | 2026-06-17 | N/A | 7.0 HIGH |
| Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-47962 | 1 Microsoft | 1 Windows Software Development Kit | 2026-06-17 | N/A | 7.8 HIGH |
| Improper access control in Windows SDK allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-47884 | 1 Jenkins | 1 Openid Connect Provider | 2026-06-17 | N/A | 9.1 CRITICAL |
| In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services. | |||||
| CVE-2025-47794 | 1 Nextcloud | 1 Nextcloud Server | 2026-06-17 | N/A | 2.6 LOW |
| Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud running with a different user account, or run a symlink attack. Nextcloud Server versions 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1 fix the issue. No known workarounds are available. | |||||
| CVE-2025-47792 | 1 Nextcloud | 1 Desktop | 2026-06-17 | N/A | 5.0 MEDIUM |
| Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextcloud Desktop prior to 3.15, third-party applications already installed on a user machine can create link shares for almost all data via the socket API. These shares can then be easily sent off to an external service. Nextcloud Desktop fixes the issue in version 3.15. No known workarounds are available. | |||||
| CVE-2025-47222 | 1 Keyfactor | 1 Signserver | 2026-06-17 | N/A | 6.5 MEDIUM |
| A class name enumeration was found in Keyfactor SignServer versions prior to 7.3.2. Setting any chosen class name to any of the properties requiring a class path and the provided class is not expected to return different errors if the class exists in deployment or not. This returns information about the classes loaded in the application or not to the clientside. | |||||
| CVE-2025-47221 | 1 Keyfactor | 1 Signserver | 2026-06-17 | N/A | 5.3 MEDIUM |
| An arbitrary file write was found in Keyfactor SignServer versions prior to 7.3.2. The properties ARCHIVETODISK_FILENAME-PATTERN, ARCHIVETODISK_PATH_BASE, ARCHIVETODISK_PATH_PATTERN can be set to any path, even ones that will point to files that already exist. This vulnerability gives a user with admin access the possibility to write files in arbitrary directories in the server file system and potentially overwrite files accessible by the local user JBoss. | |||||
| CVE-2025-47220 | 1 Keyfactor | 1 Signserver | 2026-06-17 | N/A | 5.3 MEDIUM |
| A local file enumeration was found in Keyfactor SignServer versions prior to 7.3.2. The property VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH, which exists in the PDFSigner and the PAdESSigner, can be set to any path without any restrictions by an admin user. In the case that the provided path points to an existing file, readable by the user running the application server, but is not a recognized image format, it will return this as an error to the clientside, confirming the existence of the file. | |||||
| CVE-2025-47179 | 1 Microsoft | 3 Configuration Manager 2403, Configuration Manager 2409, Configuration Manager 2503 | 2026-06-17 | N/A | 6.7 MEDIUM |
| Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-47161 | 1 Microsoft | 1 Defender For Endpoint | 2026-06-17 | N/A | 7.8 HIGH |
| Improper access control in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-46889 | 1 Adobe | 1 Experience Manager | 2026-06-17 | N/A | 5.4 MEDIUM |
| Adobe Experience Manager versions 6.5.22 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized elevated access. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-46816 | | | 2026-06-17 | N/A | 9.4 CRITICAL |
| goshs is a SimpleHTTPServer written in Go. Starting in version 0.3.4 and prior to version 1.0.5, running goshs without arguments makes it possible for anyone to execute commands on the server. The function `dispatchReadPump` does not check the CLI option `-c`, thus allowing anyone to execute arbitrary commands through the use of websockets. Version 1.0.5 fixes the issue. | |||||
