Total
909 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-12435 | 1 Google | 2 Android, Chrome | 2025-11-13 | N/A | 5.4 MEDIUM |
| Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2025-62520 | 1 Mantisbt | 1 Mantisbt | 2025-11-10 | N/A | 4.3 MEDIUM |
| Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, due to insufficient access-level checks, any non-admin user with access to manage_config_columns_page.php can use the Copy From action to retrieve the columns configuration from a private project they have no access to. This issue is fixed in version 2.27.2. | |||||
| CVE-2025-55675 | 1 Apache | 1 Superset | 2025-11-04 | N/A | 6.5 MEDIUM |
| Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue. | |||||
| CVE-2023-40430 | 1 Apple | 1 Macos | 2025-11-04 | N/A | 5.5 MEDIUM |
| A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. An app may be able to access removable volumes without user consent. | |||||
| CVE-2023-47166 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2025-11-04 | N/A | 8.8 HIGH |
| A firmware update vulnerability exists in the luci2-io file-import functionality of Milesight UR32L v32.3.0.7-r2. A specially crafted network request can lead to arbitrary firmware update. An attacker can send a network request to trigger this vulnerability. | |||||
| CVE-2024-30260 | 2 Fedoraproject, Nodejs | 2 Fedora, Undici | 2025-11-04 | N/A | 3.9 LOW |
| Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. | |||||
| CVE-2024-21179 | 1 Oracle | 1 Mysql Server | 2025-11-04 | N/A | 4.9 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | |||||
| CVE-2024-21166 | 1 Oracle | 1 Mysql | 2025-11-04 | N/A | 5.9 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H). | |||||
| CVE-2024-21159 | 1 Oracle | 1 Mysql | 2025-11-04 | N/A | 4.9 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | |||||
| CVE-2025-31249 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 7.1 HIGH |
| A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.5. An app may be able to access sensitive user data. | |||||
| CVE-2025-43231 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 5.5 MEDIUM |
| A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8. An app may be able to access user-sensitive data. | |||||
| CVE-2025-30373 | 1 Graylog | 1 Graylog | 2025-10-30 | N/A | 6.5 MEDIUM |
| Graylog is a free and open log management platform. Starting with 6.1, HTTP Inputs can be configured to check if a specified header is present and has a specified value to authenticate HTTP-based ingestion. Unfortunately, even though in cases of a missing header or a wrong value the correct HTTP response (401) is returned, the message will be ingested nonetheless. To mitigate the vulnerability, disable http-based inputs and allow only authenticated pull-based inputs. This vulnerability is fixed in 6.1.9. | |||||
| CVE-2024-47876 | 1 Sakailms | 1 Sakai | 2025-10-30 | N/A | 8.8 HIGH |
| Sakai is a Collaboration and Learning Environment. Starting in version 23.0 and prior to version 23.2, kernel users created with type roleview can log in as a normal user. This can result in illegal access being granted to the system. Version 23.3 fixes this vulnerability. | |||||
| CVE-2025-53106 | 1 Graylog | 1 Graylog | 2025-10-30 | N/A | 8.8 HIGH |
| Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID. For the attack to succeed, the attacker needs a user account in Graylog. They can then proceed to issue hand-crafted requests to the Graylog REST API and exploit a weak permission check for token creation. This issue has been patched in versions 6.2.4 and 6.3.0-rc.2. A workaround involves disabling the respective configuration found in System > Configuration > Users > "Allow users to create personal access tokens". | |||||
| CVE-2025-10759 | 1 Webkul | 1 Qloapps | 2025-10-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As We are already aware about this vulnerability and our Internal team are already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release." | |||||
| CVE-2025-22175 | 1 Atlassian | 1 Jira Align | 2025-10-27 | N/A | 5.4 MEDIUM |
| Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to modify the steps of another user's private checklist. | |||||
| CVE-2025-22168 | 1 Atlassian | 1 Jira Align | 2025-10-24 | N/A | 4.3 MEDIUM |
| Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read the steps of another user's private checklist. | |||||
| CVE-2025-22169 | 1 Atlassian | 1 Jira Align | 2025-10-24 | N/A | 5.4 MEDIUM |
| Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to subscribe to an item/object without having the expected permission level. | |||||
| CVE-2025-22171 | 1 Atlassian | 1 Jira Align | 2025-10-24 | N/A | 4.3 MEDIUM |
| Jira Align is vulnerable to an authorization issue. A low-privilege user is able to alter the private checklists of other users. | |||||
| CVE-2025-22170 | 1 Atlassian | 1 Jira Align | 2025-10-24 | N/A | 4.3 MEDIUM |
| Jira Align is vulnerable to an authorization issue. A low-privilege user without sufficient privileges to perform an action could if they included a particular state-related parameter of a user with sufficient privileges to perform the action. | |||||