Total: 909 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-53944 | 1 Agpt | 1 Autogpt Platform | 2025-08-05 | N/A | 7.7 HIGH |
| AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents. In v0.6.15 and below, the external API's get_graph_execution_results endpoint has an authorization bypass vulnerability. While it correctly validates user access to the graph_id, it fails to verify ownership of the graph_exec_id parameter, allowing authenticated users to access any execution results by providing arbitrary execution IDs. The internal API implements proper validation for both parameters. This is fixed in v0.6.16. | |||||
| CVE-2024-56320 | 1 Thoughtworks | 1 Gocd | 2025-08-01 | N/A | 8.8 HIGH |
| GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature and its associated API. A malicious insider or existing authenticated GoCD user could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to those of a GoCD admin in a persistent manner. It is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediately upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to a more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account. | |||||
| CVE-2025-54585 | 1 Finos | 1 Gitproxy | 2025-08-01 | N/A | 6.5 MEDIUM |
| GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. The vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does, however, require a GitProxy administrator or designated user (canUserApproveRejectPush) to approve pushes to the child branch. This is fixed in version 1.19.2. | |||||
| CVE-2025-29778 | 1 Kyverno | 1 Kyverno | 2025-08-01 | N/A | 5.8 MEDIUM |
| Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying an artifact's signature in keyless mode. This allows an attacker to deploy Kubernetes resources with artifacts that were signed by an unexpected certificate. Deploying these unauthorized Kubernetes resources can lead to full compromise of the Kubernetes cluster. Version 1.14.0-alpha.1 contains a patch for the issue. | |||||
| CVE-2020-3539 | 1 Cisco | 1 Prime Data Center Network Manager | 2025-07-31 | N/A | 6.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. The vulnerability is due to a failure to limit access to resources that are intended for users with Administrator privileges. An attacker could exploit this vulnerability by convincing a user to click a malicious URL. A successful exploit could allow a low-privileged attacker to list, view, create, edit, and delete templates in the same manner as a user with Administrator privileges. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | |||||
| CVE-2025-1007 | 1 Eclipse | 1 Open Vsx | 2025-07-31 | N/A | 5.3 MEDIUM |
| In OpenVSX versions v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issue existed in /user/namespace/{namespace}/details/logo and allowed a user to change the logo. | |||||
| CVE-2025-50073 | 1 Oracle | 1 Weblogic Server | 2025-07-24 | N/A | 6.1 MEDIUM |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2025-2653 | 1 Qianfox | 1 Foxcms | 2025-07-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in FoxCMS 1.25 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-12901 | 1 Qianfox | 1 Foxcms | 2025-07-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability classified as critical was found in FoxCMS up to 1.2. Affected by this vulnerability is an unknown functionality of the file /app/api/controller/Site.php of the component API Endpoint. The manipulation of the argument password leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-49701 | 1 Microsoft | 1 Sharepoint Server | 2025-07-15 | N/A | 8.8 HIGH |
| Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||
| CVE-2025-2359 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2025-07-15 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical has been found in D-Link DIR-823G 1.0.2B05_20181207. Affected is the function SetDDNSSettings of the file /HNAP1/ of the component DDNS Service. The manipulation of the argument SOAPAction leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-2360 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2025-07-15 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical was found in D-Link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is the function SetUpnpSettings of the file /HNAP1/ of the component UPnP Service. The manipulation of the argument SOAPAction leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-28131 | 1 Nagios | 1 Network Analyzer | 2025-07-11 | N/A | 4.6 MEDIUM |
| A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability. | |||||
| CVE-2025-29794 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2025-07-09 | N/A | 8.8 HIGH |
| Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||
| CVE-2025-20264 | 1 Cisco | 1 Identity Services Engine | 2025-07-08 | N/A | 6.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions. This vulnerability is due to insufficient authorization enforcement mechanisms for users created by SAML SSO integration with an external identity provider. An attacker could exploit this vulnerability by submitting a series of specific commands to an affected device. A successful exploit could allow the attacker to modify a limited number of system settings, including some that would result in a system restart. In single-node Cisco ISE deployments, devices that are not authenticated to the network will not be able to authenticate until the Cisco ISE system comes back online. | |||||
| CVE-2025-24053 | 1 Microsoft | 1 Dataverse | 2025-07-03 | N/A | 7.2 HIGH |
| Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2025-26683 | 1 Microsoft | 1 Azure Playwright | 2025-07-03 | N/A | 8.1 HIGH |
| Improper authorization in Azure Playwright allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2025-2528 | 1 Devolutions | 1 Remote Desktop Manager | 2025-07-02 | N/A | 3.6 LOW |
| Improper authorization in application password policy in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a configuration different from the one mandated by the system administrators. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29. | |||||
| CVE-2018-14670 | 1 Clickhouse | 1 Clickhouse | 2025-06-25 | 7.5 HIGH | 9.8 CRITICAL |
| Incorrect configuration in the deb package of ClickHouse before 1.1.54131 could lead to unauthorized use of the database. | |||||
| CVE-2025-27399 | 1 Joinmastodon | 1 Mastodon | 2025-06-24 | N/A | 5.3 MEDIUM |
| Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins that do not want their domain blocks to be public are impacted. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue. | |||||
