Total: 572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-30373 | 1 Graylog | 1 Graylog | 2025-10-30 | N/A | 6.5 MEDIUM | Graylog is a free and open log management platform. Starting with 6.1, HTTP Inputs can be configured to check that a specified header is present and has a specified value in order to authenticate HTTP-based ingestion. Even though the correct HTTP response (401) is returned when the header is missing or has the wrong value, the message is ingested nonetheless. To mitigate the vulnerability, disable HTTP-based inputs and allow only authenticated pull-based inputs. This vulnerability is fixed in 6.1.9. |
| CVE-2024-47876 | 1 Sakailms | 1 Sakai | 2025-10-30 | N/A | 8.8 HIGH | Sakai is a Collaboration and Learning Environment. Starting in version 23.0 and prior to version 23.2, kernel users created with type roleview can log in as a normal user. This can result in illegal access being granted to the system. Version 23.3 fixes this vulnerability. |
| CVE-2025-53106 | 1 Graylog | 1 Graylog | 2025-10-30 | N/A | 8.8 HIGH | Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user whose ID the malicious user knows. For the attack to succeed, the attacker needs a user account in Graylog. They can then issue hand-crafted requests to the Graylog REST API and exploit a weak permission check for token creation. This issue has been patched in versions 6.2.4 and 6.3.0-rc.2. A workaround involves disabling the respective configuration found in System > Configuration > Users > "Allow users to create personal access tokens". |
| CVE-2025-12304 | | | 2025-10-30 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability has been found in dulaiduwang003 TIME-SEA-PLUS up to fb299162f18498dd9cf17da906886d80a077d53b. This affects the function alipayIsSucceed of the file PayController.java of the component Order Status Handler. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-12288 | | | 2025-10-30 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability was detected in Bdtask Pharmacy Management System up to 9.4. Affected is an unknown function of the file /user/edit_user/ of the component User Profile Handler. Performing manipulation results in authorization bypass. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-10759 | 1 Webkul | 1 Qloapps | 2025-10-30 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorization bypass. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "As We are already aware about this vulnerability and our Internal team are already working on this issue. (...) We'll implement the fix for this vulnerability in our next major release." |
| CVE-2025-59686 | | | 2025-10-28 | N/A | 6.5 MEDIUM | Kazaar 1.25.12 allows /api/v1/org-id/orders/order-id/documents calls with a modified order-id. |
| CVE-2025-22175 | 1 Atlassian | 1 Jira Align | 2025-10-27 | N/A | 5.4 MEDIUM | Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to modify the steps of another user's private checklist. |
| CVE-2025-10902 | | | 2025-10-27 | N/A | 4.3 MEDIUM | The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data. |
| CVE-2025-11244 | | | 2025-10-27 | N/A | 3.7 LOW | The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, provided the "Use transients" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers. |
| CVE-2025-6639 | | | 2025-10-27 | N/A | 5.4 MEDIUM | The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user-controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students. |
| CVE-2025-11879 | | | 2025-10-27 | N/A | 6.5 MEDIUM | The GenerateBlocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_option_rest' function in all versions up to, and including, 2.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary WordPress options, including sensitive information such as SMTP credentials, API keys, and other data stored by other plugins. |
| CVE-2025-12005 | | | 2025-10-27 | N/A | 4.3 MEDIUM | The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify sensitive plugin options. |
| CVE-2025-22168 | 1 Atlassian | 1 Jira Align | 2025-10-24 | N/A | 4.3 MEDIUM | Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read the steps of another user's private checklist. |
| CVE-2025-22169 | 1 Atlassian | 1 Jira Align | 2025-10-24 | N/A | 5.4 MEDIUM | Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to subscribe to an item/object without having the expected permission level. |
| CVE-2025-22171 | 1 Atlassian | 1 Jira Align | 2025-10-24 | N/A | 4.3 MEDIUM | Jira Align is vulnerable to an authorization issue. A low-privilege user is able to alter the private checklists of other users. |
| CVE-2025-22170 | 1 Atlassian | 1 Jira Align | 2025-10-24 | N/A | 4.3 MEDIUM | Jira Align is vulnerable to an authorization issue. A low-privilege user without sufficient privileges to perform an action could do so if they included a particular state-related parameter of a user with sufficient privileges to perform the action. |
| CVE-2025-22172 | 1 Atlassian | 1 Jira Align | 2025-10-24 | N/A | 4.3 MEDIUM | Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read external reports without the required permission. |
| CVE-2025-22173 | 1 Atlassian | 1 Jira Align | 2025-10-24 | N/A | 4.3 MEDIUM | Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view certain sprint data without the required permission. |
| CVE-2025-22174 | 1 Atlassian | 1 Jira Align | 2025-10-24 | N/A | 4.3 MEDIUM | Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view portfolio rooms without the required permission. |
