Total: 24 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-35638 | 1 Openclaw | 1 Openclaw | 2026-04-15 | N/A | 8.8 HIGH |
| OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements. | |||||
| CVE-2022-35503 | | | 2026-04-15 | N/A | 7.5 HIGH |
| Improper verification of user input in Open Source MANO v7 through v12 allows an authenticated attacker to execute arbitrary code within the LCM module container via a Virtual Network Function (VNF) descriptor. An attacker may be able to execute code to change the normal execution of the OSM components, retrieve confidential information, or gain access to other parts of a telco operator's infrastructure beyond OSM itself. | |||||
| CVE-2024-48853 | | | 2026-04-15 | N/A | 9.0 CRITICAL |
| An escalation of privilege vulnerability in ASPECT could give an attacker root access to a server when logged in as a non-root ASPECT user. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. | |||||
| CVE-2021-26262 | 1 Philips | 4 Mri 1.5t, Mri 1.5t Firmware, Mri 3t and 1 more | 2026-04-02 | 5.0 MEDIUM | 5.5 MEDIUM |
| Philips MRI 1.5T and MRI 3T Version 5.3 through 5.8.1 does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. | |||||
| CVE-2025-64725 | 1 Weblate | 1 Weblate | 2025-12-18 | N/A | 9.8 CRITICAL |
| Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving a Weblate session with an open invitation unattended. | |||||
| CVE-2025-63563 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-11-05 | N/A | 6.5 MEDIUM |
| Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password. | |||||
| CVE-2025-7972 | 1 Rockwellautomation | 1 Factorytalk Linx | 2025-10-29 | N/A | 9.1 CRITICAL |
| A security issue exists within the FactoryTalk Linx Network Browser. By setting process.env.NODE_ENV to 'development', an attacker can disable FTSP token validation. This bypass allows access to create, update, and delete FTLinx drivers. | |||||
| CVE-2025-59943 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-10-10 | N/A | 8.1 HIGH |
| phpMyFAQ is an open source FAQ web application. Versions 4.0-nightly-2025-10-03 and below do not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause account ambiguity and, in certain configurations, may lead to privilege escalation or account takeover. This issue is fixed in version 4.0.13. | |||||
| CVE-2024-9312 | 1 Canonical | 1 Authd | 2025-08-26 | N/A | 7.5 HIGH |
| Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges. | |||||
| CVE-2024-6356 | 1 Gitlab | 1 Gitlab | 2025-08-06 | N/A | 4.4 MEDIUM |
| An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot. | |||||
| CVE-2024-13041 | 1 Gitlab | 1 Gitlab | 2025-08-05 | N/A | 4.2 MEDIUM |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. When a user is created via the SAML provider, the external groups setting overrides the external provider configuration. As a result, the user may not be marked as external thereby giving those users access to internal projects or groups. | |||||
| CVE-2024-58105 | 1 Trendmicro | 1 Apex One | 2025-08-01 | N/A | 7.3 HIGH |
| A vulnerability in the Trend Micro Apex One Security Agent Plug-in User Interface Manager could allow a local attacker to bypass existing security and execute arbitrary code on affected installations. This CVE addresses an additional bypass not covered by CVE-2024-58104. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2024-27269 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2025-07-25 | N/A | 6.8 MEDIUM |
| IBM QRadar SIEM 7.5 could allow a privileged user to configure user management in a way that discloses unintended sensitive information across tenants. IBM X-Force ID: 284575. | |||||
| CVE-2024-46671 | 1 Fortinet | 1 Fortiweb | 2025-07-24 | N/A | 6.2 MEDIUM |
| An Incorrect User Management vulnerability [CWE-286] in the widgets dashboard of FortiWeb versions 7.6.2 and below, 7.4.6 and below, 7.2.10 and below, and 7.0.11 and below may allow an authenticated attacker with at least read-only admin permission to perform operations on the dashboards of other administrators via crafted requests. | |||||
| CVE-2024-52359 | 1 Ibm | 1 Concert | 2025-07-18 | N/A | 4.3 MEDIUM |
| IBM Concert Software 1.0.0, 1.0.1, 1.0.2, and 1.0.2.1 could allow an authenticated user to perform unauthorized actions that should be reserved for administrators, due to improper access controls. | |||||
| CVE-2024-29296 | 1 Portainer | 1 Portainer | 2025-06-05 | N/A | 5.3 MEDIUM |
| A user enumeration vulnerability was found in Portainer CE 2.19.4. The issue occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine whether a username is valid. | |||||
| CVE-2023-3907 | 1 Gitlab | 1 Gitlab | 2025-05-05 | N/A | 4.9 MEDIUM |
| A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner. | |||||
| CVE-2023-26689 | 1 Cs-cart | 1 Cs-cart Multivendor | 2025-04-24 | N/A | 9.8 CRITICAL |
| An issue discovered in CS-Cart MultiVendor 4.16.1 allows attackers to alter arbitrary user account profiles via a crafted POST request. | |||||
| CVE-2024-45425 | | | 2025-02-25 | N/A | 4.9 MEDIUM |
| Incorrect user management in some Zoom Workplace Apps may allow a privileged user to conduct an information disclosure via network access. | |||||
| CVE-2024-28020 | 1 Hitachienergy | 2 Foxman-un, Unem | 2024-11-21 | N/A | 8.0 HIGH |
| A user/password reuse vulnerability exists in the FOXMAN-UN/UNEM application and server management. If exploited, a malicious high-privileged user could use the passwords and login information, through complex routines, to extend access on the server and to other services. | |||||
