Total
4191 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-62376 | 2026-06-17 | N/A | N/A | ||
| pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit 467db0b9ea0d9a929dc89b41f6eb59f7cfc68bef, the /workspace endpoint contains an improper authentication vulnerability that allows an attacker to access any active Windows VM without proper authorization. The vulnerability occurs in the view_desktop function where the user is retrieved via a URL parameter without verifying that the requester has administrative privileges. An attacker can supply any user ID and arbitrary password in the request parameters to impersonate another user. When requesting a Windows desktop service, the function does not validate the supplied password before generating access credentials, allowing the attacker to obtain an iframe source URL that grants full access to the target user's Windows VM. This impacts all users with active Windows VMs, as an attacker can access and modify data on the Windows machine and in the home directory of the associated Linux machine via the Z: drive. This issue has been patched in commit 467db0b9ea0d9a929dc89b41f6eb59f7cfc68bef. No known workarounds exist. | |||||
| CVE-2025-62349 | 2026-06-17 | N/A | 6.2 MEDIUM | ||
| Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues. | |||||
| CVE-2025-62169 | 2026-06-17 | N/A | 8.1 HIGH | ||
| OctoPrint-SpoolManager is a plugin for managing spools and all their usage metadata. In versions 1.8.0a2 and older of the testing branch and versions 1.7.7 and older of the stable branch, the APIs of the OctoPrint-SpoolManager plugin do not correctly enforce authentication or authorization checks. This issue has been patched in versions 1.8.0a3 of the testing branch and 1.7.8 of the stable branch. The impact of this vulnerability is greatly reduced when using OctoPrint version 1.11.2 and newer. | |||||
| CVE-2025-61922 | 1 Prestashop | 1 Prestashop Checkout | 2026-06-17 | N/A | 9.1 CRITICAL |
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | |||||
| CVE-2025-61884 | 1 Oracle | 1 Configurator | 2026-06-17 | N/A | 7.5 HIGH |
| Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2025-61882 | 1 Oracle | 1 Concurrent Processing | 2026-06-17 | N/A | 9.8 CRITICAL |
| Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2025-61679 | 2026-06-17 | N/A | 7.7 HIGH | ||
| Anyquery is an SQL query engine built on top of SQLite. Versions 0.4.3 and below allow attackers who have already gained access to localhost, even with low privileges, to use the http server through the port unauthenticated, and access private integration data like emails, without any warning of a foreign login from the provider. This issue is fixed in version 0.4.4. | |||||
| CVE-2025-61665 | 1 Wegia | 1 Wegia | 2026-06-17 | N/A | 7.5 HIGH |
| WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Broken Access Control vulnerability, identified in the get_relatorios_socios.php endpoint. This vulnerability allows unauthenticated attackers to directly access sensitive personal and financial information of members without requiring authentication or authorization. This issue is fixed in version 3.5.0. | |||||
| CVE-2025-60772 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| Improper authentication in the web-based management interface of NETLINK HG322G V1.0.00-231017, allows a remote unauthenticated attacker to escalate privileges and lock out the legitimate administrator via crafted HTTP requests. | |||||
| CVE-2025-60534 | 1 Blueaccesstech | 1 Cobalt X1 | 2026-06-17 | N/A | 9.8 CRITICAL |
| Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker to selectively proxy requests in order to operate functionality on the web application without the need to authenticate with legitimate credentials. | |||||
| CVE-2025-60424 | 1 Nagios | 1 Fusion | 2026-06-17 | N/A | 7.6 HIGH |
| A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication via a bruteforce attack. | |||||
| CVE-2025-60306 | 1 Code-projects | 1 Simple Car Rental System | 2026-06-17 | N/A | 9.9 CRITICAL |
| code-projects Simple Car Rental System 1.0 has a permission bypass issue where low privilege users can forge high privilege sessions and perform sensitive operations. | |||||
| CVE-2025-5985 | 1 Fabian | 1 School Fees Payment System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in code-projects School Fees Payment System 1.0 and classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to improper authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-5906 | 1 Code-projects | 1 Laundry System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical has been found in code-projects Laundry System 1.0. This affects an unknown part of the file /data/. The manipulation leads to missing authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-5876 | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability classified as problematic was found in Lucky LM-520-SC, LM-520-FSC and LM-520-FSC-SAM up to 20250321. Affected by this vulnerability is an unknown functionality. The manipulation leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-5872 | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in eGauge EG3000 Energy Monitor 3.6.3. It has been classified as problematic. This affects an unknown part of the component Setting Handler. The manipulation leads to missing authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-5871 | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in Papendorf SOL Connect Center 3.3.0.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to missing authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-5870 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in TRENDnet TV-IP121W 1.1.1 Build 36 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/setup.cgi of the component Web Interface. The manipulation leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-5597 | 2026-06-17 | N/A | N/A | ||
| Improper Authentication vulnerability in WF Steuerungstechnik GmbH airleader MASTER allows Authentication Bypass.This issue affects airleader MASTER: 3.00571. | |||||
| CVE-2025-5512 | 1 Quequnlong | 1 Shiyi-blog | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability, which was classified as critical, was found in quequnlong shiyi-blog up to 1.2.1. Affected is an unknown function of the file /api/sys/user/verifyPassword/ of the component Administrator Backend. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
