Total
4192 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-20160 | 2026-06-17 | N/A | 8.1 HIGH | ||
| A vulnerability in the implementation of the TACACS+ protocol in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to view sensitive data or bypass authentication. This vulnerability exists because the system does not properly check whether the required TACACS+ shared secret is configured. A machine-in-the-middle attacker could exploit this vulnerability by intercepting and reading unencrypted TACACS+ messages or impersonating the TACACS+ server and falsely accepting arbitrary authentication requests. A successful exploit could allow the attacker to view sensitive information in a TACACS+ message or bypass authentication and gain access to the affected device. | |||||
| CVE-2025-20083 | 2026-06-17 | N/A | 7.5 HIGH | ||
| Improper authentication in the firmware for the Intel(R) Slim Bootloader may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2025-1880 | 1 I-drive | 4 I11, I11 Firmware, I12 and 1 more | 2026-06-17 | 1.2 LOW | 2.0 LOW |
| A vulnerability was found in i-Drive i11 and i12 up to 20250227. It has been classified as problematic. Affected is an unknown function of the component Device Pairing. The manipulation leads to authentication bypass by primary weakness. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitability is told to be difficult. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life. | |||||
| CVE-2025-1723 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2026-06-17 | N/A | 8.1 HIGH |
| Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug. | |||||
| CVE-2025-1475 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled. | |||||
| CVE-2025-1231 | 1 Devolutions | 1 Devolutions Server | 2026-06-17 | N/A | 5.4 MEDIUM |
| Improper password reset in PAM Module in Devolutions Server 2024.3.10.0 and earlier allows an authenticated user to reuse the oracle user password after check-in due to crash in the password reset functionality. | |||||
| CVE-2025-1104 | 1 Dlink | 2 Dhp-w310av, Dhp-w310av Firmware | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in D-Link DHP-W310AV 1.04 and classified as critical. This vulnerability affects unknown code. The manipulation leads to authentication bypass by spoofing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-1044 | 1 Logsign | 1 Unified Secops Platform | 2026-06-17 | N/A | 9.8 CRITICAL |
| Logsign Unified SecOps Platform Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web service, which listens on TCP port 443 by default. The issue results from the lack of proper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25336. | |||||
| CVE-2025-1024 | 1 Churchcrm | 1 Churchcrm | 2026-06-17 | N/A | 4.8 MEDIUM |
| A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to steal session cookies, perform actions on behalf of an authenticated user, and gain unauthorized access to the application. | |||||
| CVE-2025-15586 | 2026-06-17 | N/A | N/A | ||
| OGP-Website installs prior git commit 52f865a4fba763594453068acf8fa9e3fc38d663 are affected by a type juggling flaw which if exploited can result in authentication bypass without knowledge of the victim account's password. | |||||
| CVE-2025-15581 | 2026-06-17 | N/A | N/A | ||
| Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access. | |||||
| CVE-2025-15484 | 2026-06-17 | N/A | 9.1 CRITICAL | ||
| The Order Notification for WooCommerce WordPress plugin before 3.6.3 overrides WooCommerce's permission checks to grant full access to all unauthenticated requests, enabling complete read/write access to store resources like products, coupons, and customers. | |||||
| CVE-2025-15458 | 1 1234n | 1 Minicms | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was determined in bg5sbk MiniCMS up to 1.8. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. Executing a manipulation can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15457 | 1 1234n | 1 Minicms | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in bg5sbk MiniCMS up to 1.8. The impacted element is an unknown function of the file /minicms/mc-admin/post.php of the component Trash File Restore Handler. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15456 | 1 1234n | 1 Minicms | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in bg5sbk MiniCMS up to 1.8. The affected element is an unknown function of the file /mc-admin/page-edit.php of the component Publish Page Handler. Such manipulation leads to improper authentication. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15455 | 1 1234n | 1 Minicms | 2026-06-17 | 6.4 MEDIUM | 6.5 MEDIUM |
| A flaw has been found in bg5sbk MiniCMS up to 1.8. Impacted is the function delete_page of the file /minicms/mc-admin/page.php of the component File Recovery Request Handler. This manipulation causes improper authentication. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-15346 | 2026-06-17 | N/A | N/A | ||
| A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced. Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided. This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake. The issue affects versions up to and including 5.8.2. | |||||
| CVE-2025-15224 | 1 Haxx | 1 Curl | 2026-06-17 | N/A | 3.1 LOW |
| When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. | |||||
| CVE-2025-15135 | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 4.0.0 will fix this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-15099 | 1 Sim | 1 Sim | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue. | |||||
