Total
4201 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-38139 | 1 Microsoft | 1 Dataverse | 2026-06-17 | N/A | 8.7 HIGH |
| Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2024-38124 | 1 Microsoft | 6 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 3 more | 2026-06-17 | N/A | 9.0 CRITICAL |
| Windows Netlogon Elevation of Privilege Vulnerability | |||||
| CVE-2024-38099 | 1 Microsoft | 6 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 3 more | 2026-06-17 | N/A | 5.9 MEDIUM |
| Windows Remote Desktop Licensing Service Denial of Service Vulnerability | |||||
| CVE-2024-37897 | 2026-06-17 | N/A | 5.4 MEDIUM | ||
| SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability. | |||||
| CVE-2024-37893 | 2026-06-17 | N/A | 5.9 MEDIUM | ||
| Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password. This problem has been patched in Firefly III v6.1.17 and up. Users are advised to upgrade. Users unable to upgrade should Use a unique password for their Firefly III instance and store their password securely, i.e. in a password manager. | |||||
| CVE-2024-37408 | 2026-06-17 | N/A | 7.3 HIGH | ||
| fprintd through 1.94.3 lacks a security attention mechanism, and thus unexpected actions might be authorized by "auth sufficient pam_fprintd.so" for Sudo. NOTE: the supplier disputes this because they believe issue resolution would involve modifying the PAM configuration to restrict pam_fprintd.so to front-ends that implement a proper attention mechanism, not modifying pam_fprintd.so or fprintd. | |||||
| CVE-2024-37368 | 1 Rockwellautomation | 1 Factorytalk View | 2026-06-17 | N/A | 7.5 HIGH |
| A user authentication vulnerability exists in the Rockwell Automation FactoryTalk® View SE. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. Due to the lack of proper authentication, this action is allowed without proper authentication verification. | |||||
| CVE-2024-37367 | 1 Rockwellautomation | 1 Factorytalk View | 2026-06-17 | N/A | 7.5 HIGH |
| A user authentication vulnerability exists in the Rockwell Automation FactoryTalk® View SE v12. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. This action is allowed without proper authentication verification. | |||||
| CVE-2024-37313 | 1 Nextcloud | 1 Nextcloud Server | 2026-06-17 | N/A | 7.3 HIGH |
| Nextcloud server is a self hosted personal cloud system. Under some circumstance it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4. | |||||
| CVE-2024-37233 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Improper Authentication vulnerability in Play.Ht allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Play.Ht: from n/a through 3.6.4. | |||||
| CVE-2024-37152 | 1 Argoproj | 1 Argo Cd | 2026-06-17 | N/A | 5.3 MEDIUM |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17. | |||||
| CVE-2024-37085 | 1 Vmware | 2 Cloud Foundation, Esxi | 2026-06-17 | N/A | 6.8 MEDIUM |
| VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD. | |||||
| CVE-2024-37028 | 1 F5 | 1 Big-ip Next Central Manager | 2026-06-17 | N/A | 5.3 MEDIUM |
| BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2024-37019 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| Northern.tech Mender Enterprise before 3.6.4 and 3.7.x before 3.7.4 has Weak Authentication. | |||||
| CVE-2024-36444 | 2026-06-17 | N/A | 8.1 HIGH | ||
| cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an unauthenticated attacker to gain access to device logs. | |||||
| CVE-2024-36402 | 1 T2bot | 1 Matrix-media-repo | 2026-06-17 | N/A | 5.3 MEDIUM |
| Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR before version 1.3.5 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. MMR 1.3.5 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector. Though extremely limited, server operators can use more strict rate limits based on IP address as a partial workaround. | |||||
| CVE-2024-36266 | 1 Siemens | 1 Powersys | 2026-06-17 | N/A | 9.3 CRITICAL |
| A vulnerability has been identified in PowerSys (All versions < V3.11). The affected application insufficiently protects responses to authentication requests. This could allow a local attacker to bypass authentication, thereby gaining administrative privileges for the managed remote devices. | |||||
| CVE-2024-36264 | 1 Apache | 1 Submarine | 2026-06-17 | N/A | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. If the user doesn't explicitly set `submarine.auth.default.secret`, a default value will be used. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-36132 | 1 Ivanti | 1 Endpoint Manager Mobile | 2026-06-17 | N/A | 7.5 HIGH |
| Insufficient verification of authentication controls in EPMM prior to 12.1.0.1 allows a remote attacker to bypass authentication and access sensitive resources. | |||||
| CVE-2024-36130 | 1 Ivanti | 1 Endpoint Manager Mobile | 2026-06-17 | N/A | 9.8 CRITICAL |
| An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1 allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the appliance. | |||||
