Total
3738 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-0663 | 1 Wso2 | 3 Identity Server, Identity Server As Key Manager, Open Banking Iam | 2025-10-06 | N/A | 6.8 MEDIUM |
| A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants. Because the Auto-Login feature is enabled by default, this flaw may allow an attacker to gain unauthorized access and potentially take over accounts in other tenants. Successful exploitation requires access to Adaptive Authentication functionality, which is typically restricted to high-privileged users. The vulnerability is only exploitable when Auto-Login is enabled, reducing its practical impact in deployments where the feature is disabled. | |||||
| CVE-2025-0672 | 1 Wso2 | 3 Identity Server, Identity Server As Key Manager, Open Banking Iam | 2025-10-03 | N/A | 3.3 LOW |
| An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication. | |||||
| CVE-2024-42462 | 1 Upkeeper | 1 Upkeeper Manager | 2025-10-03 | N/A | 9.8 CRITICAL |
| Improper Authentication vulnerability in upKeeper Solutions product upKeeper Manager allows Authentication Bypass.This issue affects upKeeper Manager: through 5.1.9. | |||||
| CVE-2025-6044 | 1 Google | 1 Chrome Os | 2025-10-03 | N/A | 6.1 MEDIUM |
| An Improper Access Control vulnerability in the Stylus Tools component of Google ChromeOS version 16238.64.0 on the garaged stylus devices allows a physical attacker to bypass the lock screen and access user files by removing the stylus while the device is closed and using the screen capture feature. | |||||
| CVE-2025-5512 | 1 Quequnlong | 1 Shiyi-blog | 2025-10-03 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability, which was classified as critical, was found in quequnlong shiyi-blog up to 1.2.1. Affected is an unknown function of the file /api/sys/user/verifyPassword/ of the component Administrator Backend. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-41064 | 2025-10-02 | N/A | N/A | ||
| Incorrect authentication vulnerability in OpenSIAC, which could allow an attacker to impersonate a person using Cl@ve as an authentication method. | |||||
| CVE-2025-6505 | 2 Linux, Progress | 2 Linux Kernel, Hybrid Data Pipeline | 2025-10-02 | N/A | 8.1 HIGH |
| Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access. When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters. | |||||
| CVE-2025-54918 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-10-02 | N/A | 8.8 HIGH |
| Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2025-6533 | 1 Xxyopen | 1 Novel-plus | 2025-10-01 | 5.1 MEDIUM | 5.6 MEDIUM |
| A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA Handler. The manipulation leads to authentication bypass by capture-replay. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-47790 | 1 Nextcloud | 1 Nextcloud Server | 2025-09-30 | N/A | 6.4 MEDIUM |
| Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug with session handling. The bug caused skipping the second factor confirmation after a successful login with the username and password when the server was configured with `remember_login_cookie_lifetime` set to `0`, once the session expired on the page to select the second factor and the page is reloaded. Nextcloud Server 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server is upgraded to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9 and 31.0.3 contain a patch. As a workaround, set the `remember_login_cookie_lifetime` in config.php to a value other than `0`, e.g. `900`. Beware that this is only a workaround for new sessions created after the configuration change. System administration can delete affected sessions. | |||||
| CVE-2025-1723 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2025-09-30 | N/A | 8.1 HIGH |
| Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug. | |||||
| CVE-2025-11130 | 2025-09-29 | 7.2 HIGH | 8.4 HIGH | ||
| A weakness has been identified in iHongRen pptp-vpn 1.0/1.0.1 on macOS. This issue affects the function shouldAcceptNewConnection of the file HelpTool/HelperTool.m of the component XPC Service. This manipulation causes missing authentication. The attack can only be executed locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-59934 | 2025-09-29 | N/A | 9.4 CRITICAL | ||
| Formbricks is an open source qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. This vulnerability stems from a token validation routine that only decodes JWTs (jwt.decode) without verifying their signatures. Both the email verification token login path and the password reset server action use the same validator, which does not check the token’s signature, expiration, issuer, or audience. If an attacker learns the victim’s actual user.id, they can craft an arbitrary JWT with an alg: "none" header and use it to authenticate and reset the victim’s password. This issue has been patched in version 4.0.1. | |||||
| CVE-2025-56752 | 1 Ruijie | 40 Rg-es205gc, Rg-es205gc-p, Rg-es205gc-p Firmware and 37 more | 2025-09-29 | N/A | 9.4 CRITICAL |
| A vulnerability in the Ruijie RG-ES series switch firmware ESW_1.0(1)B1P39 enables remote attackers to fully bypass authentication mechanisms, providing them with unrestricted access to alter administrative settings and potentially seize control of affected devices via crafted HTTP POST request to /user.cgi. | |||||
| CVE-2024-27275 | 1 Ibm | 1 I | 2025-09-29 | N/A | 7.4 HIGH |
| IBM i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability caused by an insufficient authority requirement. A local user without administrator privilege can configure a physical file trigger to execute with the privileges of a user socially engineered to access the target file. The correction is to require administrator privilege to configure trigger support. | |||||
| CVE-2025-58443 | 1 Fogproject | 1 Fogproject | 2025-09-29 | N/A | 9.1 CRITICAL |
| FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1673 and below contain an authentication bypass vulnerability. It is possible for an attacker to perform an unauthenticated DB dump where they could pull a full SQL DB without credentials. A fix is expected to be released 9/15/2025. To address this vulnerability immediately, upgrade to the latest version of either the dev-branch or working-1.6 branch. This will patch the issue for users concerned about immediate exposure. See the FOG Project documentation for step-by-step upgrade instructions: https://docs.fogproject.org/en/latest/install-fog-server#choosing-a-fog-version. | |||||
| CVE-2024-9133 | 1 Arista | 1 Ng Firewall | 2025-09-29 | N/A | 6.6 MEDIUM |
| A user with administrator privileges is able to retrieve authentication tokens | |||||
| CVE-2025-31478 | 1 Zulip | 1 Zulip Server | 2025-09-27 | N/A | 8.2 HIGH |
| Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign on authentication backend, meaning the organization places no restrictions on email address domains or invitations being required to join, but has disabled the EmailAuthBackend that is used for email/password authentication. A bug in the Zulip server means that it is possible to create an account in such organizations, without having an account with the configured SSO authentication backend. This issue is patched in version 10.2. A workaround includes requiring invitations to join the organization prevents the vulnerability from being accessed. | |||||
| CVE-2024-36266 | 1 Siemens | 1 Powersys | 2025-09-26 | N/A | 9.3 CRITICAL |
| A vulnerability has been identified in PowerSys (All versions < V3.11). The affected application insufficiently protects responses to authentication requests. This could allow a local attacker to bypass authentication, thereby gaining administrative privileges for the managed remote devices. | |||||
| CVE-2024-37313 | 1 Nextcloud | 1 Nextcloud Server | 2025-09-26 | N/A | 7.3 HIGH |
| Nextcloud server is a self hosted personal cloud system. Under some circumstance it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4. | |||||