Total
1983 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-12847 | 1 Netgear | 2 Dgn1000, Dgn1000 Firmware | 2025-12-19 | N/A | 9.8 CRITICAL |
| NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been observed to be exploited in the wild since at least 2017 and specifically by the Shadowserver Foundation on 2025-02-06 UTC. | |||||
| CVE-2023-53771 | 1 Minidvblinux | 1 Minidvblinux | 2025-12-19 | N/A | 9.8 CRITICAL |
| MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication. Attackers can send crafted POST requests to the system setup endpoint with modified SYSTEM_PASSWORD parameters to reset root credentials. | |||||
| CVE-2023-53773 | 1 Minidvblinux | 1 Minidvblinux | 2025-12-19 | N/A | 5.3 MEDIUM |
| MiniDVBLinux 5.4 contains an unauthenticated vulnerability in the tv_action.sh script that allows remote attackers to generate live stream snapshots through the Simple VDR Protocol. Attackers can request /tpl/tv_action.sh to create and retrieve a live TV screenshot stored in /var/www/images/tv.jpg without authentication. | |||||
| CVE-2023-53774 | 1 Minidvblinux | 1 Minidvblinux | 2025-12-19 | N/A | 9.8 CRITICAL |
| MiniDVBLinux 5.4 contains a remote code execution vulnerability in the SVDRP protocol that allows remote attackers to send commands to manipulate TV systems. Attackers can send crafted SVDRP commands through the svdrpsend.sh script to execute messages and potentially control the video disk recorder remotely. | |||||
| CVE-2025-34434 | 1 Wwbn | 1 Avideo | 2025-12-19 | N/A | 9.1 CRITICAL |
| AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video. | |||||
| CVE-2025-65007 | 2025-12-19 | N/A | N/A | ||
| In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) due to lack of authentication in the configuration change module in the adm.cgi endpoint, the unauthenticated attacker can execute commands including backup creation, device restart and resetting the device to factory settings. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2025-65010 | 2025-12-19 | N/A | N/A | ||
| WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) is vulnerable to Broken Access Control in initial configuration wizard.cgi endpoint. Malicious attacker can change admin panel password without authorization. The vulnerability can also be exploited after the initial configuration has been set. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2025-43428 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-12-18 | N/A | 9.8 CRITICAL |
| A configuration issue was addressed with additional restrictions. This issue is fixed in visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Photos in the Hidden Photos Album may be viewed without authentication. | |||||
| CVE-2020-36894 | 1 Eibiz | 1 I-media Server Digital Signage | 2025-12-17 | N/A | 7.5 HIGH |
| Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation. Attackers can send crafted serialized objects to the /messagebroker/amf endpoint to create administrative users without authentication, bypassing security controls. | |||||
| CVE-2020-36892 | 1 Eibiz | 1 I-media Server Digital Signage | 2025-12-17 | N/A | 9.8 CRITICAL |
| Eibiz i-Media Server Digital Signage 3.8.0 contains an unauthenticated privilege escalation vulnerability in the updateUser object that allows attackers to modify user roles. Attackers can exploit the /messagebroker/amf endpoint to elevate privileges and take over user accounts by manipulating role settings without authentication. | |||||
| CVE-2025-59695 | 1 Entrust | 10 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc Base and 7 more | 2025-12-15 | N/A | 9.8 CRITICAL |
| Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a user with OS root access to alter firmware on the Chassis Management Board (without Authentication). This is called F04. | |||||
| CVE-2025-59516 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2025-12-12 | N/A | 7.8 HIGH |
| Missing authentication for critical function in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-34331 | 1 Audiocodes | 2 Fax Server, Interactive Voice Response | 2025-12-12 | N/A | 7.5 HIGH |
| AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 contain an unauthenticated file read vulnerability via the download.php script. The endpoint exposes a file download mechanism that lacks access control, allowing remote, unauthenticated users to request files stored on the appliance based solely on attacker-supplied path and filename parameters. While limited to specific file extensions permitted by the application logic, sensitive backup archives can be retrieved, exposing internal databases and credential hashes. Successful exploitation may lead to disclosure of administrative password hashes and other sensitive configuration data. | |||||
| CVE-2021-47709 | 2025-12-12 | N/A | N/A | ||
| COMMAX Smart Home System allows an unauthenticated attacker to change configuration and cause denial-of-service through the setconf endpoint. Attackers can trigger a denial-of-service scenario by sending a malformed request to the setconf endpoint. | |||||
| CVE-2021-47710 | 2025-12-12 | N/A | N/A | ||
| COMMAX Smart Home System is a smart IoT home solution that allows an unauthenticated attacker to disclose RTSP credentials in plain-text by exploiting the /overview.asp endpoint. Attackers can access sensitive information, including login credentials and DVR settings, by submitting a GET request to this endpoint. | |||||
| CVE-2024-2104 | 2025-12-12 | N/A | 8.8 HIGH | ||
| Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable. | |||||
| CVE-2025-13607 | 2025-12-12 | N/A | 9.4 CRITICAL | ||
| A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL. | |||||
| CVE-2025-12348 | 2025-12-12 | N/A | 5.3 MEDIUM | ||
| The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage. | |||||
| CVE-2024-58300 | 2025-12-12 | N/A | N/A | ||
| Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device. | |||||
| CVE-2025-67780 | 2025-12-12 | N/A | 4.2 MEDIUM | ||
| SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can be bypassed by omitting a Referer header. In some cases, an attacker's ability to read tilt, rotation, and elevation data via gRPC can make it easier to infer the geographical location of the dish. | |||||