Total
2287 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10672 | 2026-06-17 | 6.8 MEDIUM | 7.8 HIGH | ||
| A vulnerability was found in whuan132 AIBattery up to 1.0.9. The affected element is an unknown function of the file AIBatteryHelper/XPC/BatteryXPCService.swift of the component com.collweb.AIBatteryHelper. The manipulation results in missing authentication. The attack requires a local approach. The exploit has been made public and could be used. | |||||
| CVE-2025-10452 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| Statistical Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents with high-level privileges. | |||||
| CVE-2025-10267 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| NUP Portal developed by NewType Infortech has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly upload files. If the attacker manages to bypass the file extension restrictions, they could upload a webshell and execute it on the server side. | |||||
| CVE-2025-10204 | 2026-06-17 | N/A | N/A | ||
| A vulnerability has been discovered in AC Smart II where passwords can be changed without authorization. This page contains a hidden form for resetting the administrator password. The attacker can manipulate the page using developer tools to display and use the form. This form allows you to change the administrator password without verifying login status or user permissions. | |||||
| CVE-2025-0896 | 1 Orthanc-server | 1 Orthanc | 2026-06-17 | N/A | 9.8 CRITICAL |
| Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker. | |||||
| CVE-2025-0456 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| The airPASS from NetVision Information has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access the specific administrative functionality to retrieve * all accounts and passwords. | |||||
| CVE-2025-0355 | 2026-06-17 | N/A | 7.5 HIGH | ||
| Missing Authentication for Critical Function vulnerability in NEC Corporation Aterm WG2600HS Ver.1.7.2 and earlier, WF1200CRS Ver.1.6.0 and earlier, WG1200CRS Ver.1.5.0 and earlier, GB1200PE Ver.1.3.0 and earlier, WG2600HP4 Ver.1.4.2 and earlier, WG2600HM4 Ver.1.4.2 and earlier, WG2600HS2 Ver.1.3.2 and earlier, WX3000HP Ver.2.4.2 and earlier and WX4200D5 Ver.1.2.4 and earlier allows a attacker to get a Wi-Fi password via the network. | |||||
| CVE-2025-0275 | 1 Hcltech | 2 Bigfix Mobile, Bigfix Modern Client Management | 2026-06-17 | N/A | 5.3 MEDIUM |
| HCL BigFix Mobile 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access to select internal functions. | |||||
| CVE-2025-0274 | 1 Hcltech | 2 Bigfix Mobile, Bigfix Modern Client Management | 2026-06-17 | N/A | 5.3 MEDIUM |
| HCL BigFix Modern Client Management (MCM) 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access to select internal functions. | |||||
| CVE-2025-0257 | 1 Hcltechsw | 2 Hcl Devops Deploy, Hcl Launch | 2026-06-17 | N/A | 6.3 MEDIUM |
| HCL DevOps Deploy / HCL Launch could allow unauthorized access to other services or potential exposure of sensitive data due to missing authentication in its Agent Relay service. | |||||
| CVE-2025-0256 | 1 Hcltechsw | 2 Hcl Devops Deploy, Hcl Launch | 2026-06-17 | N/A | 4.3 MEDIUM |
| HCL DevOps Deploy / HCL Launch could allow an authenticated user to obtain sensitive information about other users on the system due to missing authorization for a function. | |||||
| CVE-2025-0159 | 1 Ibm | 1 Storage Virtualize | 2026-06-17 | N/A | 9.1 CRITICAL |
| IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1, 8.6.3.0, 8.7.0.0 through 8.7.0.2, 8.7.1.0, 8.7.2.0 through 8.7.2.1) could allow a remote attacker to bypass RPCAdapter endpoint authentication by sending a specifically crafted HTTP request. | |||||
| CVE-2025-0132 | 2026-06-17 | N/A | N/A | ||
| A missing authentication vulnerability in Palo Alto Networks Cortex XDR® Broker VM allows an unauthenticated user to disable certain internal services on the Broker VM. The attacker must have network access to the Broker VM to exploit this issue. | |||||
| CVE-2025-0129 | 2026-06-17 | N/A | N/A | ||
| An improper exception check in Palo Alto Networks Prisma Access Browser allows a low privileged user to prevent Prisma Access Browser from applying it's Policy Rules. This enables the user to use Prisma Access Browser without any restrictions. | |||||
| CVE-2025-0108 | 1 Paloaltonetworks | 1 Pan-os | 2026-06-17 | N/A | 9.1 CRITICAL |
| An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue does not affect Cloud NGFW or Prisma Access software. | |||||
| CVE-2024-9984 | 1 Ragic | 1 Enterprise Cloud Database | 2026-06-17 | N/A | 9.8 CRITICAL |
| Enterprise Cloud Database from Ragic does not authenticate access to specific functionality, allowing unauthenticated remote attackers to use this functionality to obtain any user's session cookie. | |||||
| CVE-2024-9919 | 1 Lollms | 1 Lollms Web Ui | 2026-06-17 | N/A | 8.4 HIGH |
| A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication. | |||||
| CVE-2024-9861 | 1 Miniorange | 1 Otp Verification With Firebase | 2026-06-17 | N/A | 8.1 HIGH |
| The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.6.0. This is due to missing validation on the token being supplied during the otp login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the phone number associated with that user. | |||||
| CVE-2024-9658 | 1 Dasinfomedia | 1 School Management System | 2026-06-17 | N/A | 8.8 HIGH |
| The School Management System for Wordpress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 93.0.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email and password through the mj_smgt_update_user() and mj_smgt_add_admission() functions, along with a local file inclusion vulnerability. This makes it possible for authenticated attackers, with student-level access and above, to change arbitrary user's email addresses and passwords, including administrators, and leverage that to gain access to their account. This was escalated four months ago after no response to our initial outreach, yet it still vulnerable. | |||||
| CVE-2024-9644 | 1 Four-faith | 2 F3x36, F3x36 Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to an authentication bypass vulnerability in the administrative web server. Authentication is not enforced on some administrative functionality when using the "bapply.cgi" endpoint instead of the normal "apply.cgi" endpoint. A remote and unauthenticated can use this vulnerability to modify settings or chain with existing authenticated vulnerabilities. | |||||