Total
2370 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-31525 | 2026-06-17 | N/A | 7.2 HIGH | ||
| Peppermint Ticket Management 0.4.6 is vulnerable to Incorrect Access Control. A regular registered user is able to elevate his privileges to admin and gain complete access to the system as the authorization mechanism is not validated on the server side and only on the client side. This can result, for example, in creating a new admin user in the system which enables persistent access for the attacker as an administrator. | |||||
| CVE-2024-2921 | 1 Devolutions | 1 Devolutions Server | 2026-06-17 | N/A | 9.8 CRITICAL |
| Improper access control in PAM vault permissions in Devolutions Server 2024.1.10.0 and earlier allows an authenticated user with access to the PAM to access unauthorized PAM entries via a specific set of permissions. | |||||
| CVE-2024-2860 | 1 Broadcom | 1 Brocade Sannav | 2026-06-17 | N/A | 7.8 HIGH |
| The PostgreSQL implementation in Brocade SANnav versions before 2.3.0a is vulnerable to an incorrect local authentication flaw. An attacker accessing the VM where the Brocade SANnav is installed can gain access to sensitive data inside the PostgreSQL database. | |||||
| CVE-2024-2450 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 8.8 HIGH |
| Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions. | |||||
| CVE-2024-2104 | 2026-06-17 | N/A | 8.8 HIGH | ||
| Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service wich could render the device unusable. | |||||
| CVE-2024-2013 | 1 Hitachienergy | 2 Foxman-un, Unem | 2026-06-17 | N/A | 10.0 CRITICAL |
| An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway component that if exploited allows attackers without any access to interact with the services and the post-authentication attack surface. | |||||
| CVE-2024-27942 | 1 Siemens | 1 Ruggedcom Crossbow | 2026-06-17 | N/A | 7.5 HIGH |
| A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow any unauthenticated client to disconnect any active user from the server. An attacker could use this vulnerability to prevent any user to perform actions in the system, causing a denial of service situation. | |||||
| CVE-2024-27892 | 2026-06-17 | N/A | 9.6 CRITICAL | ||
| Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch. | |||||
| CVE-2024-27890 | 2026-06-17 | N/A | 9.6 CRITICAL | ||
| Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch. | |||||
| CVE-2024-27758 | 2026-06-17 | N/A | 8.4 HIGH | ||
| In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution. | |||||
| CVE-2024-27169 | 2026-06-17 | N/A | 8.4 HIGH | ||
| Toshiba printers provides API without authentication for internal access. A local attacker can bypass authentication in applications, providing administrative access. As for the affected products/models/versions, see the reference URL. | |||||
| CVE-2024-26519 | 2026-06-17 | N/A | 9.0 CRITICAL | ||
| An issue in Casa Systems NTC-221 version 2.0.99.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the /www/cgi-bin/nas.cgi component. | |||||
| CVE-2024-26263 | 1 Ebmtech | 1 Risweb | 2026-06-17 | N/A | 5.3 MEDIUM |
| EBM Technologies RISWEB's specific URL path is not properly controlled by permission, allowing attackers to browse specific pages and query sensitive data without login. | |||||
| CVE-2024-26235 | 1 Microsoft | 1 Windows Server 2022 23h2 | 2026-06-17 | N/A | 7.8 HIGH |
| Windows Update Stack Elevation of Privilege Vulnerability | |||||
| CVE-2024-26011 | 1 Fortinet | 6 Fortimanager, Fortios, Fortipam and 3 more | 2026-06-17 | N/A | 5.3 MEDIUM |
| A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14, FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiSwitchManager version 7.2.0 through 7.2.3, 7.0.0 through 7.0.3, FortiPortal version 6.0.0 through 6.0.14, FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15, 6.2.0 through 6.2.16, 6.0.0 through 6.0.18 allows attacker to execute unauthorized code or commands via specially crafted packets. | |||||
| CVE-2024-25618 | 1 Joinmastodon | 1 Mastodon | 2026-06-17 | N/A | 4.2 MEDIUM |
| Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-23943 | 2026-06-17 | N/A | 9.1 CRITICAL | ||
| An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected. | |||||
| CVE-2024-23917 | 1 Jetbrains | 1 Teamcity | 2026-06-17 | N/A | 9.8 CRITICAL |
| In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible | |||||
| CVE-2024-23815 | 2026-06-17 | N/A | 7.5 HIGH | ||
| A vulnerability has been identified in Desigo CC (All versions if access from Installed Clients to Desigo CC server is allowed from networks outside of a highly protected zone), Desigo CC (All versions if access from Installed Clients to Desigo CC server is only allowed within highly protected zones). The affected server application fails to authenticate specific client requests. Modification of the client binary could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database via the event port (default: 4998/tcp) | |||||
| CVE-2024-23783 | 1 Sharp | 4 Jh-rv11, Jh-rv11 Firmware, Jh-rvb1 and 1 more | 2026-06-17 | N/A | 8.8 HIGH |
| Improper authentication vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to access the affected product without authentication. | |||||