Total: 1681 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5376 | 1 Korenix | 84 Jetnet 4508, Jetnet 4508-w, Jetnet 4508-w Firmware and 81 more | 2025-10-08 | N/A | 8.6 HIGH |
| An Improper Authentication vulnerability in Korenix JetNet TFTP allows abuse of this service. This issue affects JetNet devices older than firmware version 2024/01. | |||||
| CVE-2025-61673 | | | 2025-10-06 | N/A | 8.6 HIGH |
| Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.0.2. | |||||
| CVE-2025-10746 | | | 2025-10-06 | N/A | 6.5 MEDIUM |
| The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for unauthenticated attackers to deactivate the plugin, tamper with OAuth configuration, and trigger test connections that expose sensitive data via direct request to vulnerable endpoints granted they can craft malicious requests with specific parameters. | |||||
| CVE-2025-34207 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-03 | N/A | 9.8 CRITICAL |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.1049 and Application prior to 20.0.2786 (VA and SaaS deployments) configure the SSH client within Docker instances with the following options: `UserKnownHostsFile=/dev/null`, `StrictHostKeyChecking=no`, and `ForwardAgent yes`. These settings disable verification of the remote host's SSH key and automatically forward the developer's SSH agent to any host that matches the configured wildcard patterns. As a result, an attacker who can reach a single compromised container can cause the container to connect to a malicious SSH server, capture the forwarded private keys, and use those keys for unrestricted lateral movement across the environment. This vulnerability has been identified by the vendor as: V-2024-027 — Insecure Secure Shell (SSH) Configuration. | |||||
| CVE-2024-42462 | 1 Upkeeper | 1 Upkeeper Manager | 2025-10-03 | N/A | 9.8 CRITICAL |
| Improper Authentication vulnerability in upKeeper Solutions product upKeeper Manager allows Authentication Bypass. This issue affects upKeeper Manager: through 5.1.9. | |||||
| CVE-2025-3758 | | | 2025-10-03 | N/A | N/A |
| WF2220 exposes endpoint /cgi-bin-igd/netcore_get.cgi that returns configuration of the device to unauthorized users. Returned configuration includes cleartext password. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-53378 | 2 Microsoft, Trendmicro | 2 Windows, Worry-free Business Security Services | 2025-10-03 | N/A | 7.6 HIGH |
| A missing authentication vulnerability in Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an unauthenticated attacker to remotely take control of the agent on affected installations. Also note: this vulnerability only affected the SaaS client version of WFBSS, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule, and this disclosure is for informational purposes only. | |||||
| CVE-2025-34111 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2025-10-03 | N/A | 9.8 CRITICAL |
| An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/. | |||||
| CVE-2025-6226 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 6.5 MEDIUM |
| Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts. | |||||
| CVE-2025-56562 | 1 Signify | 1 Wiz Connected | 2025-10-02 | N/A | 7.5 HIGH |
| An incorrect API discovered in Signify Wiz Connected 1.9.1 allows attackers to remotely launch a DoS on Wiz devices only requiring the MAC address. | |||||
| CVE-2025-10991 | | | 2025-10-02 | N/A | N/A |
| The attacker may obtain root access by connecting to the UART port and this vulnerability requires the attacker to have the physical access to the device. This issue affects Tapo D230S1 V1.20: before 1.2.2 Build 20250907. | |||||
| CVE-2025-23293 | | | 2025-10-02 | N/A | 8.7 HIGH |
| NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where a user/attacker may cause an authorized action. A successful exploit of this vulnerability may lead to information disclosure. | |||||
| CVE-2025-27538 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 2.2 LOW |
| Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA. | |||||
| CVE-2025-47850 | 1 Jetbrains | 1 Youtrack | 2025-09-30 | N/A | 4.3 MEDIUM |
| In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning | |||||
| CVE-2025-48391 | 1 Jetbrains | 1 Youtrack | 2025-09-30 | N/A | 7.7 HIGH |
| In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API | |||||
| CVE-2025-34190 | 3 Apple, Linux, Vasion | 4 Macos, Linux Kernel, Virtual Appliance Application and 1 more | 2025-09-29 | N/A | 7.8 HIGH |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 (macOS/Linux client deployments) are vulnerable to an authentication bypass in PrinterInstallerClientService. The service requires root privileges for certain administrative operations, but these checks rely on calls to geteuid(). By preloading a malicious shared object overriding geteuid(), a local attacker can trick the service into believing it is running with root privileges. This bypass enables execution of administrative commands (e.g., enabling debug mode, managing configurations, or invoking privileged features) without proper authorization. While some actions requiring write access to protected files may still fail, the flaw effectively breaks the intended security model of the inter-process communication (IPC) system, allowing local attackers to escalate privileges and compromise system integrity. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced. | |||||
| CVE-2025-11130 | | | 2025-09-29 | 7.2 HIGH | 8.4 HIGH |
| A weakness has been identified in iHongRen pptp-vpn 1.0/1.0.1 on macOS. This issue affects the function shouldAcceptNewConnection of the file HelpTool/HelperTool.m of the component XPC Service. This manipulation causes missing authentication. The attack can only be executed locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-45075 | 1 Ibm | 1 Webmethods Integration | 2025-09-29 | N/A | 8.8 HIGH |
| IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication. | |||||
| CVE-2025-58443 | 1 Fogproject | 1 Fogproject | 2025-09-29 | N/A | 9.1 CRITICAL |
| FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1673 and below contain an authentication bypass vulnerability. It is possible for an attacker to perform an unauthenticated DB dump where they could pull a full SQL DB without credentials. A fix is expected to be released 9/15/2025. To address this vulnerability immediately, upgrade to the latest version of either the dev-branch or working-1.6 branch. This will patch the issue for users concerned about immediate exposure. See the FOG Project documentation for step-by-step upgrade instructions: https://docs.fogproject.org/en/latest/install-fog-server#choosing-a-fog-version. | |||||
| CVE-2025-60251 | | | 2025-09-26 | N/A | 5.0 MEDIUM |
| Unitree Go2, G1, H1, and B2 devices through 2025-09-20 accept any handshake secret with the unitree substring. | |||||
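
The Karapace entry (CVE-2025-61673) describes the classic fail-open shape: the token check lives inside an "if the header is present" branch, so a request with no `Authorization` header never reaches it. The Python below is an added illustration written for this page, not Karapace's code; the token store, the `put_schema` handler and the principal names are invented stand-ins for a real OAuth 2.0 validator and a real Schema Registry write endpoint.

```python
import hmac
from typing import Callable, Mapping, Optional

# Constructed token store standing in for a real OAuth 2.0 token validator
# (assumption: the real check calls out to an issuer; the fail-open bug is
# independent of how the token itself is validated).
VALID_TOKENS = {"tok-alice-4f2a9c": "alice"}


def validate_bearer(token: str) -> Optional[str]:
    """Return the principal for a known token, else None (constant-time compare)."""
    for known, principal in VALID_TOKENS.items():
        if hmac.compare_digest(token.encode(), known.encode()):
            return principal
    return None


def authenticate_fail_open(headers: Mapping[str, str]) -> Optional[str]:
    """Vulnerable shape: the token check is nested under 'if header present'.
    A request with no Authorization header never reaches it and falls through."""
    auth = headers.get("Authorization")
    if auth is not None:
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "bearer":
            raise PermissionError("unsupported auth scheme")
        principal = validate_bearer(token)
        if principal is None:
            raise PermissionError("invalid bearer token")
        return principal
    return None          # "no header" silently becomes "no check"


def authenticate_fail_closed(headers: Mapping[str, str]) -> str:
    """Hardened shape: absence or malformation of the header is itself a rejection."""
    auth = headers.get("Authorization")
    if auth is None:
        raise PermissionError("missing Authorization header")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise PermissionError("expected 'Bearer <token>'")
    principal = validate_bearer(token)
    if principal is None:
        raise PermissionError("invalid bearer token")
    return principal


def put_schema(headers: Mapping[str, str],
               authenticate: Callable[[Mapping[str, str]], Optional[str]]) -> int:
    """Minimal stand-in for a protected Schema Registry write; returns an HTTP status."""
    try:
        authenticate(headers)
    except PermissionError:
        return 401
    return 200   # the write proceeds; with the fail-open variant this happens for anonymous callers


def rejects_anonymous(authenticate: Callable[[Mapping[str, str]], Optional[str]]) -> bool:
    """Regression check worth keeping in a test suite: no header must mean 401."""
    return put_schema({}, authenticate) == 401
```

The useful habit here is to write the authenticator so that every path either returns a principal or raises; a function that can return "nothing happened" invites callers to treat that as success. A one-line test that sends an empty header set against every protected route catches this class of bug before a release does.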
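
For the Vasion SSH entry (CVE-2025-34207), the three options in the description are easy to grep for by hand but tend to hide in per-`Host` blocks and in `Key=value` spelling. The following Python is an added example for this page, not Vasion's tooling: a small `ssh_config` parser and auditor that flags the weakened settings per host block. The two config snippets are constructed to mirror the advisory's description, not copied from the product.

```python
import re
from typing import Dict, List, Tuple

# Constructed client config with the three settings named in the advisory
# (wildcard patterns, no host-key verification, agent forwarding).
INSECURE_CONFIG = """
Host *.internal 10.*
    UserKnownHostsFile=/dev/null
    StrictHostKeyChecking=no
    ForwardAgent yes
    User deploy
"""

# Same access, with host keys pinned and no agent forwarding.
HARDENED_CONFIG = """
Host build-01.internal
    HostName 10.0.5.21
    UserKnownHostsFile ~/.ssh/known_hosts
    StrictHostKeyChecking yes
    ForwardAgent no
    User deploy
"""

# option (lower-cased) -> values that disable a control
RISKY_VALUES = {
    "stricthostkeychecking": {"no", "off"},
    "userknownhostsfile": {"/dev/null", "none"},
    "forwardagent": {"yes"},
}

_LINE = re.compile(r"^(\w+)\s*=?\s*(.+?)\s*$")


def parse_ssh_config(text: str) -> List[Tuple[List[str], Dict[str, str]]]:
    """Return [(host_patterns, {option: value}), ...] in file order.
    ssh_config keywords are case-insensitive and 'Key value' == 'Key=value';
    options before the first Host line are global (pattern '*')."""
    blocks: List[Tuple[List[str], Dict[str, str]]] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)   # ssh keeps the first value it sees
    return blocks


def audit_ssh_config(text: str) -> List[Tuple[str, str, str]]:
    """Findings as (host patterns, option, value) for every block that weakens
    host-key verification or forwards the agent."""
    findings = []
    for hosts, opts in parse_ssh_config(text):
        for key, bad in RISKY_VALUES.items():
            value = opts.get(key)
            if value is not None and value.lower() in bad:
                findings.append((" ".join(hosts), key, value))
    return findings
```

Run `audit_ssh_config` over every `ssh_config` and `~/.ssh/config` baked into an image, not just the host's. Note that `ForwardAgent yes` is a finding even when host keys are verified: any host you forward to can use the agent's keys for as long as the session lasts, so prefer `ProxyJump` for multi-hop access and keep forwarding off by default.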
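
The Tiki entry (CVE-2025-34111) is the textbook unauthenticated upload: the connector takes the client's filename and bytes and writes them under the web root with no type check. The Python below is an added example for this page, not Tiki's or elFinder's code; it contrasts that pattern with a validator that rejects executable extensions anywhere in the name, checks the leading bytes against an allowlist, and stores under a server-chosen name. The allowlist, size limit and directory names are assumptions for illustration.

```python
import os
import secrets
from typing import Dict, Tuple

# Extensions the application actually needs, with the leading bytes the file
# must begin with. Anything else is rejected. (Constructed allowlist.)
ALLOWED_TYPES: Dict[str, bytes] = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
# Extensions a web server may hand to an interpreter; rejected anywhere in the
# name so 'shell.php.png' cannot slip through a server with multi-extension handlers.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                     "cgi", "pl", "sh", "htaccess"}
MAX_BYTES = 5 * 1024 * 1024


def vulnerable_connector(filename: str, data: bytes, upload_dir: str) -> str:
    """The pattern the advisory describes: the client-supplied name is used as-is
    and nothing looks at the content, so 'shell.php' lands in a served directory."""
    return os.path.join(upload_dir, os.path.basename(filename))


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason-or-vetted-extension)."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    parts = os.path.basename(filename).lower().split(".")
    exts = [p for p in parts[1:] if p]
    if not exts:
        return False, "no extension"
    if any(e in SERVER_EXECUTABLE for e in exts):
        return False, "executable extension"
    ext = exts[-1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, "extension not allowed"
    if not data.startswith(magic):
        return False, "content does not match extension"
    return True, ext


def hardened_connector(filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then store under a random server-chosen name carrying only the
    vetted extension; the user's filename never reaches the filesystem."""
    ok, info = validate_upload(filename, data)
    if not ok:
        raise ValueError(f"rejected upload: {info}")
    return os.path.join(upload_dir, f"{secrets.token_hex(16)}.{info}")
```

The magic-byte check is a speed bump, not a wall: a valid PNG can carry PHP in a trailing chunk. What actually stops code execution is the combination of a server-chosen name, an extension the server will never execute, and an upload directory that is either outside the document root or served with script handlers disabled. Authentication on the connector endpoint is a separate, equally necessary control.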
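
The Mattermost entry (CVE-2025-6226) is an authorization gap on a cache fast path: a lookup by client-chosen `PendingPostID` returns the cached post without re-checking whether the requester may read the channel, and because such ids are structured and recent they can be enumerated. The Python below is an added example written for this page, not Mattermost server code (which is Go); the membership table, the cache contents and the `user:timestamp` id shape are constructed assumptions used to show the bug and the fix side by side.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Post:
    id: str
    channel_id: str
    message: str


# Constructed fixtures standing in for the channel-membership table and the
# recently-created-posts cache keyed by the client-supplied pending id.
CHANNEL_MEMBERS: Dict[str, Set[str]] = {
    "chan-exec-private": {"alice"},
    "chan-town-square": {"alice", "bob"},
}
# Assumption for illustration: pending ids look like "<user>:<ms timestamp>",
# which is what makes them guessable. The values are invented.
PENDING_CACHE: Dict[str, Post] = {
    "alice:1727800000000": Post("p1", "chan-exec-private", "offer details for the acquisition"),
    "bob:1727800001000": Post("p2", "chan-town-square", "lunch?"),
}

Fetch = Callable[[str, str], Optional[Post]]


def is_channel_member(user: str, channel_id: str) -> bool:
    return user in CHANNEL_MEMBERS.get(channel_id, set())


def get_post_by_pending_id_vulnerable(requester: str, pending_id: str) -> Optional[Post]:
    """Cache fast path with no authorization: whoever names the id gets the post."""
    return PENDING_CACHE.get(pending_id)


def get_post_by_pending_id_fixed(requester: str, pending_id: str) -> Optional[Post]:
    """Resolve the cache hit, then apply the same channel check the ordinary
    post-read path applies. A miss and a denial look identical to the caller,
    so the endpoint does not confirm which ids exist."""
    post = PENDING_CACHE.get(pending_id)
    if post is None or not is_channel_member(requester, post.channel_id):
        return None
    return post


def enumerate_guesses(fetch: Fetch, requester: str, victim: str,
                      start_ms: int, window_ms: int, step_ms: int = 1000) -> List[Post]:
    """What 'guessing the PendingPostID of recently created posts' looks like:
    walk a timestamp window for one victim and keep whatever the endpoint returns."""
    found = []
    for ts in range(start_ms, start_ms + window_ms, step_ms):
        post = fetch(requester, f"{victim}:{ts}")
        if post is not None:
            found.append(post)
    return found
```

The durable fix is structural rather than a one-off check: perform authorization in the data-access layer that both the database path and the cache path go through, so a future "fast path" cannot skip it. Returning the same "not found" for a miss and a denial also removes the oracle an enumerator would otherwise use to confirm which ids exist.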
