Total
219 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-0790 | 1 Algosolutions | 2 8180 Ip Audio Alerter, 8180 Ip Audio Alerter Firmware | 2026-02-13 | N/A | 7.5 HIGH |
| ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. By navigating directly to a URL, a user can gain unauthorized access to data. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28299. | |||||
| CVE-2025-52024 | 1 Aptsys | 1 Gemscms Backend | 2026-02-11 | N/A | 9.4 CRITICAL |
| A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries. | |||||
| CVE-2022-2551 | 1 Awesomemotive | 1 Duplicator | 2026-02-02 | N/A | 7.5 HIGH |
| The Duplicator WordPress plugin before 1.4.7 discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating. | |||||
| CVE-2023-3426 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | N/A | 4.3 MEDIUM |
| The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations. | |||||
| CVE-2025-67844 | 1 Mintlify | 1 Mintlify | 2026-01-02 | N/A | 5.0 MEDIUM |
| The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields provided during configuration belong to the specific GitHub App Installation ID associated with the user's organization. | |||||
| CVE-2017-17736 | 1 Kentico | 1 Xperience | 2025-12-19 | 7.5 HIGH | 9.8 CRITICAL |
| Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard. | |||||
| CVE-2025-6195 | 1 Gitlab | 1 Gitlab | 2025-12-10 | N/A | 4.3 MEDIUM |
| GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions. | |||||
| CVE-2025-57823 | 1 Fortinet | 1 Fortiauthenticator | 2025-12-09 | N/A | 2.7 LOW |
| A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints | |||||
| CVE-2025-62778 | 1 Frappe | 1 Learning | 2025-11-03 | N/A | 5.3 MEDIUM |
| Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL. | |||||
| CVE-2021-26085 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2025-10-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3. | |||||
| CVE-2024-45195 | 1 Apache | 1 Ofbiz | 2025-10-23 | N/A | 7.5 HIGH |
| Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. | |||||
| CVE-2025-6352 | 1 Fabian | 1 Automated Voting System | 2025-10-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability classified as problematic has been found in code-projects Automated Voting System 1.0. Affected is an unknown function of the file /vote.php of the component Backend. The manipulation leads to direct request. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-41404 | 1 Irohasoft | 1 Iroha Board | 2025-09-30 | N/A | 4.3 MEDIUM |
| Direct request ('Forced Browsing') issue exists in iroha Board versions v0.10.12 and earlier. If this vulnerability is exploited, non-public contents may be viewed by an attacker who can log in to the affected product. | |||||
| CVE-2024-55075 | 1 Grocy Project | 1 Grocy | 2025-09-29 | N/A | 4.3 MEDIUM |
| Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not shown in the UI, such as calendar and recipes. | |||||
| CVE-2025-55736 | 1 Dogukanurker | 1 Flaskblog | 2025-08-22 | N/A | 6.5 MEDIUM |
| flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file. | |||||
| CVE-2022-40845 | 1 Tenda | 2 W15e, W15e Firmware | 2025-07-07 | N/A | 6.5 MEDIUM |
| The Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) is affected by a password exposure vulnerability. When combined with the improper authorization/improper session management vulnerability, an attacker with access to the router may be able to expose sensitive information which they're not explicitly authorized to have. | |||||
| CVE-2025-47226 | 1 Snipeitapp | 1 Snipe-it | 2025-06-03 | N/A | 5.0 MEDIUM |
| Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information. | |||||
| CVE-2022-36158 | 1 Contec | 8 Fxa2000, Fxa2000 Firmware, Fxa3000 and 5 more | 2025-05-21 | N/A | 8.0 HIGH |
| Contec FXA3200 version 1.13.00 and under suffers from Insecure Permissions in the Wireless LAN Manager interface which allows malicious actors to execute Linux commands with root privilege via a hidden web page (/usr/www/ja/mnt_cmd.cgi). | |||||
| CVE-2022-42238 | 1 Merchandise Online Store Project | 1 Merchandise Online Store | 2025-05-20 | N/A | 8.8 HIGH |
| A Vertical Privilege Escalation issue in Merchandise Online Store v.1.0 allows an attacker to get access to the admin dashboard. | |||||
| CVE-2025-46690 | 1 Ververica | 1 Ververica Platform | 2025-05-12 | N/A | 5.0 MEDIUM |
| Ververica Platform 2.14.0 allows low-privileged users to access SQL connectors via a direct namespaces/default/formats request. | |||||