Total
98 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-27367 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2026-06-17 | N/A | 5.3 MEDIUM |
| IBM OpenPages with Watson 8.3 and 9.0 is vulnerable to improper input validation due to bypassing of client-side validation for the data types and requiredness of fields for GRC Objects when an authenticated user sends a specially crafted payload to the server allowing for data to be saved without storing the required fields. | |||||
| CVE-2025-25497 | 2026-06-17 | N/A | 8.1 HIGH | ||
| An issue in account management interface in Netsweeper Server v.8.2.6 and earlier (fixed in v.8.2.7) allows unauthorized changes to the "Account Owner" field due to client-side-only restrictions and a lack of server-side validation. This vulnerability enables account ownership reassignment to or away from any user. | |||||
| CVE-2025-20113 | 1 Cisco | 2 Unified Contact Center Express, Unified Intelligence Center | 2026-06-17 | N/A | 7.1 HIGH |
| A vulnerability in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to elevate privileges to Administrator for a limited set of functions on an affected system. This vulnerability is due to insufficient server-side validation of user-supplied parameters in API or HTTP requests. An attacker could exploit this vulnerability by submitting a crafted API or HTTP request to an affected system. A successful exploit could allow the attacker to access, modify, or delete data beyond the sphere of their intended access level, including obtaining potentially sensitive information stored in the system. | |||||
| CVE-2025-1838 | 1 Ibm | 1 Cloud Pak For Business Automation | 2026-06-17 | N/A | 6.5 MEDIUM |
| IBM Cloud Pak for Business Automation 24.0.0 and 24.0.1 through 24.0.1 IF001 Authoring allows an authenticated user to bypass client-side data validation in an authoring user interface which could cause a denial of service. | |||||
| CVE-2025-14687 | 1 Ibm | 1 Db2 Intelligence Center | 2026-06-17 | N/A | 4.3 MEDIUM |
| IBM Db2 Intelligence Center 1.1.0, 1.1.1, 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms. | |||||
| CVE-2025-12788 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without server-side verification with PayPal's API. This makes it possible for unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction occurring. | |||||
| CVE-2025-12115 | 2026-06-17 | N/A | 7.5 HIGH | ||
| The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a product. This makes it possible for unauthenticated attackers to purchase products at prices less than they should be able to. | |||||
| CVE-2025-10640 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| An unauthenticated attacker with access to TCP port 12306 of the WorkExaminer server can exploit missing server-side authentication checks to bypass the login prompt in the WorkExaminer Professional console to gain administrative access to the WorkExaminer server and therefore all sensitive monitoring data. This includes monitored screenshots and keystrokes of all users. The WorkExaminer Professional console is used for administrative access to the server. Before access to the console is granted administrators must login. Internally, a custom protocol is used to call a respective stored procedure on the MSSQL database. The return value of the call is not validated on the server-side. Instead it is only validated client-side which allows to bypass authentication. | |||||
| CVE-2025-10161 | 2026-06-17 | N/A | 7.3 HIGH | ||
| Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute Force, Authentication Bypass, Functionality Bypass. This issue affects Perfektive: before Version: 12574 Build: 2701. | |||||
| CVE-2024-9844 | 1 Ivanti | 1 Connect Secure | 2026-06-17 | N/A | 7.1 HIGH |
| Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions. | |||||
| CVE-2024-6831 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program has found that it is possible to edit and/or remove views without the necessary permission due to a client-side-only check. Axis has released patched versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | |||||
| CVE-2024-6620 | 2026-06-17 | N/A | 3.5 LOW | ||
| Honeywell PC42t, PC42tp, and PC42d Printers, T10.19.020016 to T10.20.060398, contain a cross-site scripting vulnerability. A(n) attacker could potentially inject malicious code which may lead to information disclosure, session theft, or client-side request forgery. Honeywell recommends updating to the most recent version of this firmware, PC42 Printer Firmware Version 20.6 T10.20.060398. | |||||
| CVE-2024-52960 | 1 Fortinet | 1 Fortisandbox | 2026-06-17 | N/A | 4.3 MEDIUM |
| A client-side enforcement of server-side security vulnerability [CWE-602] in Fortinet FortiSandbox version 5.0.0, 4.4.0 through 4.4.6 and before 4.2.7 allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. | |||||
| CVE-2024-52008 | 1 Ethyca | 1 Fides | 2026-06-17 | N/A | 8.8 HIGH |
| Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user's email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. Therefore that specific user's account can be compromised easily by an attacker guessing or brute forcing the password. The vulnerability has been patched in Fides version `2.50.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-49824 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation For Cloud Pak | 2026-06-17 | N/A | 6.5 MEDIUM |
| IBM Robotic Process Automation 21.0.0 through 21.0.7.18 and 23.0.0 through 23.0.18 and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.18 and 23.0.0 through 23.0.18 could allow an authenticated user to perform unauthorized actions as a privileged user due to improper validation of client-side security enforcement. | |||||
| CVE-2024-44106 | 1 Ivanti | 1 Workspace Control | 2026-06-17 | N/A | 8.8 HIGH |
| Insufficient server-side controls in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges. | |||||
| CVE-2024-43188 | 1 Ibm | 1 Business Automation Workflow | 2026-06-17 | N/A | 4.9 MEDIUM |
| IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 could allow a privileged user to perform unauthorized activities due to improper client side validation. | |||||
| CVE-2024-42340 | 1 Cyberark | 1 Identity | 2026-06-17 | N/A | 8.3 HIGH |
| CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security | |||||
| CVE-2024-41751 | 1 Ibm | 1 Smartcloud Analytics Log Analysis | 2026-06-17 | N/A | 5.5 MEDIUM |
| IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local, authenticated attacker to bypass client-side enforcement of security to manipulate data. | |||||
| CVE-2024-41750 | 1 Ibm | 1 Smartcloud Analytics Log Analysis | 2026-06-17 | N/A | 5.5 MEDIUM |
| IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local, authenticated attacker to bypass client-side enforcement of security to manipulate data. | |||||