Total
1141 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-13124 | 2025-12-12 | N/A | 7.6 HIGH | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers.This issue affects ApplyLogic: through 01.12.2025. | |||||
| CVE-2025-14356 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and get form submission PDF, when the "PDF Generator" and the "Database" addons are enabled (disabled by default). | |||||
| CVE-2025-12883 | 2025-12-12 | N/A | 5.3 MEDIUM | ||
| The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income. | |||||
| CVE-2025-61950 | 2025-12-12 | N/A | 4.3 MEDIUM | ||
| In GroupSession, a Circular notice can be created with its memo field non-editable, but the authorization check is improperly implemented. With some crafted request, a logged-in user may alter the memo field. The affected products and versions are GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. | |||||
| CVE-2025-61075 | 1 Adata | 1 Mitarbeiter Portal | 2025-12-12 | N/A | 8.1 HIGH |
| Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls. | |||||
| CVE-2025-12918 | 1 Yungifez | 1 Skuul | 2025-12-11 | 2.1 LOW | 3.1 LOW |
| A security flaw has been discovered in yungifez Skuul School Management System up to 2.6.5. The impacted element is an unknown function of the file /dashboard/fees/fee-invoices/ of the component View Fee Invoice. Performing manipulation of the argument invoice_id results in improper control of resource identifiers. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-12919 | 1 Evershop | 1 Evershop | 2025-12-11 | 2.6 LOW | 3.7 LOW |
| A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-64497 | 1 Enalean | 1 Tuleap | 2025-12-10 | N/A | 6.5 MEDIUM |
| Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition. | |||||
| CVE-2025-67594 | 2025-12-09 | N/A | 4.3 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in ThimPress Thim Elementor Kit thim-elementor-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Thim Elementor Kit: from n/a through <= 1.3.3. | |||||
| CVE-2025-66513 | 1 Nextcloud | 1 Tables | 2025-12-09 | N/A | 4.3 MEDIUM |
| Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information which table (numeric ID) is shared with which groups or users and the respective permissions was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1. | |||||
| CVE-2025-63065 | 2025-12-09 | N/A | 5.4 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key vulnerability in David Lingren Media Library Assistant media-library-assistant allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Media Library Assistant: from n/a through <= 3.30. | |||||
| CVE-2025-66551 | 1 Nextcloud | 1 Tables | 2025-12-09 | N/A | 6.3 MEDIUM |
| Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victims table. This vulnerability is fixed in 0.8.6 and 0.9.3. | |||||
| CVE-2025-66553 | 1 Nextcloud | 1 Tables | 2025-12-09 | N/A | 4.3 MEDIUM |
| Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4. | |||||
| CVE-2025-66556 | 1 Nextcloud | 1 Talk | 2025-12-09 | N/A | 3.5 LOW |
| Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2. | |||||
| CVE-2025-66558 | 1 Nextcloud | 1 Two-factor Webauthn | 2025-12-09 | N/A | 3.1 LOW |
| Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1. | |||||
| CVE-2025-66546 | 1 Nextcloud | 1 Calendar | 2025-12-09 | N/A | 3.3 LOW |
| Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a squential ID without known the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1. | |||||
| CVE-2025-66547 | 1 Nextcloud | 1 Nextcloud Server | 2025-12-09 | N/A | 4.3 MEDIUM |
| Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1. | |||||
| CVE-2024-50395 | 1 Qnap | 1 Media Streaming Add-on | 2025-12-08 | N/A | 8.8 HIGH |
| An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow local network attackers to gain privilege. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later | |||||
| CVE-2025-13932 | 2025-12-08 | N/A | N/A | ||
| The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request. | |||||
| CVE-2025-13748 | 2025-12-08 | N/A | 5.3 MEDIUM | ||
| The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier. | |||||