Total: 67 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-62775 | | | 2025-10-22 | N/A | 8.0 HIGH |
| Mercku M6a devices through 2.1.0 allow root TELNET logins via the web admin password. | |||||
| CVE-2021-22900 | 2 Ivanti, Pulsesecure | 2 Connect Secure, Pulse Connect Secure | 2025-10-22 | 6.5 MEDIUM | 7.2 HIGH | 
| A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface. | |||||
| CVE-2025-62646 | | | 2025-10-21 | N/A | 5.0 MEDIUM |
| The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to review the stored audio of conversations between associates and Drive Thru customers. | |||||
| CVE-2024-31573 | | | 2025-10-21 | N/A | 4.0 MEDIUM |
| XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled. | |||||
| CVE-2025-62292 | | | 2025-10-14 | N/A | 4.3 MEDIUM |
| In SonarQube before 25.6, 2025.3 Commercial, and 2025.1.3 LTA, authenticated low-privileged users can query the /api/v2/users-management/users endpoint and obtain user fields intended for administrators only, including the email addresses of other accounts. | |||||
| CVE-2025-54310 | 1 Qbittorrent | 1 Qbittorrent | 2025-10-09 | N/A | 4.0 MEDIUM | 
| qBittorrent before 5.1.2 does not prevent access to a local file that is referenced in a link URL. This affects rsswidget.cpp and searchjobwidget.cpp. | |||||
| CVE-2025-56675 | | | 2025-10-02 | N/A | 3.5 LOW |
| The EKEN video doorbell T6 BT60PLUS_MAIN_V1.0_GC1084_20230531 periodically sends debug logs to the EKEN cloud servers with sensitive information such as the Wi-Fi SSID and password. | |||||
| CVE-2025-59691 | | | 2025-09-19 | N/A | 3.7 LOW |
| PureVPN client applications on Linux through September 2025 allow IPv6 traffic to leak outside the VPN tunnel upon network events such as Wi-Fi reconnect or system resume. In the CLI client, the VPN auto-reconnects and claims to be connected, but IPv6 traffic is no longer routed or blocked. In the GUI client, the IPv6 connection remains functional after disconnection until the user clicks Reconnect. In both cases, the real IPv6 address is exposed to external services, violating user privacy and defeating the advertised IPv6 leak protection. This affects CLI 2.0.1 and GUI 2.10.0. | |||||
| CVE-2025-59692 | | | 2025-09-19 | N/A | 3.7 LOW |
| PureVPN client applications on Linux through September 2025 mishandle firewalling. They flush the system's existing iptables rules and apply default ACCEPT policies when connecting to a VPN server. This removes firewall rules that may have been configured manually or by other software (e.g., UFW, container engines, or system security policies). Upon VPN disconnect, the original firewall state is not restored. As a result, the system may become unintentionally exposed to network traffic that was previously blocked. This affects CLI 2.0.1 and GUI 2.10.0. | |||||
| CVE-2025-59453 | | | 2025-09-16 | N/A | 3.2 LOW |
| Click Studios Passwordstate before 9.9 Build 9972 has a potential authentication bypass for Passwordstate emergency access. By using a crafted URL while on the Emergency Access web page, an unauthorized person can gain access to the Passwordstate Administration section. | |||||
| CVE-2025-59363 | | | 2025-09-15 | N/A | 7.7 HIGH |
| In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created), | |||||
| CVE-2025-59378 | | | 2025-09-15 | N/A | 5.7 MEDIUM |
| In guix-daemon in GNU Guix before 1618ca7, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it (even after the build has ended). | |||||
| CVE-2025-46553 | 1 Misskey | 1 Misskey | 2025-09-03 | N/A | 6.1 MEDIUM | 
| @misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn't enforced. Misskey will follow redirects, despite explicitly requesting not to. Version 5.2.1 contains a patch for the issue. | |||||
| CVE-2025-34158 | | | 2025-08-28 | N/A | 8.5 HIGH |
| Plex Media Server (PMS) 1.41.7.x through 1.42.0.x before 1.42.1 is affected by incorrect resource transfer between spheres. | |||||
| CVE-2025-54956 | | | 2025-08-04 | N/A | 3.2 LOW |
| The gh package before 1.5.0 for R delivers an HTTP response in a data structure that includes the Authorization header from the corresponding HTTP request. | |||||
| CVE-2025-54352 | | | 2025-07-22 | N/A | 3.7 LOW |
| WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior. | |||||
| CVE-2025-41645 | | | 2025-05-13 | N/A | 8.6 HIGH |
| An unauthenticated remote attacker could use a demo account of the portal to hijack devices that were created in that account by mistake. | |||||
| CVE-2017-14013 | 1 Prominent | 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware | 2025-04-20 | 6.8 MEDIUM | 5.6 MEDIUM | 
| A Client-Side Enforcement of Server-Side Security issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The log out function in the application removes the user's session only on the client side. This may allow an attacker to bypass protection mechanisms, gain privileges, or assume the identity of an authenticated user. | |||||
| CVE-2016-5062 | 1 Aternity | 1 Aternity | 2025-04-12 | 9.3 HIGH | 9.8 CRITICAL | 
| The web server in Aternity before 9.0.1 does not require authentication for getMBeansFromURL loading of Java MBeans, which allows remote attackers to execute arbitrary Java code by registering MBeans. | |||||
| CVE-2002-0055 | 1 Microsoft | 3 Exchange Server, Windows 2000, Windows Xp | 2025-04-03 | 5.0 MEDIUM | N/A | 
| SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 allows remote attackers to cause a denial of service via a command with a malformed data transfer (BDAT) request. | |||||
