Total
1399 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-49131 | 2025-06-12 | N/A | 6.3 MEDIUM | ||
| FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows and conversational agents. The Sandbox container (fastgpt-sandbox) is a specialized, isolated environment used by FastGPT to safely execute user-submitted or dynamically generated code in isolation. The sandbox before version 4.9.11 has insufficient isolation and inadequate restrictions on code execution by allowing overly permissive syscalls, which allows attackers to escape the intended sandbox boundaries. Attackers could exploit this to read and overwrite arbitrary files and bypass Python module import restrictions. This is patched in version 4.9.11 by restricting the allowed system calls to a safer subset and additional descriptive error messaging. | |||||
| CVE-2025-1731 | 2025-06-12 | N/A | 7.8 HIGH | ||
| An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid. | |||||
| CVE-2023-49257 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-11 | N/A | 8.8 HIGH |
| An authenticated user is able to upload an arbitrary CGI-compatible file using the certificate upload utility and execute it with the root user privileges. | |||||
| CVE-2022-1348 | 2 Fedoraproject, Logrotate Project | 2 Fedora, Logrotate | 2025-06-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0. | |||||
| CVE-2025-3936 | 2 Microsoft, Tridium | 3 Windows, Niagara, Niagara Enterprise Security | 2025-06-04 | N/A | 6.5 MEDIUM |
| Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. | |||||
| CVE-2025-3944 | 4 Blackberry, Linux, Microsoft and 1 more | 5 Qnx, Linux Kernel, Windows and 2 more | 2025-06-04 | N/A | 7.2 HIGH |
| Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows File Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. | |||||
| CVE-2025-40574 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-06-04 | N/A | 7.8 HIGH |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions). Affected devices do not properly assign permissions to critical ressources. This could allow a non-privileged local attacker to interact with the backupmanager service. | |||||
| CVE-2025-40572 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-06-04 | N/A | 5.5 MEDIUM |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions). Affected devices do not properly assign permissions to critical ressources. This could allow a non-privileged local attacker to access sensitive information stored on the device. | |||||
| CVE-2024-23223 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-06-04 | N/A | 6.2 MEDIUM |
| A privacy issue was addressed with improved handling of files. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An app may be able to access sensitive user data. | |||||
| CVE-2025-20298 | 2025-06-04 | N/A | 8.0 HIGH | ||
| In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents. | |||||
| CVE-2025-48961 | 2025-06-04 | N/A | 7.3 HIGH | ||
| Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39938. | |||||
| CVE-2024-45655 | 2025-06-04 | N/A | 5.5 MEDIUM | ||
| IBM Application Gateway 19.12 through 24.09 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment. | |||||
| CVE-2025-30408 | 2025-06-04 | N/A | 6.7 MEDIUM | ||
| Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39904, Acronis Cyber Protect 16 (Windows) before build 39938. | |||||
| CVE-2024-22236 | 1 Vmware | 1 Spring Cloud Contract | 2025-06-03 | N/A | 3.3 LOW |
| In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency. | |||||
| CVE-2023-34042 | 1 Vmware | 1 Spring Security | 2025-06-03 | N/A | 4.1 MEDIUM |
| The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue. | |||||
| CVE-2023-6506 | 1 Wpwhitesecurity | 1 Wp 2fa | 2025-06-03 | N/A | 4.3 MEDIUM |
| The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site. | |||||
| CVE-2023-52116 | 1 Huawei | 2 Emui, Harmonyos | 2025-06-02 | N/A | 7.5 HIGH |
| Permission management vulnerability in the multi-screen interaction module. Successful exploitation of this vulnerability may cause service exceptions of the device. | |||||
| CVE-2024-2905 | 2025-05-29 | N/A | 6.2 MEDIUM | ||
| A security vulnerability has been discovered within rpm-ostree, pertaining to the /etc/shadow file in default builds having the world-readable bit enabled. This issue arises from the default permissions being set at a higher level than recommended, potentially exposing sensitive authentication data to unauthorized access. | |||||
| CVE-2022-2995 | 1 Kubernetes | 1 Cri-o | 2025-05-29 | N/A | 7.1 HIGH |
| Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. | |||||
| CVE-2025-48747 | 2025-05-29 | N/A | 5.0 MEDIUM | ||
| Netwrix Directory Manager (formerly Imanami GroupID) before and including v.11.0.0.0 and after v.11.1.25134.03 has Incorrect Permission Assignment for a Critical Resource. | |||||