Total
7141 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11758 | 2025-11-04 | N/A | 6.5 MEDIUM | ||
| The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules). | |||||
| CVE-2025-12157 | 2025-11-04 | N/A | 5.3 MEDIUM | ||
| The Simple User Capabilities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_reset_capability' AJAX endpoint in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to reset any user's capabilities. | |||||
| CVE-2025-30461 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 9.8 CRITICAL |
| An access issue was addressed with additional sandbox restrictions on the system pasteboards. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data. | |||||
| CVE-2025-24245 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 9.8 CRITICAL |
| This issue was addressed by adding a delay between verification code attempts. This issue is fixed in macOS Sequoia 15.4. A malicious app may be able to access a user's saved passwords. | |||||
| CVE-2023-30581 | 1 Nodejs | 1 Node.js | 2025-11-03 | N/A | 7.5 HIGH |
| The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js | |||||
| CVE-2025-24108 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 5.5 MEDIUM |
| An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.3. An app may be able to access protected user data. | |||||
| CVE-2025-24096 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 5.5 MEDIUM |
| This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.3. A malicious app may be able to access arbitrary files. | |||||
| CVE-2025-59461 | 1 Sick | 2 Tloc100-100, Tloc100-100 Firmware | 2025-11-03 | N/A | 7.6 HIGH |
| A remote unauthenticated attacker may use the unauthenticated C++ API to access or modify sensitive data and disrupt services. | |||||
| CVE-2025-43331 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 4.0 MEDIUM |
| A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access protected user data. | |||||
| CVE-2025-43318 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 6.2 MEDIUM |
| This issue was addressed with additional entitlement checks. This issue is fixed in macOS Tahoe 26. An app with root privileges may be able to access private information. | |||||
| CVE-2025-11702 | 1 Gitlab | 1 Gitlab | 2025-11-03 | N/A | 8.5 HIGH |
| GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects. | |||||
| CVE-2025-8223 | 1 Jerryshensjf | 1 Jpacookieshop | 2025-10-31 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. This affects an unknown part of the file AdminTypeCustController.java. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | |||||
| CVE-2025-62642 | 1 Rbi | 1 Restaurant Brands International Assistant | 2025-10-31 | N/A | 5.8 MEDIUM |
| The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account. | |||||
| CVE-2025-11705 | 2025-10-30 | N/A | 6.5 MEDIUM | ||
| The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
| CVE-2025-10008 | 2025-10-30 | N/A | 5.3 MEDIUM | ||
| The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options. | |||||
| CVE-2025-11632 | 2025-10-30 | N/A | 4.3 MEDIUM | ||
| The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to billing portal, where they can view and modify billing information of the connected, account, generate chat session tokens, view domain status, etc. This vulnerability was partially fixed in version 1.5.4 and fully fixed in version 1.5.5 | |||||
| CVE-2025-11881 | 2025-10-30 | N/A | 5.3 MEDIUM | ||
| The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data including plugin and theme names and version numbers, which can be used to facilitate targeted attacks against outdated or vulnerable components. | |||||
| CVE-2025-6205 | 1 3ds | 1 Delmia Apriso | 2025-10-29 | N/A | 9.1 CRITICAL |
| A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application. | |||||
| CVE-2025-41443 | 1 Mattermost | 1 Mattermost Server | 2025-10-29 | N/A | 4.3 MEDIUM |
| Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint | |||||
| CVE-2025-9133 | 1 Zyxel | 17 Atp100, Atp100w, Atp200 and 14 more | 2025-10-28 | N/A | 8.1 HIGH |
| A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker—who has completed only the first stage of the two-factor authentication (2FA) process—to view and download the system configuration from an affected device. | |||||