Total
7134 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-55741 | 2025-08-22 | N/A | 8.1 HIGH | ||
| UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. In versions 0.3.0 and earlier, users without the Delete privilege for products are unable to delete individual products via the standard endpoint, as expected. However, these users can bypass intended access controls by issuing requests to the mass-delete endpoint, allowing them to delete products without proper authorization. This vulnerability allows unauthorized product deletion, leading to potential data loss and business disruption. The issue is fixed in version 0.3.1. No known workarounds exist. | |||||
| CVE-2025-52352 | 2025-08-22 | N/A | 9.8 CRITICAL | ||
| Aikaan IoT management platform v3.25.0325-5-g2e9c59796 provides a configuration to disable user sign-up in distributed deployments by hiding the sign-up option on the login page UI. However, the sign-up API endpoint remains publicly accessible and functional, allowing unauthenticated users to register accounts via APIs even when the feature is disabled. This leads to authentication bypass and unauthorized access to admin portals, violating intended access controls. | |||||
| CVE-2024-12812 | 1 Wedevs | 1 Wp Erp | 2025-08-22 | N/A | 7.5 HIGH |
| The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employees. | |||||
| CVE-2025-54378 | 1 Psu | 2 Haxcms-nodejs, Haxcms-php | 2025-08-21 | N/A | 8.3 HIGH |
| HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php. | |||||
| CVE-2025-8996 | 1 Layout Builder Advanced Permissions Project | 1 Layout Builder Advanced Permissions | 2025-08-21 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0. | |||||
| CVE-2025-8361 | 1 Config Pages Project | 1 Config Pages | 2025-08-21 | N/A | 7.6 HIGH |
| Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.This issue affects Config Pages: from 0.0.0 before 2.18.0. | |||||
| CVE-2025-54608 | 1 Huawei | 1 Harmonyos | 2025-08-20 | N/A | 6.2 MEDIUM |
| Vulnerability that allows setting screen rotation direction without permission verification in the screen management module. Impact: Successful exploitation of this vulnerability may cause device screen orientation to be arbitrarily set. | |||||
| CVE-2025-4046 | 2025-08-20 | N/A | 8.5 HIGH | ||
| A missing authorization vulnerability in Lexmark Cloud Services badge management allows attacker to reassign badges within their organization | |||||
| CVE-2025-49406 | 2025-08-20 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in favethemes Houzez allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Houzez: from n/a through 4.1.1. | |||||
| CVE-2025-9202 | 2025-08-20 | N/A | 4.3 MEDIUM | ||
| The ColorMag theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the ThemeGrill Demo Importer plugin. | |||||
| CVE-2025-8357 | 2025-08-19 | N/A | 4.3 MEDIUM | ||
| The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file deletion in the /wp-content/uploads directory due to insufficient file path validation and user capability checking in the _process_mla_download_file function in all versions up to, and including, 3.27. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server from the /wp-content/uploads/ directory. | |||||
| CVE-2025-7499 | 2025-08-18 | N/A | 5.3 MEDIUM | ||
| The BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_response function in all versions up to and including 4.1.1. This makes it possible for unauthenticated attackers to retrieve passwords for password-protected documents as well as the metadata of private and draft documents. | |||||
| CVE-2025-7664 | 2025-08-18 | N/A | 7.5 HIGH | ||
| The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.0.2. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header. | |||||
| CVE-2025-8898 | 2025-08-18 | N/A | 9.8 CRITICAL | ||
| The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identity prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2025-8342 | 2025-08-15 | N/A | 8.1 HIGH | ||
| The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured. | |||||
| CVE-2024-12553 | 1 Geovision | 1 Gv-asmanager | 2025-08-14 | N/A | 6.5 MEDIUM |
| GeoVision GV-ASManager Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of GeoVision GV-ASManager. Although authentication is required to exploit this vulnerability, default guest credentials may be used. The specific flaw exists within the GV-ASWeb service. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-25394. | |||||
| CVE-2025-49747 | 1 Microsoft | 1 Azure Machine Learning | 2025-08-14 | N/A | 9.9 CRITICAL |
| Missing authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network. | |||||
| CVE-2025-50171 | 1 Microsoft | 3 Windows Server 2022, Windows Server 2022 23h2, Windows Server 2025 | 2025-08-14 | N/A | 9.1 CRITICAL |
| Missing authorization in Remote Desktop Server allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2025-52721 | 2025-08-14 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in LCweb Global Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Global Gallery: from n/a through 9.2.3. | |||||
| CVE-2025-5953 | 1 Mishubd | 1 Wp Human Resource Management | 2025-08-13 | N/A | 8.8 HIGH |
| The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator. | |||||