Total
5595 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-29756 | 2025-06-12 | N/A | N/A | ||
| SunGrow's back end users system iSolarCloud https://isolarcloud.com uses an MQTT service to transport data from the user's connected devices to the user's web browser. The MQTT server however did not have sufficient restrictions in place to limit the topics that a user could subscribe to. While the data that is transmitted through the MQTT server is encrypted and the credentials for the MQTT server are obtained though an API call, the credentials could be used to subscribe to any topic and the encryption key can be used to decrypt all messages received. An attack with an account on iSolarCloud.com could extract MQTT credentials and the decryption key from the browser and then use an external program to subscribe to the topic '#' and thus recieve all messages from all connected devices. | |||||
| CVE-2025-49181 | 2025-06-12 | N/A | 8.6 HIGH | ||
| Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service attack. | |||||
| CVE-2025-1055 | 2025-06-12 | N/A | 5.6 MEDIUM | ||
| A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL requests to terminate a wide range of processes running with administrative or system-level privileges, with the exception of those inherently protected by the operating system. This flaw stems from missing access control in the driver's IOCTL handler, enabling unprivileged users to perform privileged actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical services or privileged applications. | |||||
| CVE-2025-47887 | 1 Jenkins | 1 Cadence Vmanager | 2025-06-12 | N/A | 4.3 MEDIUM |
| Missing permission checks in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. | |||||
| CVE-2023-6029 | 1 Spider-themes | 1 Eazydocs | 2025-06-11 | N/A | 7.5 HIGH |
| The EazyDocs WordPress plugin before 2.3.6 does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing unauthenticated users to delete arbitrary posts, as well as add and delete documents/sections. | |||||
| CVE-2023-50944 | 1 Apache | 1 Airflow | 2025-06-11 | N/A | 6.5 MEDIUM |
| Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue. | |||||
| CVE-2024-3932 | 2025-06-11 | 2.6 LOW | 3.1 LOW | ||
| A vulnerability classified as problematic has been found in Totara LMS up to 18.7. This affects an unknown part of the component User Selector. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 13.46, 14.38, 15.33, 16.27, 17.21 and 18.8 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-5766 | 1 Code-projects | 1 Simple Laundry System | 2025-06-10 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in code-projects Laundry System 1.0. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-48009 | 1 Single Content Sync Project | 1 Single Content Sync | 2025-06-10 | N/A | 3.1 LOW |
| Missing Authorization vulnerability in Drupal Single Content Sync allows Functionality Misuse.This issue affects Single Content Sync: from 0.0.0 before 1.4.12. | |||||
| CVE-2025-47709 | 1 Miniorange | 1 Miniorange 2fa | 2025-06-10 | N/A | 6.5 MEDIUM |
| Missing Authorization vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Forceful Browsing.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0. | |||||
| CVE-2025-5732 | 1 Carmelogarcia | 1 Traffic Offense Reporting System | 2025-06-10 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in code-projects Traffic Offense Reporting System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-2299 | 1 Vcita | 1 Online Booking \& Scheduling Calendar | 2025-06-10 | N/A | 5.3 MEDIUM |
| The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction function. This makes it possible for unauthenticated attackers modify the plugin's settings. | |||||
| CVE-2023-2415 | 1 Vcita | 1 Online Booking \& Scheduling Calendar | 2025-06-10 | N/A | 5.4 MEDIUM |
| The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_logout_callback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to logout a vctia connected account which would cause a denial of service on the appointment scheduler. | |||||
| CVE-2024-32948 | 1 Reputeinfosystems | 1 Armember | 2025-06-09 | N/A | 9.1 CRITICAL |
| Missing Authorization vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.28. | |||||
| CVE-2024-32776 | 1 Apppresser | 1 Apppresser | 2025-06-09 | N/A | 6.5 MEDIUM |
| Missing Authorization vulnerability in AppPresser Team AppPresser.This issue affects AppPresser: from n/a through 4.3.0. | |||||
| CVE-2024-34372 | 1 Addonmaster | 1 Post Grid Master | 2025-06-09 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in AddonMaster Post Grid Master.This issue affects Post Grid Master: from n/a through 3.4.7. | |||||
| CVE-2023-48740 | 1 Easysocialfeed | 1 Easy Social Feed | 2025-06-09 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Easy Social Feed Easy Social Feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Social Feed: from n/a through 6.5.1. | |||||
| CVE-2023-47841 | 1 Analytify | 1 Analytify - Google Analytics Dashboard | 2025-06-09 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Analytify Analytify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Analytify: from n/a through 5.1.1. | |||||
| CVE-2023-47832 | 1 Searchiq | 1 Searchiq | 2025-06-09 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in searchiq SearchIQ allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SearchIQ: from n/a through 4.4. | |||||
| CVE-2023-47770 | 1 Muffingroup | 1 Betheme | 2025-06-09 | N/A | 7.6 HIGH |
| Missing Authorization vulnerability in Muffin Group Betheme.This issue affects Betheme: from n/a through 27.1.1. | |||||