Total: 2201 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-3891 | 1 Blackberry | 1 Qnx Software Development Platform | 2025-08-22 | 6.8 MEDIUM | 9.6 CRITICAL | 
| In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevation of privilege vulnerability in the default configuration of the QNX SDP with QNet enabled on networks comprising two or more QNet nodes could allow an attacker to access local and remote files or take ownership of files on other QNX nodes regardless of permissions by executing commands targeting arbitrary nodes from a secondary QNX 6.6.0 QNet node. | |||||
| CVE-2025-30155 | 1 Enalean | 1 Tuleap | 2025-08-21 | N/A | 4.3 MEDIUM | 
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap does not enforce read permissions on parent trackers in the REST API. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742392651 and Tuleap Enterprise Edition 16.5-5 and 16.4-8. | |||||
| CVE-2025-30209 | 1 Enalean | 1 Tuleap | 2025-08-21 | N/A | 5.3 MEDIUM | 
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker can access release notes content or information via the FRS REST endpoints it should not have access to. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742812323 and Tuleap Enterprise Edition 16.5-6 and 16.4-10. | |||||
| CVE-2024-47077 | 1 Goauthentik | 1 Authentik | 2025-08-21 | N/A | 6.5 MEDIUM | 
| authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access. Anyone who has more than one proxy provider application with different trust domains or different access control is affected. Versions 2024.8.3 and 2024.6.5 fix the issue. | |||||
| CVE-2025-36120 | 1 Ibm | 1 Storage Virtualize | 2025-08-21 | N/A | 8.8 HIGH | 
| IBM Storage Virtualize 8.4, 8.5, 8.6, and 8.7 could allow an authenticated user to escalate their privileges in an SSH session due to incorrect authorization checks to access resources. | |||||
| CVE-2024-37905 | 1 Goauthentik | 1 Authentik | 2025-08-21 | N/A | 8.8 HIGH | 
| authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including resetting user passwords and more. This issue has been patched in version(s) 2024.2.4, 2024.4.2 and 2024.6.0. | |||||
| CVE-2025-57728 | 1 Jetbrains | 1 Intellij Idea | 2025-08-21 | N/A | 6.5 MEDIUM | 
| In JetBrains IntelliJ IDEA before 2025.2, improper access control allowed a Code With Me guest to discover hidden files. | |||||
| CVE-2024-11176 | | | 2025-08-21 | N/A | N/A |
| Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect evaluation of effective permissions. | |||||
| CVE-2025-48757 | | | 2025-08-21 | N/A | 9.3 CRITICAL |
| An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. NOTE: this is disputed by the Supplier because each individual customer of the Lovable platform accepts a responsibility over protecting the data of their application. | |||||
| CVE-2025-9228 | | | 2025-08-20 | N/A | 4.3 MEDIUM |
| MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, allowing low-privilege users to create notes which are intended only for administrative users. | |||||
| CVE-2025-55205 | | | 2025-08-18 | N/A | 9.0 CRITICAL |
| Capsule is a multi-tenancy and policy-based framework for Kubernetes. A namespace label injection vulnerability in Capsule v0.10.3 and earlier allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system), bypassing multi-tenant isolation and potentially accessing cross-tenant resources through TenantResource selectors. This vulnerability enables privilege escalation and violates the fundamental security boundaries that Capsule is designed to enforce. This vulnerability is fixed in 0.10.4. | |||||
| CVE-2025-55213 | | | 2025-08-18 | N/A | N/A |
| OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.9.3 to v1.9.4 (openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObjects calls are executed. This vulnerability is fixed in 1.9.5. | |||||
| CVE-2023-47716 | 1 Ibm | 2 Cp4ba - Filenet Content Manager, Filenet Content Manager | 2025-08-15 | N/A | 6.3 MEDIUM | 
| IBM CP4BA - Filenet Content Manager Component 5.5.8.0, 5.5.10.0, and 5.5.11.0 could allow a user to gain the privileges of another user under unusual circumstances. IBM X-Force ID: 271656. | |||||
| CVE-2025-49556 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-08-15 | N/A | 7.5 HIGH | 
| Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged. | |||||
| CVE-2025-7773 | | | 2025-08-15 | N/A | N/A |
| A security issue exists within the 5032 16pt Digital Configurable module’s web server. The web server’s session number increments at an interval that correlates to the last two consecutive sign in session interval, making it predictable. | |||||
| CVE-2024-10219 | 1 Gitlab | 1 Gitlab | 2025-08-14 | N/A | 6.5 MEDIUM | 
| An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users to bypass access controls and download private artifacts by accessing specific API endpoints. | |||||
| CVE-2024-39690 | 1 Projectcapsule | 1 Capsule | 2025-08-14 | N/A | 8.4 HIGH | 
| Capsule is a multi-tenancy and policy-based framework for Kubernetes. In Capsule v0.7.0 and earlier, the tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace. Version 0.7.1 contains a patch. | |||||
| CVE-2025-8068 | 1 Hasthemes | 1 Ht Mega | 2025-08-13 | N/A | 4.3 MEDIUM | 
| The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary attachment files, and move arbitrary posts, pages, and templates to the Trash. | |||||
| CVE-2023-42124 | 1 Avast | 1 Premium Security | 2025-08-13 | N/A | 7.8 HIGH | 
| Avast Premium Security Sandbox Protection Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avast Premium Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of the sandbox feature. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code outside the sandbox at medium integrity. Was ZDI-CAN-20178. | |||||
| CVE-2025-2242 | 1 Gitlab | 1 Gitlab | 2025-08-13 | N/A | 7.5 HIGH | 
| An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects. | |||||
