Total
2600 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-13468 | 1 Oretnom23 | 1 Alumni Management System | 2025-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| A weakness has been identified in SourceCodester Alumni Management System 1.0. This issue affects the function delete_forum/delete_career/delete_comment/delete_gallery/delete_event of the file admin/admin_class.php of the component Delete Handler. Executing manipulation of the argument ID can lead to missing authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-49145 | 1 Combodo | 1 Itop | 2025-11-21 | N/A | 8.7 HIGH |
| Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature. | |||||
| CVE-2025-64753 | 1 Getgrist | 1 Grist-core | 2025-11-20 | N/A | 5.3 MEDIUM |
| grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint. | |||||
| CVE-2025-7736 | 1 Gitlab | 1 Gitlab | 2025-11-19 | N/A | 3.1 LOW |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers. | |||||
| CVE-2025-41346 | 1 Iest | 1 Winplus | 2025-11-19 | N/A | 9.8 CRITICAL |
| Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application. | |||||
| CVE-2025-11865 | 1 Gitlab | 1 Gitlab | 2025-11-19 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user. | |||||
| CVE-2025-65073 | 2025-11-18 | N/A | 7.5 HIGH | ||
| OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization. | |||||
| CVE-2025-64707 | 1 Frappe | 1 Learning | 2025-11-17 | N/A | 5.4 MEDIUM |
| Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated. | |||||
| CVE-2025-11777 | 1 Mattermost | 1 Mattermost Server | 2025-11-17 | N/A | 3.1 LOW |
| Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint | |||||
| CVE-2025-11776 | 1 Mattermost | 1 Mattermost Server | 2025-11-17 | N/A | 4.3 MEDIUM |
| Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint | |||||
| CVE-2025-41436 | 1 Mattermost | 1 Mattermost Server | 2025-11-17 | N/A | 3.1 LOW |
| Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads | |||||
| CVE-2025-62394 | 1 Moodle | 1 Moodle | 2025-11-14 | N/A | 4.3 MEDIUM |
| Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information. | |||||
| CVE-2025-12149 | 2025-11-14 | N/A | N/A | ||
| In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices. | |||||
| CVE-2025-13063 | 2025-11-14 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in DinukaNavaratna Dee Store 1.0. Affected is an unknown function. Executing manipulation can lead to missing authorization. The attack may be performed from remote. The exploit has been published and may be used. Multiple endpoints are affected. | |||||
| CVE-2025-65002 | 2025-11-14 | N/A | 7.5 HIGH | ||
| Fujitsu / Fsas Technologies iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters. | |||||
| CVE-2025-12621 | 2025-11-12 | N/A | 5.3 MEDIUM | ||
| The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds. | |||||
| CVE-2025-11862 | 2025-11-12 | N/A | N/A | ||
| A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API. | |||||
| CVE-2025-62795 | 1 Fit2cloud | 1 Jumpserver | 2025-11-12 | N/A | 7.1 HIGH |
| JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts. | |||||
| CVE-2025-62275 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-11-10 | N/A | 5.3 MEDIUM |
| Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers to view the images in a blog entry via crafted URL. | |||||
| CVE-2021-40655 | 1 Dlink | 2 Dir-605l, Dir-605l Firmware | 2025-11-10 | 5.0 MEDIUM | 7.5 HIGH |
| An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page | |||||