Total
2109 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-6707 | 2025-06-26 | N/A | 4.2 MEDIUM | ||
| Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5. | |||||
| CVE-2025-52890 | 2025-06-26 | N/A | 8.1 HIGH | ||
| Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to ARP spoofing on the bridge and to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue. | |||||
| CVE-2025-5822 | 2025-06-26 | N/A | 7.1 HIGH | ||
| Autel MaxiCharger AC Wallbox Commercial Technician API Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. An attacker must first obtain a low-privileged authorization token in order to exploit this vulnerability. The specific flaw exists within the implementation of the Autel Technician API. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-26325. | |||||
| CVE-2025-48757 | 2025-06-25 | N/A | 9.3 CRITICAL | ||
| An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. | |||||
| CVE-2023-40611 | 1 Apache | 1 Airflow | 2025-06-25 | N/A | 4.3 MEDIUM |
| Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later which has removed the vulnerability. | |||||
| CVE-2025-3647 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 4.3 MEDIUM |
| A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve. | |||||
| CVE-2025-3645 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 4.3 MEDIUM |
| A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses. | |||||
| CVE-2025-3644 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 4.3 MEDIUM |
| A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify. | |||||
| CVE-2024-3511 | 2025-06-23 | N/A | 4.3 MEDIUM | ||
| An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization. Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance. | |||||
| CVE-2025-52487 | 2025-06-23 | N/A | N/A | ||
| DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 7.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request or proxy to be created that could bypass the design of DNN Login IP Filters allowing login attempts from IP Addresses not in the allow list. This issue has been patched in version 10.0.1. | |||||
| CVE-2025-21557 | 1 Oracle | 1 Application Express | 2025-06-23 | N/A | 5.4 MEDIUM |
| Vulnerability in Oracle Application Express (component: General). Supported versions that are affected are 23.2 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2025-21568 | 1 Oracle | 1 Hyperion Data Relationship Management | 2025-06-23 | N/A | 4.5 MEDIUM |
| Vulnerability in the Oracle Hyperion Data Relationship Management product of Oracle Hyperion (component: Access and Security). The supported version that is affected is 11.2.19.0.000. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Data Relationship Management. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Data Relationship Management accessible data. CVSS 3.1 Base Score 4.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N). | |||||
| CVE-2025-21569 | 1 Oracle | 1 Hyperion Data Relationship Management | 2025-06-23 | N/A | 6.6 MEDIUM |
| Vulnerability in the Oracle Hyperion Data Relationship Management product of Oracle Hyperion (component: Web Services). The supported version that is affected is 11.2.19.0.000. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Data Relationship Management. Successful attacks of this vulnerability can result in takeover of Oracle Hyperion Data Relationship Management. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2025-21553 | 1 Oracle | 1 Java Virtual Machine | 2025-06-23 | N/A | 4.2 MEDIUM |
| Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.25, 21.3-21.16 and 23.4-23.6. Difficult to exploit vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java VM accessible data as well as unauthorized read access to a subset of Java VM accessible data. CVSS 3.1 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N). | |||||
| CVE-2025-21533 | 1 Oracle | 1 Vm Virtualbox | 2025-06-23 | N/A | 5.5 MEDIUM |
| Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.24 and prior to 7.1.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 5.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2025-21516 | 1 Oracle | 1 E-business Suite | 2025-06-23 | N/A | 8.1 HIGH |
| Vulnerability in the Oracle Customer Care product of Oracle E-Business Suite (component: Service Requests). Supported versions that are affected are 12.2.5-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Customer Care. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Customer Care accessible data as well as unauthorized access to critical data or complete access to all Oracle Customer Care accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | |||||
| CVE-2025-21506 | 1 Oracle | 1 E-business Suite | 2025-06-23 | N/A | 8.1 HIGH |
| Vulnerability in the Oracle Project Foundation product of Oracle E-Business Suite (component: Technology Foundation). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project Foundation. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Project Foundation accessible data as well as unauthorized access to critical data or complete access to all Oracle Project Foundation accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | |||||
| CVE-2024-37775 | 1 Sunbirddcim | 1 Dctrack | 2025-06-20 | N/A | 7.5 HIGH |
| Incorrect access control in Sunbird DCIM dcTrack v9.1.2 allows attackers to create or update a ticket with a location which bypasses an RBAC check. | |||||
| CVE-2025-21561 | 1 Oracle | 1 Peoplesoft Enterprise Scm Purchasing | 2025-06-20 | N/A | 5.4 MEDIUM |
| Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM Purchasing accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | |||||
| CVE-2025-21554 | 1 Oracle | 1 Communications Order And Service Management | 2025-06-20 | N/A | 5.3 MEDIUM |
| Vulnerability in the Oracle Communications Order and Service Management product of Oracle Communications Applications (component: Security). Supported versions that are affected are 7.4.0, 7.4.1 and 7.5.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Order and Service Management. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Communications Order and Service Management accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | |||||