Total
34804 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2314 | 2 Iovisor, Linux | 2 Bpf Compiler Collection, Linux Kernel | 2025-08-26 | N/A | 2.8 LOW |
| If kernel headers need to be extracted, bcc will attempt to load them from a temporary directory. An unprivileged attacker could use this to force bcc to load compromised linux headers. Linux distributions which provide kernel headers by default are not affected by default. | |||||
| CVE-2022-1804 | 1 Canonical | 2 Accountsservice, Ubuntu Linux | 2025-08-26 | N/A | 5.5 MEDIUM |
| accountsservice no longer drops permissions when writting .pam_environment | |||||
| CVE-2024-35230 | 1 Osgeo | 1 Geoserver | 2025-08-26 | N/A | 5.3 MEDIUM |
| GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-49753 | 1 Zitadel | 1 Zitadel | 2025-08-26 | N/A | 5.9 MEDIUM |
| Zitadel is open-source identity infrastructure software. Versions prior to 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 have a flaw in the URL validation mechanism of Zitadel actions allows bypassing restrictions intended to block requests to localhost (127.0.0.1). The isHostBlocked check, designed to prevent such requests, can be circumvented by creating a DNS record that resolves to 127.0.0.1. This enables actions to send requests to localhost despite the intended security measures. This vulnerability potentially allows unauthorized access to unsecured internal endpoints, which may contain sensitive information or functionalities. Versions 2.64.1, 2.63.6, 2.62.8, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available. | |||||
| CVE-2024-41138 | 1 Microsoft | 1 Teams | 2025-08-26 | N/A | 7.1 HIGH |
| A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. A specially crafted library can leverage Teams's access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application's permissions. | |||||
| CVE-2024-42004 | 1 Microsoft | 1 Teams | 2025-08-26 | N/A | 7.1 HIGH |
| A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. A specially crafted library can leverage Teams's access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application's permissions. | |||||
| CVE-2024-41145 | 1 Microsoft | 1 Teams | 2025-08-26 | N/A | 7.1 HIGH |
| A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. A specially crafted library can leverage Teams's access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application's permissions. | |||||
| CVE-2024-45271 | 2 Helmholz, Mbconnectline | 4 Rex 100, Rex 100 Firmware, Mbnet.mini and 1 more | 2025-08-26 | N/A | 8.4 HIGH |
| An unauthenticated local attacker can gain admin privileges by deploying a config file due to improper input validation. | |||||
| CVE-2023-2530 | 1 Puppet | 1 Puppet Enterprise | 2025-08-26 | N/A | 9.8 CRITICAL |
| A privilege escalation allowing remote code execution was discovered in the orchestration service. | |||||
| CVE-2024-52815 | 1 Matrix | 1 Synapse | 2025-08-26 | N/A | 5.3 MEDIUM |
| Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users. | |||||
| CVE-2025-8226 | 1 Chancms | 1 Chancms | 2025-08-26 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in yanyutao0402 ChanCMS up to 3.1.2. It has been classified as problematic. Affected is an unknown function of the file /sysApp/find. The manipulation of the argument accessKey/secretKey leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2024-52589 | 1 Discourse | 1 Discourse | 2025-08-26 | N/A | 2.2 LOW |
| Discourse is an open source platform for community discussion. Moderators can see the Screened emails list in the admin dashboard, and through that can learn the email of a user. This problem is patched in the latest version of Discourse. Users unable to upgrade should remove moderator role from untrusted users. | |||||
| CVE-2024-53991 | 1 Discourse | 1 Discourse | 2025-08-26 | N/A | 7.5 HIGH |
| Discourse is an open source platform for community discussion. This vulnerability only impacts Discourse instances configured to use `FileStore::LocalStore` which means uploads and backups are stored locally on disk. If an attacker knows the name of the Discourse backup file, the attacker can trick nginx into sending the Discourse backup file with a well crafted request. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade can either 1. Download all local backups on to another storage device, disable the `enable_backups` site setting and delete all backups until the site has been upgraded to pull in the fix. Or 2. Change the `backup_location` site setting to `s3` so that backups are stored and downloaded directly from S3. | |||||
| CVE-2025-30353 | 1 Monospace | 1 Directus | 2025-08-26 | N/A | 8.6 HIGH |
| Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue. | |||||
| CVE-2025-30352 | 1 Monospace | 1 Directus | 2025-08-26 | N/A | 5.3 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchable columns (numbers & strings) are not checked against permissions when injecting the `where` clauses for applying the search query. This leads to the possibility of enumerating those un-permitted fields. Version 11.5.0 fixes the issue. | |||||
| CVE-2025-49845 | 1 Discourse | 1 Discourse | 2025-08-25 | N/A | 7.5 HIGH |
| Discourse is an open-source discussion platform. The visibility of posts typed `whisper` is controlled via the `whispers_allowed_groups` site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed `whisper`. However, it has been discovered that users of versions prior to 3.4.6 on the `stable` branch and prior to 3.5.0.beta8-dev on the `tests-passed` branch can continue to see their own whispers even after losing visibility of posts typed `whisper`. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available. | |||||
| CVE-2024-1929 | 1 Rpm | 1 Dnf5 | 2025-08-25 | N/A | 7.5 HIGH |
| Local Root Exploit via Configuration Dictionary in dnf5daemon-server before 5.1.17 allows a malicious user to impact Confidentiality and Integrity via Configuration Dictionary. There are issues with the D-Bus interface long before Polkit is invoked. The `org.rpm.dnf.v0.SessionManager.open_session` method takes a key/value map of configuration entries. A sub-entry in this map, placed under the "config" key, is another key/value map. The configuration values found in it will be forwarded as configuration overrides to the `libdnf5::Base` configuration. Practically all libdnf5 configuration aspects can be influenced here. Already when opening the session via D-Bus, the libdnf5 will be initialized using these override configuration values. There is no sanity checking of the content of this "config" map, which is untrusted data. It is possible to make the library loading a plug-in shared library under control of an unprivileged user, hence achieving root access. | |||||
| CVE-2022-41066 | 1 Microsoft | 4 Dynamics 365 Business Central 2019, Dynamics 365 Business Central 2021, Dynamics 365 Business Central 2022 and 1 more | 2025-08-25 | N/A | 4.4 MEDIUM |
| Microsoft Business Central Information Disclosure Vulnerability | |||||
| CVE-2025-21354 | 1 Microsoft | 4 365 Apps, Office, Office Long Term Servicing Channel and 1 more | 2025-08-25 | N/A | 8.4 HIGH |
| Microsoft Excel Remote Code Execution Vulnerability | |||||
| CVE-2025-21188 | 1 Microsoft | 1 Azure Network Watcher | 2025-08-25 | N/A | 6.0 MEDIUM |
| Azure Network Watcher VM Extension Elevation of Privilege Vulnerability | |||||