Total
9259 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-58752 | 1 Vitejs | 1 Vite | 2025-09-17 | N/A | 5.3 MEDIUM |
| Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue. | |||||
| CVE-2025-43356 | 1 Apple | 7 Ipados, Iphone Os, Macos and 4 more | 2025-09-17 | N/A | 6.5 MEDIUM |
| The issue was addressed with improved handling of caches. This issue is fixed in tvOS 26, Safari 26, iOS 18.7 and iPadOS 18.7, visionOS 26, watchOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. A website may be able to access sensor information without user consent. | |||||
| CVE-2025-43362 | 1 Apple | 2 Ipados, Iphone Os | 2025-09-17 | N/A | 9.8 CRITICAL |
| The issue was addressed with improved checks. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26. An app may be able to monitor keystrokes without user permission. | |||||
| CVE-2025-43367 | 1 Apple | 1 Macos | 2025-09-17 | N/A | 5.5 MEDIUM |
| A privacy issue was addressed by moving sensitive data. This issue is fixed in macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to access protected user data. | |||||
| CVE-2025-8852 | 1 5kcrm | 1 Wukongcrm | 2025-09-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was identified in WuKongOpenSource WukongCRM 11.0. This affects an unknown part of the file /adminFile/upload of the component API Response Handler. The manipulation leads to information exposure through error message. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-56406 | 2025-09-16 | N/A | 7.5 HIGH | ||
| An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for MCP servers, and the mcp-neo4j MCP server is only intended for use in a local environment where authentication realistically would not be needed. Also, the Supplier provides middleware to help isolate the MCP server from external access (if needed). | |||||
| CVE-2025-9808 | 2025-09-16 | N/A | 5.3 MEDIUM | ||
| The The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.15.2 via the REST endpoint. This makes it possible for unauthenticated attackers to extract information about password-protected vendors or venues. | |||||
| CVE-2025-26711 | 2025-09-16 | N/A | 5.7 MEDIUM | ||
| There is an unauthorized access vulnerability in ZTE T5400. Due to improper permission control of the Web module interface, an unauthorized attacker can obtain sensitive information through the interface. | |||||
| CVE-2025-26710 | 2025-09-16 | N/A | 3.5 LOW | ||
| There is an an information disclosure vulnerability in ZTE T5400. Due to improper configuration of the access control mechanism, attackers can obtain information through interfaces without authorization, causing the risk of information disclosure. | |||||
| CVE-2025-53640 | 1 Cern | 1 Indico | 2025-09-15 | N/A | 6.5 MEDIUM |
| Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk. Version 3.3.7 fixes the issue. Owners of instances that allow everyone to create a user account, who wish to truly restrict access to these user details, should consider restricting user search to managers. As a workaround, it is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended. | |||||
| CVE-2025-56467 | 2025-09-15 | N/A | 6.5 MEDIUM | ||
| An issue was discovered in AXIS BANK LIMITED Axis Mobile App 9.9 that allows attackers to obtain sensitive information without a UPI PIN, such as account information, balances, transaction history, and unspecified other information. NOTE: the Supplier's perspective is that this is an intended feature and "does not reveal much sensitive information." | |||||
| CVE-2024-38030 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2025-09-15 | N/A | 6.5 MEDIUM |
| Windows Themes Spoofing Vulnerability | |||||
| CVE-2024-21320 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2025-09-15 | N/A | 6.5 MEDIUM |
| Windows Themes Spoofing Vulnerability | |||||
| CVE-2025-52488 | 1 Dnnsoftware | 1 Dotnetnuke | 2025-09-15 | N/A | 8.6 HIGH |
| DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1. | |||||
| CVE-2025-47997 | 1 Microsoft | 4 Sql Server 2016, Sql Server 2017, Sql Server 2019 and 1 more | 2025-09-12 | N/A | 6.5 MEDIUM |
| Concurrent execution using shared resource with improper synchronization ('race condition') in SQL Server allows an authorized attacker to disclose information over a network. | |||||
| CVE-2024-52297 | 1 Tolgee | 1 Tolgee | 2025-09-11 | N/A | 9.8 CRITICAL |
| Tolgee is an open-source localization platform. Tolgee 3.81.1 included the all configuration properties in the PublicConfiguratioDTO publicly exposed to users. This vulnerability is fixed in v3.81.2. | |||||
| CVE-2025-55052 | 2025-09-11 | N/A | 4.3 MEDIUM | ||
| CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | |||||
| CVE-2025-29089 | 2025-09-11 | N/A | 7.5 HIGH | ||
| An issue in TP-Link AX10 Ax1500 v.1.3.10 Build (20230130) allows a remote attacker to obtain sensitive information | |||||
| CVE-2025-36759 | 2025-09-11 | N/A | N/A | ||
| Through the provision of user names, SolaX Cloud will suggest (similar) user accounts and thereby leak sensitive information such as user email addresses and phone numbers. | |||||
| CVE-2025-9139 | 1 Scada-lts | 1 Scada-lts | 2025-09-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was determined in Scada-LTS 2.7.8.1. Affected by this vulnerability is an unknown functionality of the file /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr. Executing manipulation can lead to information disclosure. The attack may be performed from a remote location. The exploit has been publicly disclosed and may be utilized. The vendor explains: "[T]he risks of indicated vulnerabilities seem to be minimal as all scenarios likely require admin permissions. Moreover, regardless our team fixes those vulnerabilities - the overall risk change to the user due to malicious admin actions will not be lower." | |||||