Total
562 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10576 | 2025-10-16 | N/A | N/A | ||
| Potential vulnerabilities have been identified in the audio package for certain HP PC products using the Sound Research SECOMN64 driver, which might allow escalation of privilege. HP is releasing updated audio packages to mitigate the potential vulnerabilities. | |||||
| CVE-2024-13211 | 1 Singmr | 1 Houserent | 2025-10-15 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in SingMR HouseRent 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file src/main/java/com/house/wym/controller/AdminController.java. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3398 | 1 Lenve | 1 Vblog | 2025-10-15 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical was found in lenve VBlog up to 1.0.0. Affected by this vulnerability is the function configure of the file blogserver/src/main/java/org/sang/config/WebSecurityConfig.java. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-3013 | 1 Flir | 2 Flir Ax8, Flir Ax8 Firmware | 2025-10-15 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in Teledyne FLIR AX8 up to 1.46.16. The impacted element is an unknown function of the file /tools/test_login.php?action=register of the component User Registration. Executing manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 1.49.16 is sufficient to resolve this issue. Upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities." | |||||
| CVE-2025-3790 | 1 Jsite | 1 Jsite | 2025-10-15 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability classified as critical has been found in baseweb JSite 1.0. This affects an unknown part of the file /druid/index.html of the component Apache Druid Monitoring Console. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0628 | 2025-10-15 | N/A | 8.1 HIGH | ||
| An improper authorization vulnerability exists in the main-latest version of BerriAI/litellm. When a user with the role 'internal_user_viewer' logs into the application, they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the application, including endpoints such as '/users/list' and '/users/get_users'. This vulnerability allows for privilege escalation within the application, enabling any account to become a PROXY ADMIN. | |||||
| CVE-2025-10422 | 1 Newbee-mall Project | 1 Newbee-mall | 2025-10-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in newbee-mall up to 613a662adf1da7623ec34459bc83e3c1b12d8ce7. This issue affects the function paySuccess of the file /paySuccess of the component Order Status Handler. The manipulation of the argument orderNo leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | |||||
| CVE-2025-11554 | 2025-10-14 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security vulnerability has been detected in Portabilis i-Educar up to 2.9.10. Affected by this issue is some unknown functionality of the file app/Http/Controllers/AccessLevelController.php of the component User Type Handler. The manipulation leads to insecure inherited permissions. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-11641 | 2025-10-14 | 3.7 LOW | 3.9 LOW | ||
| A vulnerability was determined in Tomofun Furbo 360 and Furbo Mini. This impacts an unknown function of the component Trial Restriction Handler. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The attack is considered to have high complexity. The exploitability is said to be difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-11646 | 2025-10-14 | 5.8 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was detected in Tomofun Furbo 360 and Furbo Mini. This vulnerability affects unknown code of the component GATT Service. The manipulation results in improper access controls. The attack can only be performed from the local network. The exploit is now public and may be used. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10389 | 1 Crmeb | 1 Crmeb | 2025-10-14 | 5.5 MEDIUM | 5.4 MEDIUM |
| A security flaw has been discovered in CRMEB up to 5.6.1. Impacted is the function Save of the file app/services/system/admin/SystemAdminServices.php of the component Administrator Password Handler. Performing manipulation of the argument ID results in improper authorization. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10390 | 1 Crmeb | 1 Crmeb | 2025-10-14 | 5.5 MEDIUM | 5.4 MEDIUM |
| A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-23260 | 1 Nvidia | 1 Aistore On Kubernetes | 2025-10-14 | N/A | 5.0 MEDIUM |
| NVIDIA AIStore contains a vulnerability in the AIS Operator where a user may gain elevated k8s cluster access by using the ServiceAccount attached to the ClusterRole. A successful exploit of this vulnerability may lead to information disclosure. | |||||
| CVE-2024-45187 | 1 Mage | 1 Mage-ai | 2025-10-10 | N/A | 7.1 HIGH |
| Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server | |||||
| CVE-2025-4017 | 1 Xxyopen | 1 Novel-plus | 2025-10-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This vulnerability affects the function list of the file nnovel-admin/src/main/java/com/java2nb/common/controller/LogController.java. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-2089 | 1 Starsea99 | 1 Starsea-mall | 2025-10-10 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability has been found in StarSea99 starsea-mall 1.0/2.X and classified as critical. Affected by this vulnerability is the function updateUserInfo of the file /personal/updateInfo of the component com.siro.mall.controller.mall.UserController. The manipulation of the argument userId leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-10384 | 1 Ruoyi | 1 Ruoyi | 2025-10-10 | 5.5 MEDIUM | 5.4 MEDIUM |
| A flaw has been found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/cancelAll of the component Role Handler. Executing manipulation of the argument roleId/userIds can lead to improper authorization. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-4819 | 1 Ruoyi | 1 Ruoyi | 2025-10-10 | 2.1 LOW | 3.1 LOW |
| A vulnerability classified as problematic has been found in y_project RuoYi 4.8.0. Affected is an unknown function of the file /monitor/online/batchForceLogout of the component Offline Logout. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3564 | 1 Huanfenz | 1 Studentmanager | 2025-10-10 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in huanfenz/code-projects StudentManager up to 1.0. This affects an unknown part of the component Teacher String Handler. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-40433 | 1 Tencent | 1 Wechat | 2025-10-10 | N/A | 8.8 HIGH |
| Insecure Permissions vulnerability in Tencent wechat v.8.0.37 allows an attacker to escalate privileges via the web-view component. | |||||