Total
3976 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-43328 | 1 Apple | 1 Macos | 2025-09-30 | N/A | 3.3 LOW |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data. | |||||
| CVE-2025-43332 | 1 Apple | 1 Macos | 2025-09-30 | N/A | 5.2 MEDIUM |
| A file quarantine bypass was addressed with additional checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to break out of its sandbox. | |||||
| CVE-2024-36241 | 1 Mattermost | 1 Mattermost Server | 2025-09-30 | N/A | 3.1 LOW |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls which allows user to view arbitrary post contents via the /playbook add slash command | |||||
| CVE-2024-34152 | 1 Mattermost | 1 Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper access control which allows a guest to get the metadata of a public playbook run that linked to the channel they are guest via sending an RHSRuns GraphQL query request to the server | |||||
| CVE-2024-32045 | 1 Mattermost | 1 Mattermost Server | 2025-09-30 | N/A | 5.9 MEDIUM |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access controls for channel and team membership when linking a playbook run to a channel which allows members to link their runs to private channels they were not members of. | |||||
| CVE-2024-31859 | 1 Mattermost | 1 Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks which allows a member running a playbook in an existing channel to be promoted to a channel admin | |||||
| CVE-2025-11136 | 2025-09-29 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A flaw has been found in YiFang CMS up to 2.0.2. The impacted element is the function webUploader of the file app/app/controller/File.php of the component Backend. Executing manipulation of the argument uploadpath can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2025-10093 | 1 Dlink | 2 Dir-852, Dir-852 Firmware | 2025-09-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was identified in D-Link DIR-852 up to 1.00CN B09. Affected by this vulnerability is the function phpcgi_main of the file /getcfg.php of the component Device Configuration Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-48869 | 1 Horilla | 1 Horilla | 2025-09-29 | N/A | 7.5 HIGH |
| Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, allowing attackers to retrieve sensitive candidate information without authentication. At time of publication there is no known patch. | |||||
| CVE-2024-28016 | 1 Nec | 118 Aterm Cr2500p, Aterm Cr2500p Firmware, Aterm Mr01ln and 115 more | 2025-09-29 | N/A | 6.0 MEDIUM |
| Improper Access Controlvulnerability in NEC Corporation Aterm WG1800HP4, WG1200HS3, WG1900HP2, WG1200HP3, WG1800HP3, WG1200HS2, WG1900HP, WG1200HP2, W1200EX(-MS), WG1200HS, WG1200HP, WF300HP2, W300P, WF800HP, WR8165N, WG2200HP, WF1200HP2, WG1800HP2, WF1200HP, WG600HP, WG300HP, WF300HP, WG1800HP, WG1400HP, WR8175N, WR9300N, WR8750N, WR8160N, WR9500N, WR8600N, WR8370N, WR8170N, WR8700N, WR8300N, WR8150N, WR4100N, WR4500N, WR8100N, WR8500N, CR2500P, WR8400N, WR8200N, WR1200H, WR7870S, WR6670S, WR7850S, WR6650S, WR6600H, WR7800H, WM3400RN, WM3450RN, WM3500R, WM3600R, WM3800R, WR8166N, MR01LN MR02LN, WG1810HP(JE) and WG1810HP(MF) all versions allows a attacker to get device informations via the internet. | |||||
| CVE-2025-46589 | 1 Huawei | 1 Harmonyos | 2025-09-26 | N/A | 4.4 MEDIUM |
| Vulnerability of unauthorized access in the app lock module Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. | |||||
| CVE-2025-46588 | 1 Huawei | 1 Harmonyos | 2025-09-26 | N/A | 4.4 MEDIUM |
| Vulnerability of unauthorized access in the app lock module Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. | |||||
| CVE-2025-30438 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2025-09-26 | N/A | 5.5 MEDIUM |
| This issue was addressed with improved access restrictions. This issue is fixed in visionOS 2.4, macOS Ventura 13.7.5, tvOS 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A malicious app may be able to dismiss the system notification on the Lock Screen that a recording was started. | |||||
| CVE-2025-10957 | 2025-09-26 | N/A | N/A | ||
| This vulnerability exists in the Syrotech SY-GPON-2010-WADONT router due to improper access control in its FTP service. A remote attacker could exploit this vulnerability by establishing an FTP connection using default credentials, potentially gaining unauthorized access to configuration files, user credentials, or other sensitive information stored on the targeted device. | |||||
| CVE-2025-10952 | 2025-09-26 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A security flaw has been discovered in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected by this issue is the function stream_handler of the file ml_logger/server.py of the component File Handler. Performing manipulation of the argument key results in information disclosure. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | |||||
| CVE-2025-20316 | 2025-09-26 | N/A | 5.3 MEDIUM | ||
| A vulnerability in the access control list (ACL) programming of Cisco IOS XE Software for Cisco Catalyst 9500X and 9600X Series Switches could allow an unauthenticated, remote attacker to bypass a configured ACL on an affected device. This vulnerability is due to the flooding of traffic from an unlearned MAC address on a switch virtual interface (SVI) that has an egress ACL applied. An attacker could exploit this vulnerability by causing the VLAN to flush its MAC address table. This condition can also occur if the MAC address table is full. A successful exploit could allow the attacker to bypass an egress ACL on an affected device. | |||||
| CVE-2023-31100 | 1 Phoenixtech | 1 Securecore Technology | 2025-09-25 | N/A | 8.4 HIGH |
| Improper Access Control in SMI handler vulnerability in Phoenix SecureCore™ Technology™ 4 allows SPI flash modification. This issue affects SecureCore™ Technology™ 4: * from 4.3.0.0 before 4.3.0.203 * from 4.3.1.0 before 4.3.1.163 * from 4.4.0.0 before 4.4.0.217 * from 4.5.0.0 before 4.5.0.138 | |||||
| CVE-2025-23329 | 3 Linux, Microsoft, Nvidia | 3 Linux Kernel, Windows, Triton Inference Server | 2025-09-25 | N/A | 7.5 HIGH |
| NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause memory corruption by identifying and accessing the shared memory region used by the Python backend. A successful exploit of this vulnerability might lead to denial of service. | |||||
| CVE-2024-56883 | 1 Sagedpw | 1 Sage Dpw | 2025-09-25 | N/A | 8.1 HIGH |
| Sage DPW before 2024_12_001 is vulnerable to Incorrect Access Control. The implemented role-based access controls are not always enforced on the server side. Low-privileged Sage users with employee role privileges can create external courses for other employees, even though they do not have the option to do so in the user interface. To do this, a valid request to create a course simply needs to be modified, so that the current user ID in the "id" parameter is replaced with the ID of another user. | |||||
| CVE-2022-36923 | 1 Zohocorp | 7 Manageengine Firewall Analyzer, Manageengine Netflow Analyzer, Manageengine Network Configuration Manager and 4 more | 2025-09-24 | N/A | 7.5 HIGH |
| Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs. | |||||