Total
3920 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41110 | 2025-10-22 | N/A | N/A | ||
| Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment. | |||||
| CVE-2025-41108 | 2025-10-22 | N/A | N/A | ||
| The communication protocol implemented in Ghost Robotics Vision 60 v0.27.2 could allow an attacker to send commands to the robot from an external attack station, impersonating the control station (tablet) and gaining unauthorised full control of the robot. The absence of encryption and authentication mechanisms in the communication protocol allows an attacker to capture legitimate traffic between the robot and the controller, replicate it, and send any valid command to the robot from any attacking computer or device. The communication protocol used in this interface is based on MAVLink, a widely documented protocol, which increases the likelihood of attack. There are two methods for connecting to the robot remotely: Wi-Fi and 4G/LTE. | |||||
| CVE-2025-56447 | 2025-10-22 | N/A | 9.8 CRITICAL | ||
| TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure. | |||||
| CVE-2025-60772 | 2025-10-22 | N/A | 9.8 CRITICAL | ||
| Improper authentication in the web-based management interface of NETLINK HG322G V1.0.00-231017, allows a remote unauthenticated attacker to escalate privileges and lock out the legitimate administrator via crafted HTTP requests. | |||||
| CVE-2013-0625 | 4 Adobe, Apple, Microsoft and 1 more | 4 Coldfusion, Mac Os X, Windows and 1 more | 2025-10-22 | 6.8 MEDIUM | 9.8 CRITICAL |
| Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013. | |||||
| CVE-2023-28461 | 1 Arraynetworks | 14 Ag1000, Ag1000t, Ag1000v5 and 11 more | 2025-10-22 | N/A | 9.8 CRITICAL |
| Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon." | |||||
| CVE-2022-40684 | 1 Fortinet | 3 Fortios, Fortiproxy, Fortiswitchmanager | 2025-10-22 | N/A | 9.8 CRITICAL |
| An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. | |||||
| CVE-2022-23134 | 3 Debian, Fedoraproject, Zabbix | 3 Debian Linux, Fedora, Zabbix | 2025-10-22 | 5.0 MEDIUM | 3.7 LOW |
| After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend. | |||||
| CVE-2021-39226 | 2 Fedoraproject, Grafana | 2 Fedora, Grafana | 2025-10-22 | 6.8 MEDIUM | 9.8 CRITICAL |
| Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects. | |||||
| CVE-2021-33045 | 1 Dahuasecurity | 36 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 33 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. | |||||
| CVE-2021-33044 | 1 Dahuasecurity | 38 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 35 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. | |||||
| CVE-2021-32648 | 1 Octobercms | 1 October | 2025-10-22 | 6.4 MEDIUM | 8.2 HIGH |
| octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. | |||||
| CVE-2021-32030 | 1 Asus | 4 Gt-ac2900, Gt-ac2900 Firmware, Lyra Mini and 1 more | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 and Lyra Mini before 3.0.0.4_384_46630 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_check in web_hook.o. An attacker-supplied value of '\0' matches the device's default value of '\0' in some situations. Note: All versions of Lyra Mini and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability, Consumers can mitigate this vulnerability by disabling the remote access features from WAN. | |||||
| CVE-2021-22893 | 1 Ivanti | 1 Connect Secure | 2025-10-22 | 7.5 HIGH | 10.0 CRITICAL |
| Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild. | |||||
| CVE-2020-8196 | 1 Citrix | 11 4000-wo, 4100-wo, 5000-wo and 8 more | 2025-10-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users. | |||||
| CVE-2020-8193 | 1 Citrix | 11 4000-wo, 4100-wo, 5000-wo and 8 more | 2025-10-22 | 5.0 MEDIUM | 6.5 MEDIUM |
| Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints. | |||||
| CVE-2020-5849 | 1 Unraid | 1 Unraid | 2025-10-22 | 5.0 MEDIUM | 7.5 HIGH |
| Unraid 6.8.0 allows authentication bypass. | |||||
| CVE-2020-4427 | 1 Ibm | 1 Data Risk Manager | 2025-10-22 | 9.0 HIGH | 9.8 CRITICAL |
| IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532. | |||||
| CVE-2020-12812 | 1 Fortinet | 1 Fortios | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username. | |||||
| CVE-2020-0688 | 1 Microsoft | 1 Exchange Server | 2025-10-22 | 9.0 HIGH | 8.8 HIGH |
| A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. | |||||