Total
3930 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9533 | 1 Totolink | 2 T10, T10 Firmware | 2025-09-03 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in TOTOLINK T10 4.1.8cu.5241_B20210927. Affected is an unknown function of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-9100 | 1 Zhenfeng13 | 1 My-blog | 2025-09-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| A security flaw has been discovered in zhenfeng13 My-Blog 1.0.0. This vulnerability affects unknown code of the file /blog/comment of the component Frontend Blog Article Comment Handler. The manipulation leads to authentication bypass by capture-replay. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-8546 | 1 Pybbs Project | 1 Pybbs | 2025-09-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in atjiu pybbs up to 6.0.0. This affects the function adminlogin/login of the component Verification Code Handler. The manipulation leads to guessable captcha. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named ecaf8d46944fd03e3c4ea05698f8acf0aaa570cf. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2024-5658 | 1 Born05 | 1 Two-factor Authentication | 2025-09-03 | N/A | 4.8 MEDIUM |
| The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period. | |||||
| CVE-2024-57432 | 1 Macrozheng | 1 Mall-tiny | 2025-09-02 | N/A | 7.5 HIGH |
| macrozheng mall-tiny 1.0.1 suffers from Insecure Permissions. The application's JWT signing keys are hardcoded and do not change. User information is explicitly written into the JWT and used for subsequent privilege management, making it is possible to forge the JWT of any user to achieve authentication bypass. | |||||
| CVE-2025-3061 | 1 Material Admin Project | 1 Material Admin | 2025-09-02 | N/A | 6.6 MEDIUM |
| Vulnerability in Drupal Material Admin.This issue affects Material Admin: *.*. | |||||
| CVE-2025-3062 | 1 Admin Lte Theme Project | 1 Admin Lte Theme | 2025-09-02 | N/A | 6.6 MEDIUM |
| Vulnerability in Drupal Drupal Admin LTE theme.This issue affects Drupal Admin LTE theme: *.*. | |||||
| CVE-2025-52856 | 2025-09-02 | N/A | N/A | ||
| An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: VioStor 5.1.6 build 20250621 and later | |||||
| CVE-2025-7955 | 2025-08-29 | N/A | 9.8 CRITICAL | ||
| The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within the ringcentral_admin_login_2fa_verify() function in versions 1.5 to 1.6.8. This makes it possible for unauthenticated attackers to log in as any user simply by supplying identical bogus codes. | |||||
| CVE-2024-13309 | 1 Login Disable Project | 1 Login Disable | 2025-08-28 | N/A | 5.4 MEDIUM |
| Improper Authentication vulnerability in Drupal Login Disable allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Login Disable: from 2.0.0 before 2.1.1. | |||||
| CVE-2025-7875 | 1 Metasoft | 1 Metacrm | 2025-08-27 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical has been found in Metasoft 美特软件 MetaCRM up to 6.4.2. This affects an unknown part of the file /debug.jsp. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-24830 | 1 Openobserve | 1 Openobserve | 2025-08-27 | N/A | 9.9 CRITICAL |
| OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-6107 | 1 Canonical | 1 Metal As A Service | 2025-08-27 | N/A | 9.6 CRITICAL |
| Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps. | |||||
| CVE-2024-6174 | 1 Canonical | 1 Cloud-init | 2025-08-26 | N/A | 8.8 HIGH |
| When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration. | |||||
| CVE-2025-2339 | 1 Otale | 1 Tale Blog | 2025-08-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in otale Tale Blog 2.0.5. It has been classified as problematic. This affects an unknown part of the file /%61dmin/api/logs. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-49757 | 1 Zitadel | 1 Zitadel | 2025-08-26 | N/A | 7.5 HIGH |
| The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way. Versions 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7 contain a patch. No known workarounds are available. | |||||
| CVE-2024-50644 | 2025-08-26 | N/A | 9.8 CRITICAL | ||
| zhisheng17 blog 3.0.1-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access API without any token. | |||||
| CVE-2024-52786 | 2025-08-25 | N/A | 9.8 CRITICAL | ||
| An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL. | |||||
| CVE-2024-50645 | 2025-08-25 | N/A | 9.8 CRITICAL | ||
| MallChat v1.0-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access API without any token. | |||||
| CVE-2024-57491 | 2025-08-22 | N/A | 8.8 HIGH | ||
| Authentication Bypass vulnerability in jobx up to v1.0.1-RELEASE allows an attacker can exploit this vulnerability to access sensitive API without any token via the preHandle function. | |||||