Total
1747 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-10062 | 2025-09-02 | N/A | N/A | ||
| A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server. | |||||
| CVE-2025-7405 | 2025-09-02 | N/A | 7.3 HIGH | ||
| Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to read or write the device values of the product and stop the operation of the programs, since MODBUS/TCP in the products does not have authentication features. | |||||
| CVE-2024-4332 | 2025-08-29 | N/A | N/A | ||
| An authentication bypass vulnerability has been identified in the REST and SOAP API components of Tripwire Enterprise (TE) 9.1.0 when TE is configured to use LDAP/Active Directory SAML authentication and its optional "Auto-synchronize LDAP Users, Roles, and Groups" feature is enabled. This vulnerability allows unauthenticated attackers to bypass authentication if a valid username is known. Exploitation of this vulnerability could allow remote attackers to gain privileged access to the APIs and lead to unauthorized information disclosure or modification. | |||||
| CVE-2025-8450 | 2025-08-29 | N/A | 8.2 HIGH | ||
| Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page. | |||||
| CVE-2025-8861 | 2025-08-29 | N/A | 9.8 CRITICAL | ||
| TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents. | |||||
| CVE-2025-30037 | 2025-08-29 | N/A | N/A | ||
| The system exposes several endpoints, typically including "/int/" in their path, that should be restricted to internal services, but are instead publicly accessible without authentication to any host able to reach the application server on port 443/tcp. | |||||
| CVE-2025-30039 | 2025-08-29 | N/A | N/A | ||
| Unauthenticated access to the "/cgi-bin/CliniNET.prd/GetActiveSessions.pl" endpoint allows takeover of any user session logged into the system, including users with admin privileges. | |||||
| CVE-2025-30041 | 2025-08-29 | N/A | N/A | ||
| The paths "/cgi-bin/CliniNET.prd/utils/userlogstat.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl" expose data containing session IDs. | |||||
| CVE-2025-30048 | 2025-08-29 | N/A | N/A | ||
| The "serverConfig" endpoint, which returns the module configuration including credentials, is accessible without authentication. | |||||
| CVE-2025-30040 | 2025-08-29 | N/A | N/A | ||
| The vulnerability allows unauthenticated users to download a file containing session ID data by directly accessing the "/cgi-bin/CliniNET.prd/utils/userlogxls.pl" endpoint. | |||||
| CVE-2024-41968 | 2025-08-27 | N/A | 5.4 MEDIUM | ||
| A low privileged remote attacker may modify the docker settings setup of the device, leading to a limited DoS. | |||||
| CVE-2024-41967 | 2025-08-27 | N/A | 8.1 HIGH | ||
| A low privileged remote attacker may modify the boot mode configuration setup of the device, leading to modification of the firmware upgrade process or a denial-of-service attack. | |||||
| CVE-2024-37303 | 1 Matrix | 1 Synapse | 2025-08-26 | N/A | 5.3 MEDIUM |
| Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector. | |||||
| CVE-2025-53118 | 2025-08-25 | N/A | 9.8 CRITICAL | ||
| An authentication bypass vulnerability exists which allows an unauthenticated attacker to control administrator backup functions, leading to compromise of passwords, secrets, and application session tokens stored by the Unified PAM. | |||||
| CVE-2022-43110 | 2025-08-25 | N/A | 9.8 CRITICAL | ||
| Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface admin password, view/change system configuration, enumerate connected UPS devices and shut down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a connected UPS shutting down. | |||||
| CVE-2025-41689 | 2025-08-25 | N/A | 7.5 HIGH | ||
| An unauthenticated remote attacker can get access without password protection to the affected device. This enables the unprotected read-only access to the stored measurement data. | |||||
| CVE-2025-8610 | 1 Aomei | 1 Cyber Backup | 2025-08-25 | N/A | 9.8 CRITICAL |
| AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of AOMEI Cyber Backup. Authentication is not required to exploit this vulnerability. The specific flaw exists within the StorageNode service, which listens on TCP port 9075 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-26156. | |||||
| CVE-2025-8611 | 1 Aomeitech | 1 Cyber Backup | 2025-08-22 | N/A | 9.8 CRITICAL |
| AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of AOMEI Cyber Backup. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DaoService service, which listens on TCP port 9074 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-26158. | |||||
| CVE-2025-47870 | 2025-08-22 | N/A | 4.3 MEDIUM | ||
| Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id. | |||||
| CVE-2025-27214 | 2025-08-22 | N/A | 9.8 CRITICAL | ||
| A Missing Authentication for Critical Function vulnerability in the UniFi Connect EV Station Pro may allow a malicious actor with physical or adjacent access to perform an unauthorized factory reset. Affected Products: UniFi Connect EV Station Pro (Version 1.5.18 and earlier) Mitigation: Update UniFi Connect EV Station Pro to Version 1.5.27 or later | |||||