Total
1747 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6287 | 1 Sap | 1 Netweaver Application Server Java | 2025-10-31 | 10.0 HIGH | 10.0 CRITICAL |
| SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. | |||||
| CVE-2024-11680 | 1 Projectsend | 1 Projectsend | 2025-10-31 | N/A | 9.8 CRITICAL |
| ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. | |||||
| CVE-2021-37415 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-10-31 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. | |||||
| CVE-2021-44077 | 1 Zohocorp | 3 Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus | 2025-10-31 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. | |||||
| CVE-2020-3952 | 1 Vmware | 1 Vcenter Server | 2025-10-30 | 6.8 MEDIUM | 9.8 CRITICAL |
| Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. | |||||
| CVE-2022-26925 | 1 Microsoft | 17 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 14 more | 2025-10-30 | 4.3 MEDIUM | 8.1 HIGH |
| Windows LSA Spoofing Vulnerability | |||||
| CVE-2025-41110 | 1 Ghostrobotics | 2 Vision 60, Vision 60 Firmware | 2025-10-30 | N/A | 8.8 HIGH |
| Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment. | |||||
| CVE-2025-41090 | 2025-10-30 | N/A | N/A | ||
| microCLAUDIA in v3.2.0 and prior has an improper access control vulnerability. This flaw allows an authenticated user to perform unauthorized actions on other organizations' systems by sending direct API requests. To do so, the attacker can use organization identifiers obtained through a compromised endpoint or deduced manually. This vulnerability allows access between tenants, enabling an attacker to list and manage remote assets, uninstall agents, and even delete vaccines configurations. | |||||
| CVE-2025-12477 | 2025-10-30 | N/A | N/A | ||
| Server Version Disclosure.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . | |||||
| CVE-2025-12476 | 2025-10-30 | N/A | N/A | ||
| Resource Lacking AuthN.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . | |||||
| CVE-2025-61777 | 1 Flagforge | 1 Flagforge | 2025-10-30 | N/A | 9.4 CRITICAL |
| Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available. | |||||
| CVE-2025-62586 | 1 Opexustech | 1 Foiaxpress | 2025-10-29 | N/A | 9.8 CRITICAL |
| OPEXUS FOIAXpress allows a remote, unauthenticated attacker to reset the administrator password. Fixed in FOIAXpress version 11.13.2.0. | |||||
| CVE-2025-7328 | 1 Rockwellautomation | 2 1783-natr, 1783-natr Firmware | 2025-10-29 | N/A | 9.8 CRITICAL |
| Multiple Broken Authentication security issues exist in the affected product. The security issues are due to missing authentication checks on critical functions. These could result in potential denial-of-service, admin account takeover, or NAT rule modifications. Devices would no longer be able to communicate through NATR as a result of denial-of-service or NAT rule modifications. NAT rule modification could also result in device communication to incorrect endpoints. Admin account takeover could allow modification of configuration and require physical access to restore. | |||||
| CVE-2025-53034 | 1 Oracle | 1 Financial Services Analytical Applications Infrastructure | 2025-10-28 | N/A | 5.4 MEDIUM |
| Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized read access to a subset of Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). | |||||
| CVE-2025-26359 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 9.8 CRITICAL |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests. | |||||
| CVE-2025-26360 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 5.3 MEDIUM |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests. | |||||
| CVE-2025-26361 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 9.1 CRITICAL |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests. | |||||
| CVE-2025-26362 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 7.5 HIGH |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests. | |||||
| CVE-2025-26363 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 7.5 HIGH |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests. | |||||
| CVE-2025-26364 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 7.5 HIGH |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests. | |||||