Total
1731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-3279 | 1 Mintplexlabs | 1 Anythingllm | 2025-10-15 | N/A | 9.1 CRITICAL |
| An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint. This vulnerability allows an anonymous attacker, without an account in the application, to import their own database file, leading to the deletion or spoofing of the existing `anythingllm.db` file. By exploiting this vulnerability, attackers can serve malicious data to users or collect information about them. The vulnerability stems from the application's failure to properly restrict access to the data-import functionality, allowing unauthorized database manipulation. | |||||
| CVE-2024-12869 | 1 Infiniflow | 1 Ragflow | 2025-10-15 | N/A | 4.3 MEDIUM |
| In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite list. This can lead to a privacy breach where users' personal or private information, such as email addresses or usernames in the invite list, could be exposed without their consent. This data leakage can facilitate further attacks, such as phishing or spam, and result in loss of trust and potential regulatory issues. | |||||
| CVE-2025-57432 | 1 Blackmagicdesign | 4 Web Presenter 4k, Web Presenter 4k Firmware, Web Presenter Hd and 1 more | 2025-10-14 | N/A | 9.8 CRITICAL |
| Blackmagic Web Presenter version 3.3 exposes a Telnet service on port 9977 that accepts unauthenticated commands. This service allows remote attackers to manipulate stream settings, including changing video modes and possibly altering device functionality. No credentials or authentication mechanisms are required to interact with the Telnet interface. | |||||
| CVE-2025-11198 | 2025-10-14 | N/A | 7.4 HIGH | ||
| A Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-based attacker to replace legitimate vSRX images with malicious ones. If a trusted user initiates deployment, Security Director Policy Enforcer will deliver the attacker's uploaded image to VMware NSX instead of a legitimate one. This issue affects Security Director Policy Enforcer: * All versions before 23.1R1 Hotpatch v3. This issue does not affect Junos Space Security Director Insights. | |||||
| CVE-2025-35050 | 2025-10-14 | N/A | 9.8 CRITICAL | ||
| Newforma Info Exchange (NIX) accepts serialized .NET data via the '/remoteweb/remote.rem' endpoint, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. The vulnerable endpoint is used by Newforma Project Center Server (NPCS), so a compromised NIX system can be used to attack an associated NPCS system. To mitigate this vulnerability, restrict network access to the '/remoteweb/remote.rem' endpoint, for example using the IIS URL Rewrite Module. | |||||
| CVE-2025-61928 | 2025-10-14 | N/A | N/A | ||
| Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges. Version 1.3.26 contains a patch for the issue. | |||||
| CVE-2025-35051 | 2025-10-14 | N/A | 9.8 CRITICAL | ||
| Newforma Project Center Server (NPCS) accepts serialized .NET data via the '/ProjectCenter.rem' endpoint on 9003/tcp, allowing a remote, unauthenticated attacker to execute arbitrary code with 'NT AUTHORITY\NetworkService' privileges. According to the recommended architecture, the vulnerable NPCS endpoint is only accessible on an internal network. To mitigate this vulnerability, restrict network access to NPCS. | |||||
| CVE-2025-40771 | 2025-10-14 | N/A | 9.8 CRITICAL | ||
| A vulnerability has been identified in SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0) (All versions < V2.4.24), SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0) (All versions < V2.4.24), SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0) (All versions < V2.4.24), SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL (6AG2542-6VX00-4XE0) (All versions < V2.4.24), SIPLUS ET 200SP CP 1543SP-1 ISEC (6AG1543-6WX00-7XE0) (All versions < V2.4.24), SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (6AG2543-6WX00-4XE0) (All versions < V2.4.24). Affected devices do not properly authenticate configuration connections. This could allow an unauthenticated remote attacker to access the configuration data. | |||||
| CVE-2025-7328 | 2025-10-14 | N/A | N/A | ||
| Multiple Broken Authentication security issues exist in the affected product. The security issues are due to missing authentication checks on critical functions. These could result in potential denial-of-service, admin account takeover, or NAT rule modifications. Devices would no longer be able to communicate through NATR as a result of denial-of-service or NAT rule modifications. NAT rule modification could also result in device communication to incorrect endpoints. Admin account takeover could allow modification of configuration and require physical access to restore. | |||||
| CVE-2025-11672 | 2025-10-14 | N/A | 5.3 MEDIUM | ||
| Uniweb/SoliPACS WebServer developed by EBM Technologies has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access a specific page to obtain user group names. | |||||
| CVE-2025-11671 | 2025-10-14 | N/A | 5.3 MEDIUM | ||
| Uniweb/SoliPACS WebServer developed by EBM Technologies has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access a specific page to obtain information such as account names and IP addresses. | |||||
| CVE-2025-41703 | 2025-10-14 | N/A | 7.5 HIGH | ||
| An unauthenticated remote attacker can cause a Denial of Service by turning off the output of the UPS via Modbus command. | |||||
| CVE-2025-23356 | 2025-10-14 | N/A | 8.4 HIGH | ||
| NVIDIA Isaac Lab contains a vulnerability in SB3 configuration parsing. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | |||||
| CVE-2025-59358 | 1 Chaos-mesh | 1 Chaos Mesh | 2025-10-14 | N/A | 7.5 HIGH |
| The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service. | |||||
| CVE-2024-8074 | 2025-10-14 | N/A | N/A | ||
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users.This issue affects Nomysem: before 13.10.2024. | |||||
| CVE-2024-7015 | 1 Profelis | 1 Passbox | 2025-10-14 | N/A | 9.8 CRITICAL |
| Missing Authentication for Critical Function vulnerability in Profelis Informatics and Consulting PassBox allows Authentication Abuse.This issue affects PassBox: before v1.2. | |||||
| CVE-2024-6406 | 2025-10-14 | N/A | N/A | ||
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data.This issue affects Mobile Library Application: before 5.0. | |||||
| CVE-2024-4428 | 1 Menulux | 1 Managment Portal | 2025-10-14 | N/A | 9.8 CRITICAL |
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Menulux Information Technologies Managment Portal allows Collect Data as Provided by Users.This issue affects Managment Portal: through 21.05.2024. | |||||
| CVE-2024-1662 | 1 Porty | 1 Powerbank | 2025-10-14 | N/A | 7.5 HIGH |
| Missing Authentication for Critical Function, Missing Authorization vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data.This issue affects PowerBank Application: before 2.02. | |||||
| CVE-2024-0949 | 2025-10-14 | N/A | 9.8 CRITICAL | ||
| Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass.This issue affects Elektraweb: before v17.0.68. | |||||