Total
1482 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41664 | 2025-09-08 | N/A | 7.5 HIGH | ||
| A low-privileged remote attacker could gain unauthorized access to critical resources, such as firmware and certificates, due to improper permission handling during the runtime of services (e.g., FTP/SFTP). This access could allow the attacker to escalate privileges and modify firmware. | |||||
| CVE-2024-12564 | 2025-09-08 | N/A | N/A | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit prometheus metrics page. This can allow attackers to understand more things about the target application which may help in further investigation and exploitation. | |||||
| CVE-2025-58372 | 2025-09-05 | N/A | 8.1 HIGH | ||
| Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where certain VS Code workspace configuration files (.code-workspace) are not protected in the same way as the .vscode folder. If the agent was configured to auto-approve file writes, an attacker able to influence prompts (for example via prompt injection) could cause malicious workspace settings or tasks to be written. These tasks could then be executed automatically when the workspace is reopened, resulting in arbitrary code execution. This issue is fixed in version 3.26.0. | |||||
| CVE-2025-10059 | 2025-09-05 | N/A | 6.5 MEDIUM | ||
| An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6. | |||||
| CVE-2025-23257 | 2025-09-05 | N/A | 7.3 HIGH | ||
| NVIDIA DOCA contains a vulnerability in the collectx-clxapidev Debian package that could allow an actor with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges. | |||||
| CVE-2025-23258 | 2025-09-05 | N/A | 7.3 HIGH | ||
| NVIDIA DOCA contains a vulnerability in the collectx-dpeserver Debian package for arm64 that could allow an attacker with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges. | |||||
| CVE-2024-11584 | 1 Canonical | 1 Cloud-init | 2025-09-05 | N/A | 5.9 MEDIUM |
| cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands. | |||||
| CVE-2025-36193 | 2025-09-04 | N/A | 8.4 HIGH | ||
| IBM Transformation Advisor 2.0.1 through 4.3.1 incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Transformation Advisor Operator Catalog image. | |||||
| CVE-2025-1139 | 1 Ibm | 1 Edge Application Manager | 2025-09-03 | N/A | 6.1 MEDIUM |
| IBM Edge Application Manager 4.5 could allow a local user to read or modify resources that they should not have authorization to access due to incorrect permission assignment. | |||||
| CVE-2012-10030 | 1 Freefloat | 1 Freefloat Ftp Server | 2025-09-03 | N/A | 9.8 CRITICAL |
| FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, defaults user access to the root of the C:\ drive, and imposes no restrictions on file type or destination path. These conditions enable attackers to upload executable payloads and .mof files to locations such as system32 and wbem\mof, where Windows Management Instrumentation (WMI) automatically processes and executes them. This results in remote code execution with SYSTEM-level privileges, without requiring user interaction. | |||||
| CVE-2022-34112 | 1 Dataease | 1 Dataease | 2025-09-03 | N/A | 6.5 MEDIUM |
| An access control issue in the component /api/plugin/uninstall Dataease v1.11.1 allows attackers to arbitrarily uninstall the plugin, a right normally reserved for the administrator. | |||||
| CVE-2025-0093 | 1 Google | 1 Android | 2025-09-02 | N/A | 7.5 HIGH |
| In handleBondStateChanged of AdapterService.java, there is a possible unapproved data access due to a missing permission check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2025-43268 | 1 Apple | 1 Macos | 2025-09-02 | N/A | 7.8 HIGH |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6. A malicious app may be able to gain root privileges. | |||||
| CVE-2025-5819 | 1 Gitlab | 1 Gitlab | 2025-08-29 | N/A | 5.0 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances. | |||||
| CVE-2025-9578 | 2025-08-29 | N/A | 7.8 HIGH | ||
| Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 40734. | |||||
| CVE-2025-30063 | 2025-08-29 | N/A | N/A | ||
| The configuration file containing database logins and passwords is readable by any local user. | |||||
| CVE-2025-53396 | 2025-08-29 | N/A | 7.0 HIGH | ||
| Incorrect permission assignment for critical resource issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier), which may allow users who can log in to a client terminal to obtain root privileges. | |||||
| CVE-2025-43729 | 2025-08-29 | N/A | 7.8 HIGH | ||
| Dell ThinOS 10, versions prior to 2508_10.0127, contains an Incorrect Permission Assignment for Critical Resource vulnerability. A local low-privileged attacker could potentially exploit this vulnerability leading to Elevation of Privileges and Unauthorized Access. | |||||
| CVE-2024-41974 | 2025-08-27 | N/A | 7.1 HIGH | ||
| A low privileged remote attacker may modify the BACNet service properties due to incorrect permission assignment for critical resources which may lead to a DoS limited to BACNet communication. | |||||
| CVE-2024-41970 | 2025-08-27 | N/A | 5.7 MEDIUM | ||
| A low privileged remote attacker may gain access to forbidden diagnostic data due to incorrect permission assignment for critical resources. | |||||