Total
5660 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4520 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2025-10-15 | N/A | 7.5 HIGH |
| An improper access control vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically in version 20240410. This vulnerability allows any user on the server to access the chat history of any other user without requiring any form of interaction between the users. Exploitation of this vulnerability could lead to data breaches, including the exposure of sensitive personal details, financial data, or confidential conversations. Additionally, it could facilitate identity theft and manipulation or fraud through the unauthorized access to users' chat histories. This issue is due to insufficient access control mechanisms in the application's handling of chat history data. | |||||
| CVE-2024-2292 | 2025-10-15 | N/A | 7.1 HIGH | ||
| Due to a lack of access control, unauthorized users are able to view and modify information pertaining to other users. | |||||
| CVE-2024-2035 | 1 Zenml | 1 Zenml | 2025-10-15 | N/A | 6.5 MEDIUM |
| An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application. | |||||
| CVE-2024-13060 | 1 Mintplexlabs | 1 Anythingllm Docker | 2025-10-15 | N/A | 4.3 MEDIUM |
| A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1. | |||||
| CVE-2024-10363 | 1 Librechat | 1 Librechat | 2025-10-15 | N/A | 5.4 MEDIUM |
| In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Users can share, use, and create prompts without being granted permission by the admin. This can break application logic and permissions, allowing unauthorized actions. | |||||
| CVE-2024-10330 | 1 Lunary | 1 Lunary | 2025-10-15 | N/A | 6.5 MEDIUM |
| In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/` endpoint lacks proper access control, allowing any user associated with a project to fetch all evaluator data regardless of their role. This vulnerability permits low-privilege users to access potentially sensitive evaluation data. | |||||
| CVE-2024-10274 | 1 Lunary | 1 Lunary | 2025-10-15 | N/A | 6.5 MEDIUM |
| An improper authorization vulnerability exists in lunary-ai/lunary version 1.5.5. The /users/me/org endpoint lacks adequate access control mechanisms, allowing unauthorized users to access sensitive information about all team members in the current organization. This vulnerability can lead to the disclosure of sensitive information such as names, roles, or emails to users without sufficient privileges, resulting in privacy violations and potential reconnaissance for targeted attacks. | |||||
| CVE-2024-10272 | 1 Lunary | 1 Lunary | 2025-10-15 | N/A | 7.5 HIGH |
| lunary-ai/lunary is vulnerable to broken access control in the latest version. An attacker can view the content of any dataset without any kind of authorization by sending a GET request to the /v1/datasets endpoint without a valid authorization token. | |||||
| CVE-2025-8886 | 2025-10-14 | N/A | 6.7 MEDIUM | ||
| Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privilege Abuse, Authentication Bypass.This issue affects Aybs Interaktif: from 2024 through 28082025. | |||||
| CVE-2025-8593 | 2025-10-14 | N/A | 8.8 HIGH | ||
| The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in versions less than, or equal to, 1.3.27. This is due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers, with subscriber-level access and above to install plugins on the target site and potentially achieve arbitrary code execution on the server under certain conditions. | |||||
| CVE-2025-11380 | 2025-10-14 | N/A | 5.9 MEDIUM | ||
| The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'everest_process_status' AJAX action in all versions up to, and including, 2.3.5. This makes it possible for unauthenticated attackers to retrieve back-up file locations that can be subsequently accessed and downloaded. This does require a back-up to be running in order for an attacker to retrieve the back-up location. | |||||
| CVE-2025-8682 | 2025-10-14 | N/A | 4.3 MEDIUM | ||
| The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsup_admin_info_install_plugin() function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin. | |||||
| CVE-2025-8887 | 2025-10-14 | N/A | 6.1 MEDIUM | ||
| Authorization Bypass Through User-Controlled Key, Missing Authorization, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Forceful Browsing, Parameter Injection, Input Data Manipulation.This issue affects Aybs Interaktif: from 2024 through 28082025. | |||||
| CVE-2025-10732 | 2025-10-14 | N/A | 4.3 MEDIUM | ||
| The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings. | |||||
| CVE-2025-33182 | 2025-10-14 | N/A | 7.6 HIGH | ||
| NVIDIA Jetson Linux contains a vulnerability in UEFI, where improper authentication may allow a privileged user to cause corruption of the Linux Device Tree. A successful exploitation of this vulnerability might lead to data tampering, denial of service. | |||||
| CVE-2025-58334 | 1 Jetbrains | 1 Ide Services | 2025-10-14 | N/A | 8.1 HIGH |
| In JetBrains IDE Services before 2025.5.0.1086, 2025.4.2.2164 users without appropriate permissions could assign high-privileged role for themselves | |||||
| CVE-2024-8074 | 2025-10-14 | N/A | N/A | ||
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users.This issue affects Nomysem: before 13.10.2024. | |||||
| CVE-2025-53959 | 1 Jetbrains | 1 Youtrack | 2025-10-14 | N/A | 7.6 HIGH |
| In JetBrains YouTrack before 2025.2.86069, 2024.3.85077, 2025.1.86199 email spoofing via an administrative API was possible | |||||
| CVE-2024-6406 | 2025-10-14 | N/A | N/A | ||
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data.This issue affects Mobile Library Application: before 5.0. | |||||
| CVE-2024-4428 | 1 Menulux | 1 Managment Portal | 2025-10-14 | N/A | 9.8 CRITICAL |
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Menulux Information Technologies Managment Portal allows Collect Data as Provided by Users.This issue affects Managment Portal: through 21.05.2024. | |||||