Total
2061 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-56431 | 1 Xiph | 1 Theora | 2025-04-25 | N/A | 9.8 CRITICAL |
| oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 7180717 has an invalid negative left shift. NOTE: this is disputed by third parties because there is no evidence of a security impact, e.g., an application would not crash. | |||||
| CVE-2025-3647 | 2025-04-25 | N/A | 4.3 MEDIUM | ||
| A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve. | |||||
| CVE-2025-3645 | 2025-04-25 | N/A | 4.3 MEDIUM | ||
| A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses. | |||||
| CVE-2025-3644 | 2025-04-25 | N/A | 4.3 MEDIUM | ||
| A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify. | |||||
| CVE-2025-3861 | 2025-04-25 | N/A | 5.4 MEDIUM | ||
| The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data| due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in versions 2.8.6 to 2.8.8.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to access and change the protection status of media. | |||||
| CVE-2025-46544 | 2025-04-25 | N/A | 6.4 MEDIUM | ||
| In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles. | |||||
| CVE-2024-42451 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-04-24 | N/A | 6.5 MEDIUM |
| A vulnerability in Veeam Backup & Replication allows low-privileged users to leak all saved credentials in plaintext. This is achieved by calling a series of methods over an external protocol, ultimately retrieving the credentials using a malicious setup on the attacker's side. This exposes sensitive data, which could be used for further attacks, including unauthorized access to systems managed by the platform. | |||||
| CVE-2024-42452 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-04-24 | N/A | 8.8 HIGH |
| A vulnerability in Veeam Backup & Replication allows a low-privileged user to start an agent remotely in server mode and obtain credentials, effectively escalating privileges to system-level access. This allows the attacker to upload files to the server with elevated privileges. The vulnerability exists because remote calls bypass permission checks, leading to full system compromise. | |||||
| CVE-2024-45204 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-04-24 | N/A | 4.3 MEDIUM |
| A vulnerability exists where a low-privileged user can exploit insufficient permissions in credential handling to leak NTLM hashes of saved credentials. The exploitation involves using retrieved credentials to expose sensitive NTLM hashes, impacting systems beyond the initial target and potentially leading to broader security vulnerabilities. | |||||
| CVE-2025-43921 | 1 Gnu | 1 Mailman | 2025-04-24 | N/A | 5.3 MEDIUM |
| GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to create lists via the /mailman/create endpoint. | |||||
| CVE-2022-44039 | 1 Franklinfueling | 1 Colibri Firmware | 2025-04-24 | N/A | 9.8 CRITICAL |
| Franklin Fueling System FFS Colibri 1.9.22.8925 is affected by: File system overwrite. The impact is: File system rewrite (remote). ¶¶ An attacker can overwrite system files like [system.conf] and [passwd], this occurs because the insecure usage of "fopen" system function with the mode "wb" which allows overwriting file if exists. Overwriting files such as passwd, allows an attacker to escalate his privileges by planting backdoor user with root privilege or change root password. | |||||
| CVE-2025-41423 | 2025-04-24 | N/A | 3.1 LOW | ||
| Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions. | |||||
| CVE-2025-26853 | 1 Descor | 1 Infocad | 2025-04-23 | N/A | 10.0 CRITICAL |
| DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 has a broken authorization schema. | |||||
| CVE-2023-4269 | 1 Solwininfotech | 1 User Activity Log | 2025-04-23 | N/A | 4.3 MEDIUM |
| The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber to perform such action and retrieve PII such as email addresses. | |||||
| CVE-2022-46792 | 1 Hasura | 1 Graphql Engine | 2025-04-23 | N/A | 8.8 HIGH |
| Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.) | |||||
| CVE-2024-10306 | 2025-04-23 | N/A | 5.4 MEDIUM | ||
| A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic. | |||||
| CVE-2025-43922 | 2025-04-23 | N/A | 8.1 HIGH | ||
| The FileWave Windows client before 16.0.0, in some non-default configurations, allows an unprivileged local user to escalate privileges to SYSTEM. | |||||
| CVE-2024-12862 | 2025-04-23 | N/A | N/A | ||
| Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4. | |||||
| CVE-2022-45956 | 1 Boa | 1 Boa | 2025-04-22 | N/A | 5.3 MEDIUM |
| Boa Web Server versions 0.94.13 through 0.94.14 fail to validate the correct security constraint on the HEAD HTTP method allowing everyone to bypass the Basic Authorization mechanism. | |||||
| CVE-2022-45760 | 1 Sens Project | 1 Sens | 2025-04-22 | N/A | 8.8 HIGH |
| SENS v1.0 is vulnerable to Incorrect Access Control vulnerability. | |||||