Total
2327 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-38856 | 1 Apache | 1 Ofbiz | 2025-10-23 | N/A | 9.8 CRITICAL |
| Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints). | |||||
| CVE-2024-41979 | 1 Siemens | 1 Opcenter Quality | 2025-10-23 | N/A | 7.1 HIGH |
| A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not enforce mandatory authorization on some functionality level at server side. This could allow an authenticated attacker to gain complete access of the application. | |||||
| CVE-2025-4646 | 1 Centreon | 1 Centreon Web | 2025-10-22 | N/A | 7.2 HIGH |
| Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4. | |||||
| CVE-2021-40655 | 1 Dlink | 2 Dir-605l, Dir-605l Firmware | 2025-10-22 | 5.0 MEDIUM | 7.5 HIGH |
| An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page | |||||
| CVE-2021-3560 | 4 Canonical, Debian, Polkit Project and 1 more | 7 Ubuntu Linux, Debian Linux, Polkit and 4 more | 2025-10-22 | 7.2 HIGH | 7.8 HIGH |
| It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2025-6892 | 2025-10-21 | N/A | N/A | ||
| An Incorrect Authorization vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended for administrative functions. This vulnerability can be exploited after a legitimate user has logged in, as the system fails to properly validate session context or privilege boundaries. An attacker may leverage this flaw to perform unauthorized privileged operations. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems. | |||||
| CVE-2025-48044 | 2025-10-21 | N/A | N/A | ||
| Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d. | |||||
| CVE-2025-36546 | 1 F5 | 2 F5os-a, F5os-c | 2025-10-21 | N/A | 8.1 HIGH |
| On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is still allowed. For an attacker to exploit this vulnerability they must obtain the root user's SSH private key. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2025-9955 | 1 Wso2 | 2 Enterprise Integrator, Enterprise Service Bus | 2025-10-21 | N/A | 5.7 MEDIUM |
| An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level. While no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance. | |||||
| CVE-2025-10545 | 1 Mattermost | 1 Mattermost Server | 2025-10-21 | N/A | 3.1 LOW |
| Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint | |||||
| CVE-2025-46265 | 1 F5 | 2 F5os-a, F5os-c | 2025-10-21 | N/A | 8.8 HIGH |
| On F5OS, an improper authorization vulnerability exists where remotely authenticated users (LDAP, RADIUS, TACACS+) may be authorized with higher privilege F5OS roles. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2025-11340 | 1 Gitlab | 1 Gitlab | 2025-10-20 | N/A | 7.7 HIGH |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations. | |||||
| CVE-2025-54267 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-10-20 | N/A | 6.5 MEDIUM |
| Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to elevated privileges that increase integrity impact to high. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-54265 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-10-20 | N/A | 5.9 MEDIUM |
| Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-54263 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-10-20 | N/A | 8.1 HIGH |
| Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-1214 | 1 Pihome | 1 Maxair | 2025-10-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in pihome-shc PiHome 2.0. This affects an unknown part of the file /user_accounts.php?uid of the component Role-Based Access Control. The manipulation leads to missing authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-10611 | 2025-10-16 | N/A | 9.8 CRITICAL | ||
| Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations. | |||||
| CVE-2025-46544 | 1 Sherparpa | 1 Sherpa Orchestrator | 2025-10-15 | N/A | 6.4 MEDIUM |
| In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles. | |||||
| CVE-2024-6592 | 1 Watchguard | 2 Authentication Gateway, Single Sign-on Client | 2025-10-15 | N/A | 9.1 CRITICAL |
| Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on Windows and MacOS allows Authentication Bypass.This issue affects the Authentication Gateway: through 12.10.2; Windows Single Sign-On Client: through 12.7; MacOS Single Sign-On Client: through 12.5.4. | |||||
| CVE-2024-45260 | 1 Gl-inet | 42 A1300, A1300 Firmware, Ar300m and 39 more | 2025-10-15 | N/A | 8.0 HIGH |
| An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Users who belong to unauthorized groups can invoke any interface of the device, thereby gaining complete control over it. | |||||