Total
5684 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1744 | 2 Accordors, Ariva Computer | 2 Accord Ors, Accord Ors | 2025-10-14 | 7.5 High |
| Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Ariva Computer Accord ORS allows Retrieve Embedded Sensitive Data.This issue affects Accord ORS: before 7.3.2.1. | ||||
| CVE-2024-1662 | 1 Porty | 2 Powerbank, Powerbank Application | 2025-10-14 | 7.5 High |
| Missing Authentication for Critical Function, Missing Authorization vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data.This issue affects PowerBank Application: before 2.02. | ||||
| CVE-2024-38002 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-10-13 | 9 Critical |
| The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API. | ||||
| CVE-2025-1084 | 1 Mindskip | 1 Xzs-mysql | 2025-10-10 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-40667 | 1 Tcman | 1 Gim | 2025-10-10 | 6.5 Medium |
| Missing authorization vulnerability in TCMAN's GIM v11. This allows an authenticated attacker to access any functionality of the application even when they are not available through the user interface. To exploit the vulnerability the attacker must modify the HTTP code of the response from ‘302 Found’ to ‘200 OK’, as well as the hidden fields hdnReadOnly and hdnUserLogin. | ||||
| CVE-2025-6106 | 1 72crm | 1 Wukong Crm | 2025-10-10 | 4.3 Medium |
| A vulnerability was found in WuKongOpenSource WukongCRM 9.0 and classified as problematic. This issue affects some unknown processing of the file AdminRoleController.java. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3561 | 1 Ghostxbh | 1 Uzy-ssm-mall | 2025-10-10 | 4.3 Medium |
| A vulnerability was found in ghostxbh uzy-ssm-mall 1.0.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-34146 | 1 Jenkins | 1 Git Server | 2025-10-10 | 6.5 Medium |
| Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overall/Read permission to access these repositories. | ||||
| CVE-2024-52550 | 2 Jenkins, Redhat | 3 Groovy, Pipeline\, Ocp Tools | 2025-10-10 | 8 High |
| Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved. | ||||
| CVE-2024-52549 | 2 Jenkins, Redhat | 2 Script Security, Ocp Tools | 2025-10-10 | 4.3 Medium |
| Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system. | ||||
| CVE-2024-44069 | 1 Pi-hole | 1 Pi-hole | 2025-10-10 | 7.5 High |
| Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue" but the specific motivation for letting arbitrary persons change the value (Celsius, Fahrenheit, or Kelvin), seen by the device owner, is unclear. | ||||
| CVE-2017-6369 | 1 Firebirdsql | 1 Firebird | 2025-10-10 | 8.8 High |
| Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5.7 and 3.0.x before 3.0.2 allow remote authenticated users to execute code by using a 'system' entrypoint from fbudf.so. | ||||
| CVE-2025-51308 | 1 Gatling | 1 Gatling | 2025-10-09 | 5.3 Medium |
| In Gatling Enterprise versions below 1.25.0, a low-privileged user that does not hold the role "admin" could perform a REST API call on read-only endpoints, allowing him to collect some information, due to missing authorization checks. | ||||
| CVE-2025-11439 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 4.3 Medium |
| A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 11d97d78f2de2cb49f79baed6bde8b611ec1f384. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2025-11438 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 6.3 Medium |
| A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue. | ||||
| CVE-2025-11442 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 4.3 Medium |
| A security flaw has been discovered in JhumanJ OpnForm up to 1.9.3. The impacted element is an unknown function of the component API Endpoint. The manipulation results in cross-site request forgery. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor has stated that API calls require authentication through Authorization Bearer Tokens, so classic CSRF attacks do not apply here. An attacker would need to possess the JWT through means such as XSS which were mitigated, disabling any form of initial access. | ||||
| CVE-2025-3257 | 1 Xujiangfei | 1 Admintwo | 2025-10-09 | 4.3 Medium |
| A vulnerability classified as problematic has been found in xujiangfei admintwo 1.0. This affects an unknown part of the file /user/updateSet. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-10352 | 1 Melistechnology | 1 Melis Platform | 2025-10-09 | N/A |
| Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an administrator account via a request to '/melis/MelisCore/ToolUser/addNewUser'. | ||||
| CVE-2023-6394 | 2 Quarkus, Redhat | 3 Quarkus, Build Of Quarkus, Quarkus | 2025-10-09 | 7.4 High |
| A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions. | ||||
| CVE-2023-5056 | 1 Redhat | 2 Enterprise Linux, Service Interconnect | 2025-10-09 | 6.8 Medium |
| A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview. | ||||