Total
348 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11645 | 2 Google, Tomofun | 2 Android, Furbo Mobile App | 2025-10-23 | 2.4 Low |
| A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-33004 | 2 Sap, Sap Se | 2 Businessobjects Business Intelligence Platform, Sap Business Objects Business Intgelligence Platform | 2025-10-23 | 4.3 Medium |
| SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on Confidentiality, Integrity and Availability of the application. | ||||
| CVE-2025-35054 | 1 Newforma | 2 Project Center, Project Center Server | 2025-10-22 | 5.3 Medium |
| Newforma Info Exchange (NIX) stores credentials used to configure NPCS in 'HKLM\Software\WOW6432Node\Newforma\<version>\Credentials'. The credentials are encrypted but the encryption key is stored in the same registry location. Authenticated users can access both the credentials and the encryption key. If these are Active Directory credentials, an attacker may be able to gain access to additional systems and resources. | ||||
| CVE-2025-25732 | 1 Kapsch | 4 Ris-9160, Ris-9160 Firmware, Ris-9260 and 1 more | 2025-10-22 | 6.8 Medium |
| Incorrect access control in the EEPROM component of Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 allows attackers to replace password hashes stored in the EEPROM with hashes of their own, leading to the escalation of privileges to root. | ||||
| CVE-2025-48929 | 1 Smarsh | 1 Telemessage | 2025-10-22 | 4 Medium |
| The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary. | ||||
| CVE-2025-60856 | 1 Reolink | 2 Reolink, Video Doorbell | 2025-10-21 | 6.8 Medium |
| Reolink Video Doorbell WiFi DB_566128M5MP_W allows root shell access through an unsecured UART/serial console. An attacker with physical access can connect to the exposed interface and execute arbitrary commands with root privileges. NOTE: this is disputed by the Supplier because of "certain restrictions on users privately connecting serial port cables" and because "the root user has a password and it meets the requirements of password security complexity." | ||||
| CVE-2024-3502 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary-ai\/lunary | 2025-10-15 | 9.1 Critical |
| In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6. | ||||
| CVE-2024-39459 | 1 Jenkins | 1 Plain Credentials | 2025-10-10 | 4.3 Medium |
| In rare cases Jenkins Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system, where they can be viewed by users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission (folder-scoped credentials). | ||||
| CVE-2024-4995 | 2025-10-07 | 9.8 Critical | ||
| Wapro ERP Desktop is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. This issue affects Wapro ERP Desktop versions before 9.00.0. | ||||
| CVE-2025-34189 | 4 Apple, Linux, Printerlogic and 1 more | 6 Macos, Linux Kernel, Vasion Print and 3 more | 2025-10-02 | 7.8 High |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 1.0.735 and Application versions prior to 20.0.1330 (macOS/Linux client deployments) contain a vulnerability in the local inter-process communication (IPC) mechanism. The software stores IPC request and response files inside /opt/PrinterInstallerClient/tmp with world-readable and world-writable permissions. Any local user can craft malicious request files that are processed by privileged daemons, leading to unauthorized actions being executed in other user sessions. This breaks user session isolation, potentially allowing local attackers to hijack sessions, perform unintended actions in the context of other users, and impact system integrity and availability. This vulnerability has been identified by the vendor as: V-2022-004 — Client Inter-process Security. | ||||
| CVE-2025-46660 | 1 4cstrategies | 1 Exonaut | 2025-10-01 | 5.3 Medium |
| An issue was discovered in 4C Strategies Exonaut 21.6. Passwords, stored in the database, are hashed without a salt. | ||||
| CVE-2024-23445 | 1 Elastic | 1 Elasticsearch | 2025-09-26 | 6.5 Medium |
| It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned. This issue only affects the API key based security model for remote clusters https://www.elastic.co/guide/en/elasticsearch/reference/8.14/remote-clusters.html#remote-clusters-security-models that was previously a beta feature and is released as GA with 8.14.0 | ||||
| CVE-2025-2241 | 1 Redhat | 2 Acm, Multicluster Engine | 2025-09-25 | 8.2 High |
| A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation. | ||||
| CVE-2025-21041 | 2 Google, Samsung | 4 Android, Android, Mobile and 1 more | 2025-09-19 | 6.2 Medium |
| Insecure Storage of Sensitive Information in Secure Folder prior to Android 16 allows local attackers to access sensitive information. | ||||
| CVE-2024-32211 | 2 Logint, Lomag | 2 Lomag Warehouse Management, Warehouse Management | 2025-09-19 | 5.5 Medium |
| An issue in LOGINT LoMag Inventory Management v1.0.20.120 and before allows a local attacker to obtain sensitive information via the UserClass.cs and Settings.cs components. | ||||
| CVE-2024-22808 | 1 Tormach | 2 Pathpilot Controller, Xstech Cnc Router | 2025-09-15 | 7.5 High |
| An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to cause a Denial of Service (DoS) by disrupting the communication between the PathPilot controller and the CNC router via overwriting the card's name in the device memory. | ||||
| CVE-2025-54083 | 1 Calix | 1 Gigacenter Ont | 2025-09-12 | N/A |
| Insecure Storage of Sensitive Information vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows admin access to the web interface.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE. | ||||
| CVE-2025-21299 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-09-09 | 7.1 High |
| Windows Kerberos Security Feature Bypass Vulnerability | ||||
| CVE-2025-2157 | 1 Redhat | 1 Satellite | 2025-09-02 | 3.3 Low |
| A flaw was found in Foreman/Red Hat Satellite. Improper file permissions allow low-privileged OS users to monitor and access temporary files under /var/tmp, exposing sensitive command outputs, such as /etc/shadow. This issue can lead to information disclosure and privilege escalation if exploited effectively. | ||||
| CVE-2025-53507 | 2025-08-29 | N/A | ||
| Multiple products provided by iND Co.,Ltd contain an insecure storage of sensitive information vulnerability. If exploited, configuration information, such as admin password, may be disclosed. As for the details of affected product names and versions, refer to the information under [Product Status]. | ||||