Total
5718 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1891 | 1 Qzw1210 | 1 Shishuocms | 2025-08-28 | 4.3 Medium |
| A vulnerability was found in shishuocms 1.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-39546 | 1 Juniper | 1 Junos Os Evolved | 2025-08-27 | 7.3 High |
| A Missing Authorization vulnerability in the Socket Intercept (SI) command file interface of Juniper Networks Junos OS Evolved allows an authenticated, low-privilege local attacker to modify certain files, allowing the attacker to cause any command to execute with root privileges leading to privilege escalation ultimately compromising the system. This issue affects Junos OS Evolved: * All versions prior to 21.2R3-S8-EVO, * 21.4 versions prior to 21.4R3-S6-EVO, * 22.1 versions prior to 22.1R3-S5-EVO, * 22.2 versions prior to 22.2R3-S3-EVO, * 22.3 versions prior to 22.3R3-S3-EVO, * 22.4 versions prior to 22.4R3-EVO, * 23.2 versions prior to 23.2R2-EVO. | ||||
| CVE-2025-8992 | 2 Mblog Project, Mtons | 2 Mblog, Mblog | 2025-08-27 | 4.3 Medium |
| A vulnerability has been found in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-10824 | 1 Github | 1 Enterprise Server | 2025-08-27 | 6.5 Medium |
| An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed unauthorized internal users to access sensitive secret scanning alert data intended only for business owners. This issue could be exploited only by organization members with a personal access token (PAT) and required that secret scanning be enabled on user-owned repositories. This vulnerability affected GitHub Enterprise Server versions after 3.13.0 but prior to 3.14.0 and was fixed in version 3.13.2. | ||||
| CVE-2024-5570 | 2 Tobias Cichon, Zitscher | 2 Simple Photoswipe, Simple Photoswipe | 2025-08-27 | 6.5 Medium |
| The Simple Photoswipe WordPress plugin through 0.1 does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them | ||||
| CVE-2024-12812 | 1 Wedevs | 1 Wp Erp | 2025-08-27 | 7.5 High |
| The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employees. | ||||
| CVE-2024-8860 | 2 Themefic, Wordpress | 2 Tourfic, Wordpress | 2025-08-27 | 4.3 Medium |
| The Tourfic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields functions in all versions up to, and including, 2.14.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields, respectively. | ||||
| CVE-2025-48108 | 1 Wordpress | 1 Wordpress | 2025-08-27 | 6.5 Medium |
| Missing Authorization vulnerability in Mojoomla School Management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects School Management: from n/a through 93.2.0. | ||||
| CVE-2024-43090 | 1 Google | 1 Android | 2025-08-26 | 5 Medium |
| In multiple locations, there is a possible cross-user image read due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2025-7717 | 1 File Download Project | 1 File Download | 2025-08-26 | 7.5 High |
| Missing Authorization vulnerability in Drupal File Download allows Forceful Browsing.This issue affects File Download: from 0.0.0 before 1.9.0, from 2.0.0 before 2.0.1. | ||||
| CVE-2025-2506 | 2025-08-26 | 5.3 Medium | ||
| When pglogical attempts to replicate data, it does not verify it is using a replication connection, which means a user with CONNECT access to a database configured for replication can execute the pglogical command to obtain read access to replicated tables. When pglogical runs it should verify it is running on a replication connection but does not perform this check. This vulnerability was introduced in the pglogical 3.x codebase, which is proprietary to EDB. The same code base has been integrated into BDR/PGD 4 and 5. To exploit the vulnerability the attacker needs at least CONNECT permissions to a database configured for replication and must understand a number of pglogical3/BDR specific commands and be able to decode the binary protocol. | ||||
| CVE-2024-22151 | 1 Codection | 1 Import And Export Users And Customers | 2025-08-26 | 5.3 Medium |
| Missing Authorization vulnerability in Codection Import and export users and customers.This issue affects Import and export users and customers: from n/a through 1.24.6. | ||||
| CVE-2025-45854 | 1 Jehc | 1 Jehc-bpm | 2025-08-26 | 10 Critical |
| /server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams. | ||||
| CVE-2025-27505 | 2 Geoserver, Osgeo | 2 Geoserver, Geoserver | 2025-08-26 | 5.3 Medium |
| GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer. | ||||
| CVE-2025-24021 | 1 Combodo | 1 Itop | 2025-08-26 | 5 Medium |
| iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue. | ||||
| CVE-2025-7828 | 1 Wordpress | 1 Wordpress | 2025-08-25 | 4.3 Medium |
| The WP Filter & Combine RSS Feeds plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the post_listing_page() function in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete feeds. | ||||
| CVE-2025-7821 | 1 Wordpress | 1 Wordpress | 2025-08-25 | 5.3 Medium |
| The WC Plus plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pluswc_logo_favicon_logo_base' AJAX action in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update the site's favicon logo base. | ||||
| CVE-2025-7827 | 3 Anzia, Woocommerce, Wordpress | 3 Ni Woocommerce Customer Product Report, Woocommerce, Wordpress | 2025-08-25 | 4.3 Medium |
| The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings. | ||||
| CVE-2025-20302 | 1 Cisco | 2 Firepower Management Center, Secure Firewall Management Center | 2025-08-25 | 4.3 Medium |
| A vulnerability in the web-based management interface of Cisco Secure FMC Software could allow an authenticated, low-privileged, remote attacker to retrieve a generated report from a different domain. This vulnerability is due to missing authorization checks. An attacker could exploit this vulnerability by directly accessing a generated report file for a different domain that is managed on the same Cisco Secure FMC instance. A successful exploit could allow the attacker to access a previously run report for a different domain, which could allow an attacker to read activity recorded in that domain. | ||||
| CVE-2025-20301 | 1 Cisco | 2 Firepower Management Center, Secure Firewall Management Center | 2025-08-25 | 6.5 Medium |
| A vulnerability in the web-based management interface of Cisco Secure FMC Software could allow an authenticated, low-privileged, remote attacker to access troubleshoot files for a different domain. This vulnerability is due to missing authorization checks. An attacker could exploit this vulnerability by directly accessing a troubleshoot file for a different domain that is managed on the same Cisco Secure FMC instance. A successful exploit could allow the attacker to retrieve a troubleshoot file for a different domain, which could allow the attacker to access sensitive information contained in the troubleshoot file. | ||||