Total
5667 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62978 | 1 Wordpress | 1 Wordpress | 2025-10-27 | 4.3 Medium |
| Missing Authorization vulnerability in Kiotviet KiotViet Sync kiotvietsync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiotViet Sync: from n/a through <= 1.8.5. | ||||
| CVE-2025-62964 | 1 Wordpress | 1 Wordpress | 2025-10-27 | 8.1 High |
| Missing Authorization vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MDTF: from n/a through <= 1.3.4. | ||||
| CVE-2025-62965 | 2 Admin Management Xtended Project, Wordpress | 2 Admin Management Xtended, Wordpress | 2025-10-27 | 7.2 High |
| Missing Authorization vulnerability in wpseek Admin Management Xtended admin-management-xtended allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin Management Xtended : from n/a through <= 2.5.1. | ||||
| CVE-2025-62977 | 1 Wordpress | 1 Wordpress | 2025-10-27 | 5.3 Medium |
| Missing Authorization vulnerability in 沃之涛 百度站长SEO合集(支持百度/神马/Bing/头条推送) baiduseo allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects 百度站长SEO合集(支持百度/神马/Bing/头条推送): from n/a through <= 2.1.3. | ||||
| CVE-2025-62966 | 1 Wordpress | 1 Wordpress | 2025-10-27 | 5.4 Medium |
| Missing Authorization vulnerability in Apiki GoCache gocache-cdn allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GoCache: from n/a through <= 1.3.6. | ||||
| CVE-2025-62973 | 2 Themekraft, Wordpress | 2 Buddyforms, Wordpress | 2025-10-27 | 5.3 Medium |
| Missing Authorization vulnerability in Themekraft BuddyForms buddyforms allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BuddyForms: from n/a through <= 2.9.0. | ||||
| CVE-2025-59461 | 1 Sick | 1 Tloc100-100 | 2025-10-27 | 7.6 High |
| A remote unauthenticated attacker may use the unauthenticated C++ API to access or modify sensitive data and disrupt services. | ||||
| CVE-2025-61755 | 1 Oracle | 1 Graalvm For Jdk | 2025-10-27 | 3.7 Low |
| Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.16 and 21.0.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). | ||||
| CVE-2025-11581 | 1 Powerjob | 1 Powerjob | 2025-10-27 | 5.3 Medium |
| A security vulnerability has been detected in PowerJob up to 5.1.2. This vulnerability affects unknown code of the file /openApi/runJob of the component OpenAPIController. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-11580 | 1 Powerjob | 1 Powerjob | 2025-10-27 | 5.3 Medium |
| A weakness has been identified in PowerJob up to 5.1.2. This affects the function list of the file /user/list. This manipulation causes missing authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-42968 | 1 Sap | 1 Netweaver | 2025-10-27 | 5 Medium |
| SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application. | ||||
| CVE-2025-42986 | 1 Sap | 3 Abap Platform, Netweaver, Sap Basis | 2025-10-27 | 4.3 Medium |
| Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application. | ||||
| CVE-2025-62614 | 1 Booklore | 1 Booklore | 2025-10-27 | N/A |
| BookLore is a self-hosted web app for organizing and managing personal book collections. In versions 1.8.1 and prior, an authentication bypass vulnerability in the BookMediaController allows any unauthenticated user to access and download book covers, thumbnails, and complete PDF/CBX page content without authorization. The vulnerability exists because multiple media endpoints lack proper access control annotations, and the CoverJwtFilter continues request processing even when no authentication token is provided. This enables attackers to enumerate and exfiltrate all book content from the system, bypassing the intended download permissions (canDownload) entirely. This issue has been patched via commit b226c43. | ||||
| CVE-2025-62256 | 1 Liferay | 2 Dxp, Portal | 2025-10-27 | N/A |
| Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not properly restrict access to OpenAPI in certain circumstances, which allows remote attackers to access the OpenAPI YAML file via a crafted URL. | ||||
| CVE-2021-39226 | 3 Fedoraproject, Grafana, Redhat | 5 Fedora, Grafana, Enterprise Linux and 2 more | 2025-10-24 | 9.8 Critical |
| Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects. | ||||
| CVE-2025-61751 | 1 Oracle | 1 Financial Services Analytical Applications Infrastructure | 2025-10-24 | 8.1 High |
| Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | ||||
| CVE-2025-22178 | 1 Atlassian | 1 Jira Align | 2025-10-24 | 4.3 Medium |
| Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view items on the "Why" page. | ||||
| CVE-2021-37976 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-10-24 | 6.5 Medium |
| Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | ||||
| CVE-2025-62021 | 1 Wordpress | 1 Wordpress | 2025-10-24 | 4.3 Medium |
| Missing Authorization vulnerability in Made Neat Acknowledgify acknowledgify.This issue affects Acknowledgify: from n/a through <= 1.1.3. | ||||
| CVE-2025-62019 | 2 Wordpress, Wpzoom | 2 Wordpress, Recipe Card Blocks For Gutenberg & Elementor | 2025-10-24 | 6.5 Medium |
| Missing Authorization vulnerability in WPZOOM Recipe Card Blocks for Gutenberg & Elementor recipe-card-blocks-by-wpzoom.This issue affects Recipe Card Blocks for Gutenberg & Elementor: from n/a through <= 3.4.8. | ||||