Total
1618 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-45150 | 3 Langchain, Langchain-ai, X-d Lab | 3 Langchain, Langchain, Langchain-chatglm-webui | 2025-10-17 | 9.8 Critical |
| Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive files via supplying a crafted request. | ||||
| CVE-2025-45471 | 1 Lumigo | 1 Measure-cold-start | 2025-10-14 | 8.8 High |
| Insecure permissions in measure-cold-start v1.4.1 allows attackers to escalate privileges and compromise the customer cloud account. | ||||
| CVE-2025-45472 | 1 Lumigo | 1 Autodeploy-layer | 2025-10-14 | 8.8 High |
| Insecure permissions in autodeploy-layer v1.2.0 allows attackers to escalate privileges and compromise the customer cloud account. | ||||
| CVE-2025-2098 | 2025-10-03 | N/A | ||
| Fast CAD Reader application on MacOS was found to be installed with incorrect file permissions (rwxrwxrwx). This is inconsistent with standard macOS security practices, where applications should have drwxr-xr-x permissions. Incorrect permissions allow for Dylib Hijacking. Guest account, other users and applications can exploit this vulnerability for privilege escalation. This issue affects Fast CAD ReaderĀ in possibly all versions since the vendor has not responded to our messages. The tested version was 4.1.5 | ||||
| CVE-2025-1413 | 2025-10-03 | N/A | ||
| DaVinci Resolve on MacOS was found to be installed with incorrect file permissions (rwxrwxrwx). This is inconsistent with standard macOS security practices, where applications should have drwxr-xr-x permissions. Incorrect permissions allow for Dylib Hijacking. Guest account, other users and applications can exploit this vulnerability for privilege escalation. This issue affects DaVinci Resolve on MacOS in versionsĀ before 19.1.3. | ||||
| CVE-2025-36193 | 1 Ibm | 1 Transformation Advisor | 2025-09-29 | 8.4 High |
| IBM Transformation Advisor 2.0.1 through 4.3.1 incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Transformation Advisor Operator Catalog image. | ||||
| CVE-2024-24910 | 2 Checkpoint, Microsoft | 3 Identity Agent, Zonealarm Extreme Security, Windows | 2025-09-29 | 7.3 High |
| A local attacker can erscalate privileges on affected Check Point ZoneAlarm ExtremeSecurity NextGen, Identity Agent for Windows, and Identity Agent for Windows Terminal Server. To exploit this vulnerability, an attacker must first obtain the ability to execute local privileged code on the target system. | ||||
| CVE-2023-35841 | 2 Phoenix, Phoenixtech | 2 Winflash Driver, Winflash | 2025-09-25 | 7.8 High |
| Exposed IOCTL with Insufficient Access Control in Phoenix WinFlash Driver on Windows allows Privilege Escalation which allows for modification of system firmware.This issue affects WinFlash Driver: before 4.5.0.0. | ||||
| CVE-2022-34112 | 1 Dataease | 1 Dataease | 2025-09-24 | 6.5 Medium |
| An access control issue in the component /api/plugin/uninstall Dataease v1.11.1 allows attackers to arbitrarily uninstall the plugin, a right normally reserved for the administrator. | ||||
| CVE-2023-4665 | 1 Adobe | 1 Connect | 2025-09-24 | 8.8 High |
| Incorrect Execution-Assigned Permissions vulnerability in Saphira Saphira Connect allows Privilege Escalation.This issue affects Saphira Connect: before 9. | ||||
| CVE-2024-52328 | 1 Ecovacs | 28 Airbot Andy, Airbot Andy Firmware, Airbot Ava and 25 more | 2025-09-23 | 2.3 Low |
| ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on. | ||||
| CVE-2025-10059 | 1 Mongodb | 1 Mongodb | 2025-09-22 | 6.5 Medium |
| An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6. | ||||
| CVE-2024-38646 | 1 Qnap | 1 Notes Station 3 | 2025-09-20 | 6.0 Medium |
| An incorrect permission assignment for critical resource vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow local authenticated attackers who have gained administrator access to read or modify the resource. We have already fixed the vulnerability in the following version: Notes Station 3 3.9.7 and later | ||||
| CVE-2025-0164 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2025-09-20 | 2.3 Low |
| IBM QRadar SIEM 7.5 through 7.5 Update Pack 13 Independent Fix 01 could allow a local privileged user to perform unauthorized actions on configuration files due to improper permission assignment. | ||||
| CVE-2025-8042 | 2 Google, Mozilla | 2 Android, Firefox | 2025-09-19 | 9.8 Critical |
| Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability affects Firefox < 141. | ||||
| CVE-2025-52873 | 1 Cognex | 2 In-sight Camera Firmware, In-sight Explorer | 2025-09-19 | 8.1 High |
| Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication. A user with protected privileges can successfully invoke the SetSystemConfig functionality to modify relevant device properties (such as network settings), contradicting the security model proposed in the user manual. | ||||
| CVE-2025-54497 | 1 Cognex | 2 In-sight Camera Firmware, In-sight Explorer | 2025-09-19 | 8.1 High |
| Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication. A user with protected privileges can successfully invoke the SetSerialPort functionality to modify relevant device properties (such as serial interface settings), contradicting the security model proposed in the user manual. | ||||
| CVE-2025-10643 | 1 Wondershare | 1 Repairit | 2025-09-19 | N/A |
| Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Wondershare Repairit. Authentication is not required to exploit this vulnerability. The specific flaw exists within the permissions granted to a storage account token. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26902. | ||||
| CVE-2025-59349 | 2 Dragonflyoss, Linuxfoundation | 2 Dragonfly2, Dragonfly | 2025-09-18 | 3.3 Low |
| Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. This vulnerability is fixed in 2.1.0. | ||||
| CVE-2025-57392 | 1 Benimpos | 1 Benimpos | 2025-09-17 | 7.8 High |
| BenimPOS Masaustu 3.0.x is affected by insecure file permissions. The application installation directory grants Everyone and BUILTIN\Users groups FILE_ALL_ACCESS, allowing local users to replace or modify .exe and .dll files. This may lead to privilege escalation or arbitrary code execution upon launch by another user or elevated context. | ||||