Total
209 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-17736 | 1 Kentico | 1 Xperience | 2025-12-19 | N/A |
| Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard. | ||||
| CVE-2025-65011 | 2025-12-19 | N/A | ||
| In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) an unauthorised user can view configuration files by directly referencing the resource in question. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2025-67844 | 2025-12-19 | 5 Medium | ||
| The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields provided during configuration belong to the specific GitHub App Installation ID associated with the user's organization. | ||||
| CVE-2025-26381 | 1 Johnsoncontrols | 1 Openblue Workplace | 2025-12-18 | N/A |
| Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information. | ||||
| CVE-2025-14697 | 1 Shenzhen Sixun | 1 Business Management System | 2025-12-15 | 3.7 Low |
| A security flaw has been discovered in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this issue is some unknown functionality of the file /ExportFiles/. The manipulation results in files or directories accessible. The attack may be launched remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6195 | 1 Gitlab | 1 Gitlab | 2025-12-10 | 4.3 Medium |
| GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions. | ||||
| CVE-2025-57823 | 1 Fortinet | 1 Fortiauthenticator | 2025-12-09 | 2.6 Low |
| A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints | ||||
| CVE-2024-0861 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 4.3 Medium |
| An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the `Guest` role can change `Custom dashboard projects` settings contrary to permissions. | ||||
| CVE-2023-4018 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 4.3 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to create model experiments in public projects. | ||||
| CVE-2025-62778 | 1 Frappe | 3 Frappe, Frappe Lms, Learning | 2025-11-03 | 5.3 Medium |
| Frappe Learning is a learning management system. A security issue was identified in Frappe Learning 2.39.1 and earlier, where students were able to access the Quiz Form if they had the URL. | ||||
| CVE-2021-26085 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2025-10-24 | 5.3 Medium |
| Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3. | ||||
| CVE-2024-45195 | 1 Apache | 1 Ofbiz | 2025-10-23 | 9.8 Critical |
| Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. | ||||
| CVE-2025-6352 | 2 Code-projects, Fabian | 2 Automated Voting System, Automated Voting System | 2025-10-23 | 5.3 Medium |
| A vulnerability classified as problematic has been found in code-projects Automated Voting System 1.0. Affected is an unknown function of the file /vote.php of the component Backend. The manipulation leads to direct request. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-11280 | 1 Frappe | 2 Frappe Lms, Learning | 2025-10-07 | 3.7 Low |
| A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them. | ||||
| CVE-2025-1542 | 2025-10-03 | N/A | ||
| Improper permission control vulnerability in the OXARI ServiceDesk application could allow an attacker using a guest access or an unprivileged account to gain additional administrative permissions in the application.This issue affects OXARI ServiceDesk in versions before 2.0.324.0. | ||||
| CVE-2025-41404 | 1 Irohasoft | 1 Iroha Board | 2025-09-30 | N/A |
| Direct request ('Forced Browsing') issue exists in iroha Board versions v0.10.12 and earlier. If this vulnerability is exploited, non-public contents may be viewed by an attacker who can log in to the affected product. | ||||
| CVE-2024-55075 | 1 Grocy Project | 1 Grocy | 2025-09-29 | 4.3 Medium |
| Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not shown in the UI, such as calendar and recipes. | ||||
| CVE-2025-59797 | 2025-09-22 | 5.8 Medium | ||
| Profession Fit 5.0.99 Build 44910 allows authorization bypass via a direct request for /api/challenges/{id} and also URLs for eversports, the user-management page, and the plane page. | ||||
| CVE-2025-10287 | 1 Roncoo | 1 Roncoo-pay | 2025-09-15 | 3.1 Low |
| A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The affected element is an unknown function of the file /auth/orderQuery. Such manipulation of the argument orderNo leads to direct request. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-9945 | 2025-08-29 | 5.3 Medium | ||
| An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders. | ||||