Total
591 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49124 | 1 Apache | 1 Tomcat | 2025-10-29 | 8.4 High |
| Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | ||||
| CVE-2025-12247 | 1 Hasleo | 1 Backup Suite | 2025-10-27 | 7 High |
| A weakness has been identified in Hasleo Backup Suite up to 5.2. Impacted is an unknown function of the component HasleoImageMountService/HasleoBackupSuiteService. This manipulation causes unquoted search path. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been made available to the public and could be exploited. Upgrading the affected component is advised. | ||||
| CVE-2025-12286 | 1 Veepn | 1 Veepn | 2025-10-27 | 7 High |
| A weakness has been identified in VeePN up to 1.6.2. This affects an unknown function of the file C:\Program Files (x86)\VeePN\avservice\avservice.exe of the component AVService. This manipulation causes unquoted search path. The attack requires local access. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-23748 | 2 Audinate, Microsoft | 2 Dante Application Library, Windows | 2025-10-24 | 7.8 High |
| mDNSResponder.exe is vulnerable to DLL Sideloading attack. Executable improperly specifies how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker could be using the valid and legitimate executable to load malicious files. | ||||
| CVE-2025-59489 | 6 Apple, Google, Linux and 3 more | 7 Macos, Android, Linux and 4 more | 2025-10-22 | 7.4 High |
| Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications. | ||||
| CVE-2022-22047 | 1 Microsoft | 16 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 13 more | 2025-10-22 | 7.8 High |
| Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | ||||
| CVE-2025-11940 | 2 Librewolf, Microsoft | 2 Librewolf, Windows | 2025-10-21 | 7 High |
| A security vulnerability has been detected in LibreWolf up to 143.0.4-1 on Windows. This affects an unknown function of the file assets/setup.nsi of the component Installer. Such manipulation leads to uncontrolled search path. The attack must be carried out locally. Attacks of this nature are highly complex. The exploitability is reported as difficult. Upgrading to version 144.0-1 mitigates this issue. The name of the patch is dd10e31dd873e9cb309fad8aed921d45bf905a55. It is suggested to upgrade the affected component. | ||||
| CVE-2023-1521 | 1 Mozilla | 1 Sccache | 2025-10-15 | 7.8 High |
| On Linux the sccache client can execute arbitrary code with the privileges of a local sccache server, by preloading the code in a shared library passed to LD_PRELOAD. If the server is run as root (which is the default when installing the snap package https://snapcraft.io/sccache ), this means a user running the sccache client can get root privileges. | ||||
| CVE-2023-36422 | 1 Microsoft | 1 Windows Defender | 2025-10-09 | 7.8 High |
| Microsoft Windows Defender Elevation of Privilege Vulnerability | ||||
| CVE-2023-36393 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-10-08 | 7.8 High |
| Windows User Interface Application Core Remote Code Execution Vulnerability | ||||
| CVE-2025-9267 | 2 Microsoft, Seagate | 2 Windows, Toolkit | 2025-09-29 | N/A |
| In Seagate Toolkit on Windows a vulnerability exists in the Toolkit Installer prior to versions 2.35.0.6 where it attempts to load DLLs from the current working directory without validating their origin or integrity. This behavior can be exploited by placing a malicious DLL in the same directory as the installer executable, leading to arbitrary code execution with the privileges of the user running the installer. The issue stems from the use of insecure DLL loading practices, such as relying on relative paths or failing to specify fully qualified paths when invoking system libraries. | ||||
| CVE-2024-11454 | 1 Autodesk | 1 Revit | 2025-09-26 | 7.8 High |
| A maliciously crafted DLL file, when placed in the same directory as an RVT file could be loaded by Autodesk Revit, and execute arbitrary code in the context of the current process due to an untrusted search patch being utilized. | ||||
| CVE-2025-1398 | 2 Apple, Mattermost | 3 Macos, Mattermost, Mattermost Desktop | 2025-09-25 | 3.3 Low |
| Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection. | ||||
| CVE-2024-53866 | 1 Pnpm | 1 Pnpm | 2025-09-22 | 9.8 Critical |
| The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B. Users generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it). Here, that expectation is broken. Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs. Version 9.15.0 fixes the issue. As a work-around, use separate cache and store dirs in each workspace. | ||||
| CVE-2025-9000 | 1 Mechrevo | 1 Control Center Gx V2 | 2025-09-11 | 7 High |
| A vulnerability was found in Mechrevo Control Center GX V2 5.56.51.48. Affected by this vulnerability is an unknown functionality of the component reg File Handler. The manipulation leads to uncontrolled search path. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-9016 | 1 Mechrevo | 1 Control Center Gx V2 | 2025-09-11 | 7 High |
| A vulnerability was identified in Mechrevo Control Center GX V2 5.56.51.48. This affects an unknown part of the file C:\Program Files\OEM\机械革命控制中心\AiStoneService\MyControlCenter\Command of the component Powershell Script Handler. The manipulation leads to uncontrolled search path. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-21399 | 1 Microsoft | 2 Edge, Edge Update | 2025-09-09 | 7.4 High |
| Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability | ||||
| CVE-2025-21365 | 1 Microsoft | 2 365 Apps, Office Long Term Servicing Channel | 2025-09-09 | 7.8 High |
| Microsoft Office Remote Code Execution Vulnerability | ||||
| CVE-2025-49457 | 1 Zoom | 7 Meeting Software Development Kit, Rooms, Rooms Controller and 4 more | 2025-09-08 | 9.6 Critical |
| Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access | ||||
| CVE-2025-49456 | 1 Zoom | 7 Meeting Software Development Kit, Rooms, Rooms Controller and 4 more | 2025-09-08 | 6.2 Medium |
| Race condition in the installer for certain Zoom Clients for Windows may allow an unauthenticated user to impact application integrity via local access. | ||||