Total
4104 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-47221 | 1 Keyfactor | 1 Signserver | 2025-11-24 | N/A | 5.3 MEDIUM |
| Keyfactor SignServer before 7.3.1 has Incorrect Access Control, issue 2 of 3. | |||||
| CVE-2025-47220 | 1 Keyfactor | 1 Signserver | 2025-11-24 | N/A | 5.3 MEDIUM |
| Keyfactor SignServer before 7.3.1 has Incorrect Access Control, issue 1 of 3. | |||||
| CVE-2024-8164 | 1 Beikeshop | 1 Beikeshop | 2025-11-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was determined in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. This affects the function rename of the file /Admin/Http/Controllers/FileManagerController.php. This manipulation of the argument new_name causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.6.0 is able to mitigate this issue. The affected component should be upgraded. | |||||
| CVE-2025-13185 | 1 Bdtask | 1 News365 | 2025-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A security flaw has been discovered in Bdtask/CodeCanyon News365 up to 7.0.3. This affects an unknown function of the file /admin/dashboard/profile. The manipulation of the argument profile_image/banner_image results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-13238 | 1 Bdtask | 1 Flight Booking Software | 2025-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in Bdtask Flight Booking Software 4. Affected by this vulnerability is an unknown functionality of the file /agent/profile/edit of the component Edit Profile Page. This manipulation causes unrestricted upload. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-12223 | 1 Bdtask | 1 Flight Booking Software | 2025-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in Bdtask Flight Booking Software up to 3.1. This affects an unknown part of the file /b2c/package-information of the component Package Information Module. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-12222 | 1 Bdtask | 1 Flight Booking Software | 2025-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security vulnerability has been detected in Bdtask Flight Booking Software up to 3.1. Affected by this issue is some unknown functionality of the file /admin/transaction/deposit of the component Deposit Handler. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-9804 | 1 Wso2 | 15 Api Control Plane, Api Manager, Api Manager Analytics and 12 more | 2025-11-21 | N/A | 9.6 CRITICAL |
| An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected. | |||||
| CVE-2025-13423 | 1 Campcodes | 1 Retro Basketball Shoes Online Store | 2025-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_product.php. Executing manipulation of the argument product_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. | |||||
| CVE-2025-41737 | 1 Metz-connect | 6 Ewio2-bm, Ewio2-bm Firmware, Ewio2-m and 3 more | 2025-11-21 | N/A | 7.5 HIGH |
| Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules. | |||||
| CVE-2025-12862 | 1 Projectworlds | 1 Online Notes Sharing Platform | 2025-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in projectworlds Online Notes Sharing Platform 1.0. Affected by this issue is some unknown functionality of the file /dashboard/userprofile.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be performed from remote. The exploit is publicly available and might be used. | |||||
| CVE-2025-63214 | 2025-11-21 | N/A | 6.5 MEDIUM | ||
| An issue was discovered in bridgetech VBC Server & Element Manager, firmware version 6.5.0-10 , 6.5.0-9, allowing unauthorized attackers to delete and create arbitrary accounts. | |||||
| CVE-2025-7895 | 1 Harry0703 | 1 Moneyprinterturbo | 2025-11-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in harry0703 MoneyPrinterTurbo up to 1.2.6. Affected is the function upload_bgm_file of the file app/controllers/v1/video.py of the component File Extension Handler. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. | |||||
| CVE-2025-13250 | 1 Datax-web Project | 1 Datax-web | 2025-11-20 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in WeiYe-Jing datax-web up to 2.1.2. This impacts the function remove/update/pause/start/triggerJob of the component Job Handler. Performing manipulation results in improper access controls. The attack may be initiated remotely. The exploit is now public and may be used. | |||||
| CVE-2025-59512 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2025-11-20 | N/A | 7.8 HIGH |
| Improper access control in Customer Experience Improvement Program (CEIP) allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-63223 | 2025-11-20 | N/A | 9.8 CRITICAL | ||
| The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. | |||||
| CVE-2025-54561 | 1 Desktopalert | 1 Pingalert Application Server | 2025-11-20 | N/A | 4.3 MEDIUM |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote access to content despite lack of the correct permission through a Broken Authorization Schema. | |||||
| CVE-2025-63219 | 2025-11-19 | N/A | 7.5 HIGH | ||
| The ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and compromise system integrity. | |||||
| CVE-2025-54339 | 1 Desktopalert | 1 Pingalert Application Server | 2025-11-19 | N/A | 10.0 CRITICAL |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | |||||
| CVE-2025-54343 | 1 Desktopalert | 1 Pingalert Application Server | 2025-11-19 | N/A | 9.6 CRITICAL |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 exploitable remotely for Escalation of Privileges. | |||||