Total
1801 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11672 | 2025-10-14 | N/A | 5.3 MEDIUM | ||
| Uniweb/SoliPACS WebServer developed by EBM Technologies has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access a specific page to obtain user group names. | |||||
| CVE-2025-40771 | 2025-10-14 | N/A | 9.8 CRITICAL | ||
| A vulnerability has been identified in SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0) (All versions < V2.4.24), SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0) (All versions < V2.4.24), SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0) (All versions < V2.4.24), SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL (6AG2542-6VX00-4XE0) (All versions < V2.4.24), SIPLUS ET 200SP CP 1543SP-1 ISEC (6AG1543-6WX00-7XE0) (All versions < V2.4.24), SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (6AG2543-6WX00-4XE0) (All versions < V2.4.24). Affected devices do not properly authenticate configuration connections. This could allow an unauthenticated remote attacker to access the configuration data. | |||||
| CVE-2025-23356 | 2025-10-14 | N/A | 8.4 HIGH | ||
| NVIDIA Isaac Lab contains a vulnerability in SB3 configuration parsing. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | |||||
| CVE-2025-59358 | 1 Chaos-mesh | 1 Chaos Mesh | 2025-10-14 | N/A | 7.5 HIGH |
| The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service. | |||||
| CVE-2024-8074 | 2025-10-14 | N/A | N/A | ||
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users.This issue affects Nomysem: before 13.10.2024. | |||||
| CVE-2024-7015 | 1 Profelis | 1 Passbox | 2025-10-14 | N/A | 9.8 CRITICAL |
| Missing Authentication for Critical Function vulnerability in Profelis Informatics and Consulting PassBox allows Authentication Abuse.This issue affects PassBox: before v1.2. | |||||
| CVE-2024-6406 | 2025-10-14 | N/A | N/A | ||
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data.This issue affects Mobile Library Application: before 5.0. | |||||
| CVE-2024-4428 | 1 Menulux | 1 Managment Portal | 2025-10-14 | N/A | 9.8 CRITICAL |
| Missing Authentication for Critical Function, Missing Authorization vulnerability in Menulux Information Technologies Managment Portal allows Collect Data as Provided by Users.This issue affects Managment Portal: through 21.05.2024. | |||||
| CVE-2024-1662 | 1 Porty | 1 Powerbank | 2025-10-14 | N/A | 7.5 HIGH |
| Missing Authentication for Critical Function, Missing Authorization vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data.This issue affects PowerBank Application: before 2.02. | |||||
| CVE-2024-0949 | 2025-10-14 | N/A | 9.8 CRITICAL | ||
| Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass.This issue affects Elektraweb: before v17.0.68. | |||||
| CVE-2024-0336 | 2025-10-14 | N/A | N/A | ||
| Missing Authentication for Critical Function vulnerability in EMTA Grup PDKS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDKS: from V3.04 before 20240603. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-59345 | 1 Linuxfoundation | 1 Dragonfly | 2025-10-13 | N/A | 9.1 CRITICAL |
| Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs. An unauthenticated adversary with network access to a Manager web UI uses /api/v1/jobs endpoint to create hundreds of useless jobs. The Manager is in a denial-of-service state, and stops accepting requests from valid administrators. This vulnerability is fixed in 2.1.0. | |||||
| CVE-2025-40664 | 1 Tcman | 1 Gim | 2025-10-10 | N/A | 9.1 CRITICAL |
| Missing authentication vulnerability in TCMAN GIM v11. This allows an unauthenticated attacker to access the resources /frmGestionUser.aspx/GetData, /frmGestionUser.aspx/updateUser and /frmGestionUser.aspx/DeleteUser. | |||||
| CVE-2025-45814 | 1 Novelsat | 4 Ns2000, Ns2000 Firmware, Ns3000 and 1 more | 2025-10-10 | N/A | 9.8 CRITICAL |
| Missing authentication checks in the query.fcgi endpoint of NS3000 v8.1.1.125110 , v7.2.8.124852 , and v7.x and NS2000 v7.02.08 allows attackers to execute a session hijacking attack. | |||||
| CVE-2025-4018 | 1 Xxyopen | 1 Novel-plus | 2025-10-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This issue affects the function addCrawlSource of the file novel-crawl/src/main/java/com/java2nb/novel/controller/CrawlController.java. The manipulation leads to missing authentication. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-4019 | 1 Xxyopen | 1 Novel-plus | 2025-10-10 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability, which was classified as critical, was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. Affected is the function genCode of the file novel-admin/src/main/java/com/java2nb/common/controller/GeneratorController.java. The manipulation leads to missing authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-34232 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-09 | N/A | 5.3 MEDIUM |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a blind server-side request forgery (SSRF) vulnerability reachable via the /var/www/app/console_release/lexmark/dellCheck.php script that can be exploited by an unauthenticated user. When a printer is registered, the software stores the printer’s host name in the variable $printer_vo->str_host_address. The code later builds a URL like 'http://<host‑address>:80/DevMgmt/DiscoveryTree.xml' and sends the request with curl. No validation, whitelist, or private‑network filtering is performed before the request is made. Because the request is blind, an attacker cannot see the data directly, but can still: probe internal services, trigger internal actions, or gather other intelligence. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced. | |||||
| CVE-2025-34228 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-09 | N/A | 8.6 HIGH |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `/var/www/app/console_release/lexmark/update.php` script is reachable from the internet without any authentication. The PHP script builds URLs from user‑controlled values and then invokes either 'curl_exec()` or `file_get_contents()` without proper validation. Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced. | |||||
| CVE-2025-34225 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-09 | N/A | 8.6 HIGH |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `console_release` directory is reachable from the internet without any authentication. Inside that directory are dozens of PHP scripts that build URLs from user‑controlled values and then invoke either 'curl_exec()` or `file_get_contents()` without proper validation. Although many files attempt to mitigate SSRF by calling `filter_var', the checks are incomplete. Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced. | |||||
| CVE-2025-34224 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-09 | N/A | 9.1 CRITICAL |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose a set of PHP scripts under the `console_release` directory without requiring authentication. An unauthenticated remote attacker can invoke these endpoints to re‑configure networked printers, add or delete RFID badge devices, or otherwise modify device settings. This vulnerability has been identified by the vendor as: V-2024-029 — No Authentication to Modify Devices. | |||||