Total
1801 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-4461 | 2025-11-28 | N/A | N/A | ||
| Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC. | |||||
| CVE-2025-12969 | 1 Treasuredata | 1 Fluent Bit | 2025-11-28 | N/A | 6.5 MEDIUM |
| Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By bypassing authentication controls, attackers can inject forged log records, flood alerting systems, or manipulate routing decisions, compromising the authenticity and integrity of ingested logs. | |||||
| CVE-2025-63435 | 1 Xtooltech | 1 Xtool Anyscan | 2025-11-28 | N/A | 4.3 MEDIUM |
| Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages.. | |||||
| CVE-2025-48742 | 1 Sigb | 1 Pmb | 2025-11-26 | N/A | 5.4 MEDIUM |
| The installer in SIGB PMB before and fixed in v.8.0.1.2 allows remote code execution. | |||||
| CVE-2025-12003 | 2025-11-25 | N/A | N/A | ||
| A path traversal vulnerability has been identified in WebDAV, which may allow unauthenticated remote attackers to impact the integrity of the device. Refer to the ' Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | |||||
| CVE-2025-63958 | 2025-11-25 | N/A | 9.8 CRITICAL | ||
| MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged administrative function. | |||||
| CVE-2024-14007 | 2025-11-25 | N/A | N/A | ||
| Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) versions prior to 1.3.4 contain an authentication bypass in the NVMS-9000 control protocol. By sending a single crafted TCP payload to an exposed NVMS-9000 control port, an unauthenticated remote attacker can invoke privileged administrative query commands without valid credentials. Successful exploitation discloses sensitive information including administrator usernames and passwords in cleartext, network and service configuration, and other device details via commands such as queryBasicCfg, queryUserList, queryEmailCfg, queryPPPoECfg, and queryFTPCfg. | |||||
| CVE-2025-13483 | 2025-11-25 | N/A | N/A | ||
| SiRcom SMART Alert (SiSA) allows unauthorized access to backend APIs. This allows an unauthenticated attacker to bypass the login screen using browser developer tools, gaining access to restricted parts of the application. | |||||
| CVE-2022-50591 | 1 Advantech | 1 Iview | 2025-11-24 | N/A | 9.8 CRITICAL |
| Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_config_id’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords. | |||||
| CVE-2022-50592 | 1 Advantech | 1 Iview | 2025-11-24 | N/A | 7.2 HIGH |
| Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘getInventoryReportData’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges. | |||||
| CVE-2022-50594 | 1 Advantech | 1 Iview | 2025-11-24 | N/A | 7.5 HIGH |
| Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘data’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords. | |||||
| CVE-2022-50595 | 1 Advantech | 1 Iview | 2025-11-24 | N/A | 7.2 HIGH |
| Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_search_value’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges. | |||||
| CVE-2025-61757 | 1 Oracle | 1 Identity Manager | 2025-11-24 | N/A | 9.8 CRITICAL |
| Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
| CVE-2025-64770 | 2025-11-21 | N/A | 6.8 MEDIUM | ||
| The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information. | |||||
| CVE-2025-11771 | 2025-11-21 | N/A | 5.3 MEDIUM | ||
| The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to manipulate presales counters. | |||||
| CVE-2025-62674 | 2025-11-21 | N/A | 6.8 MEDIUM | ||
| The affected product allows unauthenticated access to Real Time Streaming Protocol (RTSP) services, which may allow an attacker unauthorized access to camera configuration information. | |||||
| CVE-2025-25265 | 2025-11-21 | N/A | 4.9 MEDIUM | ||
| A web application for configuring the controller is accessible at a specific path. It contains an endpoint that allows a high privileged remote attacker to read files from the system’s file structure. | |||||
| CVE-2025-34039 | 2025-11-20 | N/A | N/A | ||
| A code injection vulnerability exists in Yonyou UFIDA NC v6.5 and prior due to the exposure of the BeanShell testing servlet (bsh.servlet.BshServlet) without proper access controls. The servlet allows unauthenticated remote attackers to execute arbitrary Java code via the bsh.script parameter. This can be exploited to run system commands and ultimately gain full control over the target server. The issue is rooted in a third-party JAR component bundled with the application, and the servlet is accessible without authentication on vulnerable installations. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC. | |||||
| CVE-2024-12847 | 1 Netgear | 2 Dgn1000, Dgn1000 Firmware | 2025-11-20 | N/A | 9.8 CRITICAL |
| NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been exploited in the wild since at least 2017 and specifically by the Shadowserver Foundation on 2025-02-06 UTC. | |||||
| CVE-2025-7897 | 1 Harry0703 | 1 Moneyprinterturbo | 2025-11-20 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this issue is the function verify_token of the file app/controllers/base.py of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. | |||||