Total
1801 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-37415 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-10-31 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. | |||||
| CVE-2021-44077 | 1 Zohocorp | 3 Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus | 2025-10-31 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. | |||||
| CVE-2020-3952 | 1 Vmware | 1 Vcenter Server | 2025-10-30 | 6.8 MEDIUM | 9.8 CRITICAL |
| Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. | |||||
| CVE-2022-26925 | 1 Microsoft | 17 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 14 more | 2025-10-30 | 4.3 MEDIUM | 8.1 HIGH |
| Windows LSA Spoofing Vulnerability | |||||
| CVE-2025-41110 | 1 Ghostrobotics | 2 Vision 60, Vision 60 Firmware | 2025-10-30 | N/A | 8.8 HIGH |
| Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment. | |||||
| CVE-2025-41090 | 2025-10-30 | N/A | N/A | ||
| microCLAUDIA in v3.2.0 and prior has an improper access control vulnerability. This flaw allows an authenticated user to perform unauthorized actions on other organizations' systems by sending direct API requests. To do so, the attacker can use organization identifiers obtained through a compromised endpoint or deduced manually. This vulnerability allows access between tenants, enabling an attacker to list and manage remote assets, uninstall agents, and even delete vaccines configurations. | |||||
| CVE-2025-61777 | 1 Flagforge | 1 Flagforge | 2025-10-30 | N/A | 9.4 CRITICAL |
| Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available. | |||||
| CVE-2025-62586 | 1 Opexustech | 1 Foiaxpress | 2025-10-29 | N/A | 9.8 CRITICAL |
| OPEXUS FOIAXpress allows a remote, unauthenticated attacker to reset the administrator password. Fixed in FOIAXpress version 11.13.2.0. | |||||
| CVE-2025-7328 | 1 Rockwellautomation | 2 1783-natr, 1783-natr Firmware | 2025-10-29 | N/A | 9.8 CRITICAL |
| Multiple Broken Authentication security issues exist in the affected product. The security issues are due to missing authentication checks on critical functions. These could result in potential denial-of-service, admin account takeover, or NAT rule modifications. Devices would no longer be able to communicate through NATR as a result of denial-of-service or NAT rule modifications. NAT rule modification could also result in device communication to incorrect endpoints. Admin account takeover could allow modification of configuration and require physical access to restore. | |||||
| CVE-2025-53034 | 1 Oracle | 1 Financial Services Analytical Applications Infrastructure | 2025-10-28 | N/A | 5.4 MEDIUM |
| Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized read access to a subset of Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). | |||||
| CVE-2025-26359 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 9.8 CRITICAL |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests. | |||||
| CVE-2025-26360 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 5.3 MEDIUM |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests. | |||||
| CVE-2025-26361 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 9.1 CRITICAL |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests. | |||||
| CVE-2025-26362 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 7.5 HIGH |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests. | |||||
| CVE-2025-26363 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 7.5 HIGH |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests. | |||||
| CVE-2025-26364 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 7.5 HIGH |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests. | |||||
| CVE-2025-26365 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 7.5 HIGH |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests. | |||||
| CVE-2025-26366 | 1 Q-free | 1 Maxtime | 2025-10-28 | N/A | 7.5 HIGH |
| A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests. | |||||
| CVE-2025-11529 | 1 Churchcrm | 1 Churchcrm | 2025-10-27 | 7.5 HIGH | 7.3 HIGH |
| A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be exploited. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue. | |||||
| CVE-2022-21587 | 1 Oracle | 1 E-business Suite | 2025-10-27 | N/A | 9.8 CRITICAL |
| Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||