Total
5857 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-64148 | 1 Jenkins | 1 Publish To Bitbucket | 2025-11-04 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||||
| CVE-2025-64142 | 1 Jenkins | 1 Nexus Task Runner | 2025-11-04 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||||
| CVE-2025-64139 | 1 Jenkins | 1 Start Windocks Container | 2025-11-04 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | |||||
| CVE-2025-64137 | 1 Jenkins | 1 Themis | 2025-11-04 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Themis Plugin 1.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | |||||
| CVE-2025-64132 | 2025-11-04 | N/A | 5.4 MEDIUM | ||
| Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain information about job and cloud configuration they should not be able to access. | |||||
| CVE-2025-59475 | 1 Jenkins | 1 Jenkins | 2025-11-04 | N/A | 4.3 MEDIUM |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed). | |||||
| CVE-2025-59474 | 1 Jenkins | 1 Jenkins | 2025-11-04 | N/A | 5.3 MEDIUM |
| Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget. | |||||
| CVE-2025-58460 | 1 Jenkins | 1 Opentelemetry | 2025-11-04 | N/A | 4.2 MEDIUM |
| A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||||
| CVE-2025-49829 | 1 Cyberark | 1 Conjur | 2025-11-04 | N/A | 6.5 MEDIUM |
| Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allows authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. | |||||
| CVE-2023-42896 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-11-04 | N/A | 5.5 MEDIUM |
| An issue was addressed with improved handling of temporary files. This issue is fixed in macOS Monterey 12.7.2, macOS Ventura 13.6.3, iOS 17.2 and iPadOS 17.2, iOS 16.7.3 and iPadOS 16.7.3, macOS Sonoma 14.2. An app may be able to modify protected parts of the file system. | |||||
| CVE-2023-39167 | 1 Enbw | 2 Senec Storage Box, Senec Storage Box Firmware | 2025-11-04 | N/A | 7.5 HIGH |
| In SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data. | |||||
| CVE-2024-23230 | 1 Apple | 1 Macos | 2025-11-04 | N/A | 5.5 MEDIUM |
| This issue was addressed with improved file handling. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to access sensitive user data. | |||||
| CVE-2024-40834 | 1 Apple | 1 Macos | 2025-11-04 | N/A | 4.4 MEDIUM |
| This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sonoma 14.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. A shortcut may be able to bypass sensitive Shortcuts app settings. | |||||
| CVE-2024-40852 | 1 Apple | 2 Ipados, Iphone Os | 2025-11-04 | N/A | 5.3 MEDIUM |
| This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18 and iPadOS 18. An attacker may be able to see recent photos without authentication in Assistive Access. | |||||
| CVE-2025-11975 | 2025-11-04 | N/A | 4.3 MEDIUM | ||
| The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_changes() function in all versions up to, and including, 1.1.23.0. This makes it possible for unauthenticated attackers to add and edit sync rules. | |||||
| CVE-2025-12041 | 2025-11-04 | N/A | 5.3 MEDIUM | ||
| The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'erifl_file' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to download files restricted to specific user roles. | |||||
| CVE-2025-12180 | 2025-11-04 | N/A | 4.3 MEDIUM | ||
| The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the `qi-blocks/v1/update-styles` REST API endpoint without proper sanitization in the `update_global_styles_callback()` function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary CSS, which can be used to perform actions such as hiding content, overlaying fake UI elements, or exfiltrating sensitive information via CSS injection techniques. | |||||
| CVE-2025-11816 | 2025-11-04 | N/A | 5.3 MEDIUM | ||
| The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan. | |||||
| CVE-2025-11833 | 2025-11-04 | N/A | 9.8 CRITICAL | ||
| The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it possible for unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover. | |||||
| CVE-2025-12175 | 2025-11-04 | N/A | 4.3 MEDIUM | ||
| The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them. | |||||