Total
2367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-11802 | 1 Apache | 1 Solr | 2025-11-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin). | |||||
| CVE-2025-59451 | 2025-11-26 | N/A | 3.5 LOW | ||
| The YoSmart YoLink application through 2025-10-02 has session tokens with unexpectedly long lifetimes. | |||||
| CVE-2025-59449 | 2025-11-26 | N/A | 4.9 MEDIUM | ||
| The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user's devices. | |||||
| CVE-2025-13432 | 2025-11-25 | N/A | 4.3 MEDIUM | ||
| Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3. | |||||
| CVE-2024-32983 | 1 Misskey | 1 Misskey | 2025-11-25 | N/A | 8.2 HIGH |
| Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0. | |||||
| CVE-2018-12369 | 2 Canonical, Mozilla | 2 Ubuntu Linux, Firefox | 2025-11-25 | 7.5 HIGH | 9.8 CRITICAL |
| WebExtensions bundled with embedded experiments were not correctly checked for proper authorization. This allowed a malicious WebExtension to gain full browser permissions. This vulnerability affects Firefox ESR < 60.1 and Firefox < 61. | |||||
| CVE-2025-64490 | 1 Salesagility | 1 Suitecrm | 2025-11-25 | N/A | 8.3 HIGH |
| SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and project screens, even when the related modules (Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, Calls) are explicitly set to Disabled/None in Role Management. This indicates inconsistent ACL/RBAC enforcement across modules and views, resulting in unauthorized data exposure and modification. This issue is fixed in versions 7.14.8 and 8.9.1. | |||||
| CVE-2025-62730 | 1 Soplanning | 1 Soplanning | 2025-11-24 | N/A | 8.8 HIGH |
| SOPlanning is vulnerable to Privilege Escalation in user management tab. Users with user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative permissions to any user including themselves. This allow a malicious authenticated attacker with this role to escalate to admin privileges. This issue affects both Bulk Update functionality and regular edition of user's right and privileges. This issue was fixed in version 1.55. | |||||
| CVE-2025-10611 | 1 Wso2 | 9 Api Control Plane, Api Manager, Identity Server and 6 more | 2025-11-21 | N/A | 9.8 CRITICAL |
| Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations. | |||||
| CVE-2025-13468 | 1 Oretnom23 | 1 Alumni Management System | 2025-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| A weakness has been identified in SourceCodester Alumni Management System 1.0. This issue affects the function delete_forum/delete_career/delete_comment/delete_gallery/delete_event of the file admin/admin_class.php of the component Delete Handler. Executing manipulation of the argument ID can lead to missing authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-62189 | 2025-11-21 | N/A | 4.3 MEDIUM | ||
| LogStare Collector contains an incorrect authorization vulnerability in UserRegistration. If exploited, a non-administrative user may create a new user account by sending a crafted HTTP request. | |||||
| CVE-2025-49145 | 1 Combodo | 1 Itop | 2025-11-21 | N/A | 8.7 HIGH |
| Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature. | |||||
| CVE-2025-64753 | 1 Getgrist | 1 Grist-core | 2025-11-20 | N/A | 5.3 MEDIUM |
| grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint. | |||||
| CVE-2025-59111 | 1 Windu | 1 Windu Cms | 2025-11-20 | N/A | 6.5 MEDIUM |
| Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2025-7736 | 1 Gitlab | 1 Gitlab | 2025-11-19 | N/A | 3.1 LOW |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers. | |||||
| CVE-2025-41346 | 1 Iest | 1 Winplus | 2025-11-19 | N/A | 9.8 CRITICAL |
| Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application. | |||||
| CVE-2025-11865 | 1 Gitlab | 1 Gitlab | 2025-11-19 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user. | |||||
| CVE-2025-65073 | 2025-11-18 | N/A | 7.5 HIGH | ||
| OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization. | |||||
| CVE-2025-64707 | 1 Frappe | 1 Learning | 2025-11-17 | N/A | 5.4 MEDIUM |
| Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, when admins revoked a role from the user, the effect was not immediate because of caching. The issue has been fixed in version 2.41.0 by ensuring the cache is cleared after roles are updated. | |||||
| CVE-2025-11777 | 1 Mattermost | 1 Mattermost Server | 2025-11-17 | N/A | 3.1 LOW |
| Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint | |||||