Total
2367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-6892 | 2025-10-21 | N/A | N/A | ||
| An Incorrect Authorization vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended for administrative functions. This vulnerability can be exploited after a legitimate user has logged in, as the system fails to properly validate session context or privilege boundaries. An attacker may leverage this flaw to perform unauthorized privileged operations. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems. | |||||
| CVE-2025-48044 | 2025-10-21 | N/A | N/A | ||
| Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/[email protected] before pkg:hex/[email protected], from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d. | |||||
| CVE-2025-36546 | 1 F5 | 2 F5os-a, F5os-c | 2025-10-21 | N/A | 8.1 HIGH |
| On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is still allowed. For an attacker to exploit this vulnerability they must obtain the root user's SSH private key. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2025-9955 | 1 Wso2 | 2 Enterprise Integrator, Enterprise Service Bus | 2025-10-21 | N/A | 5.7 MEDIUM |
| An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user can access log data and user-store configuration details that are not intended to be exposed at that privilege level. While no credentials or sensitive user information are exposed, this vulnerability may allow unauthorized visibility into internal operational details, which could aid in further exploitation or reconnaissance. | |||||
| CVE-2025-10545 | 1 Mattermost | 1 Mattermost Server | 2025-10-21 | N/A | 3.1 LOW |
| Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint | |||||
| CVE-2025-46265 | 1 F5 | 2 F5os-a, F5os-c | 2025-10-21 | N/A | 8.8 HIGH |
| On F5OS, an improper authorization vulnerability exists where remotely authenticated users (LDAP, RADIUS, TACACS+) may be authorized with higher privilege F5OS roles. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2025-11340 | 1 Gitlab | 1 Gitlab | 2025-10-20 | N/A | 7.7 HIGH |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations. | |||||
| CVE-2025-54267 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-10-20 | N/A | 6.5 MEDIUM |
| Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to elevated privileges that increase integrity impact to high. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-54265 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-10-20 | N/A | 5.9 MEDIUM |
| Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-54263 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-10-20 | N/A | 8.1 HIGH |
| Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-1214 | 1 Pihome | 1 Maxair | 2025-10-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in pihome-shc PiHome 2.0. This affects an unknown part of the file /user_accounts.php?uid of the component Role-Based Access Control. The manipulation leads to missing authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-46544 | 1 Sherparpa | 1 Sherpa Orchestrator | 2025-10-15 | N/A | 6.4 MEDIUM |
| In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles. | |||||
| CVE-2024-6592 | 1 Watchguard | 2 Authentication Gateway, Single Sign-on Client | 2025-10-15 | N/A | 9.1 CRITICAL |
| Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on Windows and MacOS allows Authentication Bypass.This issue affects the Authentication Gateway: through 12.10.2; Windows Single Sign-On Client: through 12.7; MacOS Single Sign-On Client: through 12.5.4. | |||||
| CVE-2024-45260 | 1 Gl-inet | 42 A1300, A1300 Firmware, Ar300m and 39 more | 2025-10-15 | N/A | 8.0 HIGH |
| An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Users who belong to unauthorized groups can invoke any interface of the device, thereby gaining complete control over it. | |||||
| CVE-2024-45261 | 1 Gl-inet | 42 A1300, A1300 Firmware, Ar300m and 39 more | 2025-10-15 | N/A | 8.0 HIGH |
| An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The SID generated for a specific user is not tied to that user itself, which allows other users to potentially use it for authentication. Once an attacker bypasses the application's authentication procedures, they can generate a valid SID, escalate privileges, and gain full control. | |||||
| CVE-2025-1792 | 1 Mattermost | 1 Mattermost Server | 2025-10-15 | N/A | 3.1 LOW |
| Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint. | |||||
| CVE-2024-9098 | 1 Lunary | 1 Lunary | 2025-10-15 | N/A | 6.1 MEDIUM |
| In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the user creation endpoint does not restrict admins from inviting users with billing roles. As a result, admins can circumvent the intended access control, posing a risk to the organization's financial resources. | |||||
| CVE-2024-7048 | 1 Openwebui | 1 Open Webui | 2025-10-15 | N/A | 5.4 MEDIUM |
| In version v0.3.8 of open-webui, an improper privilege management vulnerability exists in the API endpoints GET /api/v1/documents/ and POST /rag/api/v1/doc. This vulnerability allows a lower-privileged user to access and overwrite files managed by a higher-privileged admin. By exploiting this vulnerability, an attacker can view metadata of files uploaded by an admin and overwrite these files, compromising the integrity and availability of the RAG models. | |||||
| CVE-2024-7039 | 1 Openwebui | 1 Open Webui | 2025-10-15 | N/A | 6.7 MEDIUM |
| In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an admin, to delete other administrators via the API endpoint `http://0.0.0.0:8080/api/v1/users/{uuid_administrator}`. This action is restricted by the user interface but can be performed through direct API calls. | |||||
| CVE-2024-6086 | 1 Lunary | 1 Lunary | 2025-10-15 | N/A | 4.3 MEDIUM |
| In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization. | |||||