Export limit exceeded: 10918 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10918 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-63691 | 2 Pig-mesh, Pig4cloud | 2 Pig, Pig | 2025-12-08 | 9.6 Critical |
| In pig-mesh In Pig version 3.8.2 and below, within the Token Management function under the System Management module, the token query interface (/api/admin/sys-token/page) has an improper permission verification issue, which leads to information leakage. This interface can be called by any user who has completed login authentication, and it returns the plaintext authentication Tokens of all users currently logged in to the system. As a result, ordinary users can obtain the administrator's authentication Token through this interface, thereby forging an administrator account, gaining the system's management permissions, and taking over the system. | ||||
| CVE-2025-64746 | 2 Directus, Monospace | 2 Directus, Directus | 2025-12-08 | 4.6 Medium |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue. | ||||
| CVE-2025-12760 | 2 Drupal, Email Tfa Project | 3 Drupal, Email Tfa, Email Tfa | 2025-12-08 | 5.4 Medium |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass.This issue affects Email TFA: from 0.0.0 before 2.0.6. | ||||
| CVE-2025-12331 | 2 Matthewdeaves, Willow Cms | 2 Willow Cms, Willow Cms | 2025-12-08 | 4.7 Medium |
| A weakness has been identified in Willow CMS up to 1.4.0. Impacted is an unknown function of the file /admin/images/add. This manipulation causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2024-5814 | 1 Wolfssl | 1 Wolfssl | 2025-12-06 | 5.3 Medium |
| A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500 | ||||
| CVE-2025-13785 | 1 Yungifez | 2 Skuul, Skuul School Management System | 2025-12-06 | 4.3 Medium |
| A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-57213 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | 7.5 High |
| Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | ||||
| CVE-2025-57212 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | 7.5 High |
| Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | ||||
| CVE-2025-57210 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | 7.5 High |
| Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors. | ||||
| CVE-2023-47222 | 1 Qnap | 1 Media Streaming Add-on | 2025-12-05 | 9.6 Critical |
| An exposure of sensitive information vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.5 ( 2024/01/22 ) and later | ||||
| CVE-2025-46608 | 1 Dell | 1 Data Lakehouse | 2025-12-05 | 9.1 Critical |
| Dell Data Lakehouse, versions prior to 1.6.0.0, contain(s) an Improper Access Control vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. This vulnerability is considered Critical, as it may result in unauthorized access with elevated privileges, compromising system integrity and customer data. Dell recommends customers upgrade to the latest version at the earliest opportunity. | ||||
| CVE-2025-54338 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-12-05 | 7.5 High |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to disclose user hashes. | ||||
| CVE-2025-54563 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-12-05 | 7.5 High |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Incorrect Access Control, leading to Remote Information Disclosure. | ||||
| CVE-2025-63681 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2025-12-05 | 4.3 Medium |
| open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks. | ||||
| CVE-2024-2873 | 1 Wolfssh | 1 Wolfssh | 2025-12-05 | 9.1 Critical |
| A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access. | ||||
| CVE-2025-57489 | 2 Shirt-pocket, Shirt Pocket | 2 Superduper\!, Superduper | 2025-12-05 | 8.1 High |
| Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary. | ||||
| CVE-2025-55469 | 1 Youlai | 1 Youlai-boot | 2025-12-05 | 9.8 Critical |
| Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend. | ||||
| CVE-2025-55471 | 1 Youlai | 1 Youlai-boot | 2025-12-05 | 7.5 High |
| Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users. | ||||
| CVE-2025-65966 | 2 Hackerbay, Oneuptime | 2 Oneuptime, Oneuptime | 2025-12-05 | 8.1 High |
| OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0. | ||||
| CVE-2025-66028 | 2 Hackerbay, Oneuptime | 2 Oneuptime, Oneuptime | 2025-12-05 | 8.2 High |
| OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567. | ||||