Total
1108 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13125 | 2025-12-10 | 4.3 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Exploitation of Trusted Identifiers.This issue affects DijiDemi: through 28.11.2025. | ||||
| CVE-2025-41358 | 2025-12-10 | N/A | ||
| Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'. | ||||
| CVE-2025-67594 | 2025-12-09 | 4.3 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in ThimPress Thim Elementor Kit thim-elementor-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Thim Elementor Kit: from n/a through <= 1.3.3. | ||||
| CVE-2025-66551 | 1 Nextcloud | 1 Tables | 2025-12-09 | 6.3 Medium |
| Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victims table. This vulnerability is fixed in 0.8.6 and 0.9.3. | ||||
| CVE-2025-12997 | 1 Medtronic | 1 Carelink Network | 2025-12-09 | 2.2 Low |
| Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: before December 4, 2025. | ||||
| CVE-2025-66513 | 1 Nextcloud | 1 Tables | 2025-12-09 | 4.3 Medium |
| Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information which table (numeric ID) is shared with which groups or users and the respective permissions was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1. | ||||
| CVE-2025-64497 | 1 Enalean | 1 Tuleap | 2025-12-09 | 6.5 Medium |
| Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition. | ||||
| CVE-2025-63065 | 2025-12-09 | 5.4 Medium | ||
| Authorization Bypass Through User-Controlled Key vulnerability in David Lingren Media Library Assistant media-library-assistant allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Media Library Assistant: from n/a through <= 3.30. | ||||
| CVE-2025-66553 | 1 Nextcloud | 1 Tables | 2025-12-09 | 4.3 Medium |
| Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4. | ||||
| CVE-2025-66556 | 1 Nextcloud | 1 Talk | 2025-12-09 | 3.5 Low |
| Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2. | ||||
| CVE-2025-66558 | 1 Nextcloud | 2 Two-factor Webauthn, Twofactor Webauthn | 2025-12-09 | 3.1 Low |
| Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1. | ||||
| CVE-2025-66546 | 1 Nextcloud | 1 Calendar | 2025-12-09 | 3.3 Low |
| Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a squential ID without known the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1. | ||||
| CVE-2025-66547 | 1 Nextcloud | 4 Nextcloud, Nextcloud Enterprise Server, Nextcloud Server and 1 more | 2025-12-09 | 4.3 Medium |
| Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1. | ||||
| CVE-2025-13748 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 5.3 Medium |
| The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier. | ||||
| CVE-2024-50395 | 1 Qnap | 1 Media Streaming Add-on | 2025-12-08 | 8.8 High |
| An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow local network attackers to gain privilege. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later | ||||
| CVE-2025-13932 | 1 Soliscloud | 1 Monitoring Platform | 2025-12-08 | N/A |
| The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request. | ||||
| CVE-2025-61148 | 1 Edupluscampus | 1 Student Payment Api | 2025-12-08 | 6.5 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students personal and financial records by modifying the 'rec_no' parameter in the /student/get-receipt endpoint. | ||||
| CVE-2024-29194 | 1 Hackerbay | 1 Oneuptime | 2025-12-05 | 8.3 High |
| OneUptime is a solution for monitoring and managing online services. The vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the is_master_admin key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation. This has been patched in 7.0.1815. | ||||
| CVE-2025-65672 | 1 Classroomio | 1 Classroomio | 2025-12-05 | 7.5 High |
| Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings. | ||||
| CVE-2025-65096 | 1 Rommapp | 1 Romm | 2025-12-04 | N/A |
| RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership verification or checking if the collection is public/private before returning collection data. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | ||||