Total
1053 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-12347 | 2 Guangzhou Huayi Intelligent Technology, Huayi-tec | 2 Jeewms, Jeewms | 2025-09-11 | 5.3 Medium |
| A vulnerability was found in Guangzhou Huayi Intelligent Technology Jeewms up to 1.0.0 and classified as critical. This issue affects some unknown processing of the file /jeewms_war/webpage/system/druid/index.html of the component Druid Monitoring Interface. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8756 | 1 Tduckcloud | 1 Tduck-platform | 2025-09-11 | 6.3 Medium |
| A vulnerability has been found in TDuckCloud tduck-platform up to 5.1 and classified as critical. Affected by this vulnerability is the function preHandle of the file /manage/ of the component com.tduck.cloud.api.web.interceptor.AuthorizationInterceptor. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-9602 | 2 Rockoa, Xinhu | 2 Rockoa, Rockoa | 2025-09-11 | 6.3 Medium |
| A vulnerability was found in Xinhu RockOA up to 2.6.9. Impacted is the function publicsaveAjax of the file /index.php. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | ||||
| CVE-2025-29927 | 1 Vercel | 1 Next.js | 2025-09-10 | 9.1 Critical |
| Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3. | ||||
| CVE-2024-51479 | 2 Redhat, Vercel | 2 Trusted Artifact Signer, Next.js | 2025-09-10 | 7.5 High |
| Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability. | ||||
| CVE-2025-29827 | 1 Microsoft | 1 Azure Automation | 2025-09-10 | 9.9 Critical |
| Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-21275 | 1 Microsoft | 8 Windows 10 21h2, Windows 10 22h2, Windows 11 22h2 and 5 more | 2025-09-09 | 7.8 High |
| Windows App Package Installer Elevation of Privilege Vulnerability | ||||
| CVE-2025-21348 | 1 Microsoft | 1 Sharepoint Server | 2025-09-09 | 7.2 High |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | ||||
| CVE-2025-8840 | 2 Jishenghua, Jsherp Project | 2 Jsherp, Jserp | 2025-09-09 | 5.4 Medium |
| A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Different than CVE-2025-7947. | ||||
| CVE-2025-8839 | 2 Jishenghua, Jsherp Project | 2 Jsherp, Jsherp | 2025-09-09 | 6.3 Medium |
| A vulnerability was found in jshERP up to 3.5. This issue affects some unknown processing of the file /jshERP-boot/user/addUser of the component Endpoint. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-10073 | 1 Portabilis | 1 I-educar | 2025-09-09 | 4.3 Medium |
| A vulnerability was determined in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/Api/turma. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-9835 | 1 Macrozheng | 1 Mall | 2025-09-05 | 4.3 Medium |
| A vulnerability has been found in macrozheng mall up to 1.0.3. This affects the function cancelOrder of the file /order/cancelUserOrder. The manipulation of the argument orderId leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-9609 | 1 Portabilis | 1 I-educar | 2025-09-04 | 6.3 Medium |
| A vulnerability was found in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /educacenso/consulta. The manipulation results in improper authorization. The attack can be executed remotely. The exploit has been made public and could be used. | ||||
| CVE-2025-9687 | 1 Portabilis | 1 I-educar | 2025-09-04 | 6.3 Medium |
| A weakness has been identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/HistoricoEscolar/processamentoApi. Executing manipulation can lead to improper authorization. The attack may be performed from a remote location. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-9937 | 1 Elunez | 1 Eladmin | 2025-09-04 | 5.4 Medium |
| A security flaw has been discovered in elunez eladmin 1.1. Impacted is the function deleteFile of the component LocalStorageController. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-8547 | 2 Atjiu, Pybbs Project | 2 Pybbs, Pybbs | 2025-09-03 | 5.3 Medium |
| A vulnerability has been found in atjiu pybbs up to 6.0.0 and classified as critical. This vulnerability affects unknown code of the component Email Verification Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 044f22893bee254dc2bb0d30f614913fab3c22c2. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2025-8755 | 1 Macrozheng | 1 Mall | 2025-09-02 | 5.3 Medium |
| A vulnerability was found in macrozheng mall up to 1.0.3 and classified as problematic. This issue affects the function detail of the file UmsMemberController.java of the component com.macro.mall.portal.controller. The manipulation of the argument orderId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8791 | 2 Litmus Project, Litmuschaos | 2 Litmus, Litmus | 2025-09-02 | 6.3 Medium |
| A vulnerability was found in LitmusChaos Litmus up to 3.19.0. It has been rated as critical. This issue affects some unknown processing of the file /auth/list_projects. The manipulation of the argument role leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8794 | 2 Litmus Project, Litmuschaos | 2 Litmus, Litmus | 2025-09-02 | 5.3 Medium |
| A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. The manipulation of the argument projectID leads to authorization bypass. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-8147 | 2 Aurelienlws, Wordpress | 2 Lwscache, Wordpress | 2025-09-01 | 4.3 Medium |
| The LWSCache plugin for WordPress is vulnerable to unauthorized modification of data due to improper authorization on the lwscache_activatePlugin() function in all versions up to, and including, 2.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate arbitrary whitelisted LWS plugins. | ||||