Total
4284 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13573 | 1 Projectworlds | 2 Advanced Library Management System, Can Pass Malicious Payloads | 2025-12-02 | 6.3 Medium |
| A security flaw has been discovered in projectworlds can pass malicious payloads up to 1.0. This vulnerability affects unknown code of the file /add_book.php. The manipulation of the argument image results in unrestricted upload. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-13574 | 2 Code-projects, Fabian | 2 Online Bidding System, Online Bidding System | 2025-12-02 | 4.7 Medium |
| A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-48983 | 1 Veeam | 2 Backup And Replication, Veeam Backup \& Replication | 2025-12-01 | 10 Critical |
| A vulnerability in the Mount service of Veeam Backup & Replication, which allows for remote code execution (RCE) on the Backup infrastructure hosts by an authenticated domain user. | ||||
| CVE-2025-65276 | 1 Hashtech Project | 1 Hashtech | 2025-12-01 | 9.8 Critical |
| An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 thru commit 5919decaff2681dc250e934814fc3a35f6093ee5 (2021-07-02). Due to missing authentication checks on /admin_index.php, an attacker can directly access the admin dashboard without valid credentials. This allows full administrative control including viewing/modifying user accounts, managing orders, changing payments, and editing product listings. Successful exploitation can lead to information disclosure, data manipulation, and privilege escalation. | ||||
| CVE-2025-13804 | 1 Nutzam | 1 Nutzboot | 2025-12-01 | 4.3 Medium |
| A security flaw has been discovered in nutzam NutzBoot up to 2.6.0-SNAPSHOT. The impacted element is an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Ethereum Wallet Handler. Performing manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-65963 | 1 Humhub | 1 Files | 2025-12-01 | 5.4 Medium |
| Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2. | ||||
| CVE-2025-65239 | 1 Opencode Systems | 1 Ussd Gateway | 2025-12-01 | 4.3 Medium |
| Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs. | ||||
| CVE-2025-66223 | 1 Openobserve | 1 Openobserve | 2025-12-01 | N/A |
| OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issued links remain valid simultaneously. This results in broken access control where a removed or demoted user can regain access or escalate privileges. This issue has been patched in version 0.16.0. | ||||
| CVE-2025-63958 | 1 Millensys | 1 Vision Tools Workspace | 2025-12-01 | 9.8 Critical |
| MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged administrative function. | ||||
| CVE-2025-64064 | 1 Primakon | 2 Pi Portal, Project Contract Management | 2025-12-01 | 8.8 High |
| Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls any low level user can use this API and change their permission to Administrator by using PP_SECURITY_PROFILE_ID=2 inside body of request and escalate privileges. | ||||
| CVE-2025-64066 | 1 Primakon | 2 Pi Portal, Project Contract Management | 2025-12-01 | 8.6 High |
| Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. This vector can also be chained with other vulnerabilities for privilege escalation and complete compromise of application. This specific request can be used to also enumerate already registered user accounts, aiding in social engineering or further targeted attacks. | ||||
| CVE-2024-23681 | 1 Ls1intum | 1 Artemis Java Test Sandbox | 2025-11-28 | 8.2 High |
| Artemis Java Test Sandbox versions before 1.11.2 are vulnerable to a sandbox escape when an attacker loads untrusted libraries using System.load or System.loadLibrary. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code. | ||||
| CVE-2024-53010 | 1 Qualcomm | 386 Aqt1000, Aqt1000 Firmware, Ar8035 and 383 more | 2025-11-28 | 7.8 High |
| Memory corruption may occur while attaching VM when the HLOS retains access to VM. | ||||
| CVE-2025-27062 | 1 Qualcomm | 307 315 5g Iot Modem, 315 5g Iot Modem Firmware, Apq8064au and 304 more | 2025-11-28 | 7.8 High |
| Memory corruption while handling client exceptions, allowing unauthorized channel access. | ||||
| CVE-2025-24314 | 1 Intel | 2 Cip Software, Computing Improvement Program | 2025-11-26 | 2 Low |
| Improper access control for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via network access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | ||||
| CVE-2025-31216 | 1 Apple | 3 Ios, Ipados, Iphone Os | 2025-11-26 | 2.4 Low |
| The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5. An attacker with physical access to a device may be able to override managed Wi-Fi profiles. | ||||
| CVE-2025-64660 | 1 Microsoft | 1 Visual Studio Code | 2025-11-26 | 8 High |
| Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network. | ||||
| CVE-2025-47179 | 1 Microsoft | 4 Configuration Manager, Configuration Manager 2403, Configuration Manager 2409 and 1 more | 2025-11-25 | 6.7 Medium |
| Improper access control in Microsoft Configuration Manager allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-60705 | 1 Microsoft | 27 Windows, Windows 10, Windows 10 1607 and 24 more | 2025-11-25 | 7.8 High |
| Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59512 | 1 Microsoft | 24 Windows, Windows 10, Windows 10 1607 and 21 more | 2025-11-25 | 7.8 High |
| Improper access control in Customer Experience Improvement Program (CEIP) allows an authorized attacker to elevate privileges locally. | ||||