Total: 2516 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-69417 | Plex | Media Server | 2026-01-08 | 5.0 Medium | In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint. |
| CVE-2025-69414 | Plex | Media Server | 2026-01-08 | 8.5 High | Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call made with a transient access token. |
| CVE-2025-69416 | Plex | Media Server | 2026-01-08 | 5.0 Medium | In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml. |
| CVE-2020-36920 | | | 2026-01-08 | 8.8 High | iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by exploiting insecure direct object references. |
| CVE-2025-14352 | WordPress | WordPress | 2026-01-08 | 5.3 Medium | The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. The plugin relies solely on nonce verification without capability checks, so unauthenticated attackers who obtain a nonce from the public booking form can modify arbitrary booking records. |
| CVE-2025-15119 | Jeecg | Jeecg Boot, Jeecgboot | 2026-01-07 | 3.1 Low | A vulnerability was detected in JeecgBoot up to 3.9.0 in the function queryPageList of the file /sys/sysDepartRole/list. Manipulation of the argument deptId results in improper authorization. The attack can be executed remotely but has high complexity and is assessed as difficult to exploit. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. |
| CVE-2025-41246 | Microsoft, VMware | Windows, Tools | 2026-01-07 | 7.6 High | VMware Tools for Windows contains an improper authorization vulnerability in the way it handles user access controls. A malicious actor with non-administrative privileges on a guest VM, who is already authenticated through vCenter or ESX, may exploit this issue to access other guest VMs. Successful exploitation requires knowledge of credentials for the targeted VMs and for vCenter or ESX. |
| CVE-2025-14318 | M-Files | M-Files Server, Server | 2026-01-07 | 4.3 Medium | Improper access checks in M-Files Server before 25.12.15491.7 allow users to download files through M-Files Web using Web Companion despite the Print and Download Prevention module being enabled. |
| CVE-2025-15406 | PHPGurukul | Online Course Registration | 2026-01-05 | 6.3 Medium | A flaw has been found in PHPGurukul Online Course Registration up to 3.1 in an unknown function. The manipulation leads to missing authorization. The attack can be launched remotely. An exploit has been published and may be used. |
| CVE-2025-66378 | Pexip | Infinity, Pexip Infinity | 2026-01-05 | 5.9 Medium | Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node. |
| CVE-2025-58052 | Galette | Galette | 2026-01-05 | 8.1 High | Galette is a membership management web application for non-profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with the group manager role can bypass intended restrictions, allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group manager accounts. Version 1.2.0 fixes the issue. |
| CVE-2024-31452 | OpenFGA | OpenFGA | 2026-01-05 | 8.1 High | OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling the Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`). This vulnerability is fixed in v1.5.3. |
| CVE-2025-34467 | ZwiiCMS | ZwiiCMS | 2026-01-05 | N/A | ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected but, before the authorization check, acquires a temporary lock on the targeted resource and associates it with the attacker's session. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated. |
| CVE-2025-2515 | Eclipse | BlueChi | 2026-01-05 | 7.2 High | A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege escalation, unauthorized service execution, and potential system compromise. |
| CVE-2018-25146 | Microhardcorp | IPn4G | 2026-01-05 | 6.5 Medium | Microhard Systems IPn4G 1.1.0 contains a hidden, undocumented feature that allows authenticated attackers to list and manipulate running system processes. Attackers can send arbitrary signals to kill background processes and system services, potentially causing service disruption and requiring a device restart. |
| CVE-2025-14986 | Temporal | Temporal | 2026-01-05 | N/A | When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its own Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits and policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation and gating are performed under the wrong namespace context. This issue affects Temporal from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2 and 1.29.2. |
| CVE-2025-14987 | Temporal | Temporal | 2026-01-05 | N/A | When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the one authorized at the gRPC boundary. The frontend authorizes RespondWorkflowTaskCompleted based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in the command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace. This issue affects Temporal through 1.29.1. Fixed in 1.27.4, 1.28.2 and 1.29.2. |
| CVE-2025-9056 | Tecno | AudioLink, com.transsion.audiosmartconnect | 2026-01-02 | 5.3 Medium | An unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation. |
| CVE-2024-2231 | 2code | Himer | 2026-01-02 | 6.5 Medium | Himer allows any authenticated user to join a private group due to a missing authorization check on a function. |
| CVE-2024-6695 | Cozmoslabs | Profile Builder | 2026-01-02 | 9.8 Critical | In Profile Builder, it is possible for an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This is due to improper logic flow in the user registration process. |
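The two Temporal entries above (CVE-2025-14986 and CVE-2025-14987) share one failure pattern: the request is authorized on the outer namespace, but a later step reads a namespace embedded in the payload (the start request's Namespace field, or a command's target attributes) and acts on that instead. The Go program below is an added example written for this page, not Temporal's code; every type, function and error name in it (Caller, Server, MultiOpRequest, ApplyCommands and so on) is an assumed stand-in, and the tenant-a/tenant-b policy state is constructed sample data. It puts the vulnerable control flow beside the hardened one for both cases: the fixed start path rejects an embedded namespace that differs from the authorized one and validates under the authorized namespace; the fixed command path re-authorizes the caller for each command's target namespace.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed names for this example; none is a real Temporal type or API.
var (
	ErrUnauthorized      = errors.New("caller is not authorized for namespace")
	ErrNamespaceMismatch = errors.New("embedded namespace differs from authorized namespace")
	ErrLimitExceeded     = errors.New("namespace workflow limit exceeded")
)

type Caller map[string]bool                                // namespaces the gRPC-boundary identity may act in
type NamespacePolicy struct{ MaxWorkflows, Running int } // stand-in for per-namespace limits and feature gates
type StartRequest struct{ Namespace string }               // embedded StartWorkflowExecutionRequest
type MultiOpRequest struct {                                // ExecuteMultiOperationRequest
	Namespace string // the namespace the frontend authorizes
	Start     StartRequest
}
type Command struct{ Kind, TargetNamespace string } // workflow task command; target comes from its attributes
type TaskCompletion struct {                         // RespondWorkflowTaskCompleted
	Namespace string
	Commands  []Command
}
type Server struct{ Policies map[string]*NamespacePolicy }

func (s *Server) authorize(c Caller, ns string) error {
	if !c[ns] {
		return fmt.Errorf("namespace %q: %w", ns, ErrUnauthorized)
	}
	return nil
}

// validate applies a namespace's limits; an unknown namespace fails closed.
func (s *Server) validate(ns string) error {
	if p := s.Policies[ns]; p == nil || p.Running >= p.MaxWorkflows {
		return fmt.Errorf("namespace %q: %w", ns, ErrLimitExceeded)
	}
	return nil
}

// ExecuteMultiOpVulnerable follows the CVE-2025-14986 pattern: authorize the outer
// namespace, but run validation and gating under the embedded one.
func (s *Server) ExecuteMultiOpVulnerable(c Caller, req MultiOpRequest) (string, error) {
	if err := s.authorize(c, req.Namespace); err != nil {
		return "", err
	}
	if err := s.validate(req.Start.Namespace); err != nil {
		return "", err // the wrong namespace's limits decide the outcome
	}
	s.Policies[req.Namespace].Running++ // the workflow still lands in the outer namespace
	return req.Namespace, nil
}

// ExecuteMultiOpFixed rejects a mismatching embedded namespace and validates under
// the namespace the caller was actually authorized for.
func (s *Server) ExecuteMultiOpFixed(c Caller, req MultiOpRequest) (string, error) {
	if err := s.authorize(c, req.Namespace); err != nil {
		return "", err
	}
	if req.Start.Namespace != req.Namespace {
		return "", ErrNamespaceMismatch
	}
	if err := s.validate(req.Namespace); err != nil {
		return "", err
	}
	s.Policies[req.Namespace].Running++
	return req.Namespace, nil
}

// ApplyCommands models CVE-2025-14987: with strict=false only the outer namespace is
// checked and each command acts wherever its attributes point; with strict=true the
// caller is re-authorized for every command's target namespace.
func (s *Server) ApplyCommands(c Caller, tc TaskCompletion, strict bool) ([]string, error) {
	if err := s.authorize(c, tc.Namespace); err != nil {
		return nil, err
	}
	var targets []string
	for _, cmd := range tc.Commands {
		if strict {
			if err := s.authorize(c, cmd.TargetNamespace); err != nil {
				return nil, fmt.Errorf("%s: %w", cmd.Kind, err)
			}
		}
		targets = append(targets, cmd.TargetNamespace)
	}
	return targets, nil
}

// newDemoServer holds constructed sample state: tenant-a is at its limit, tenant-b is not.
func newDemoServer() *Server {
	return &Server{Policies: map[string]*NamespacePolicy{"tenant-a": {MaxWorkflows: 1, Running: 1}, "tenant-b": {MaxWorkflows: 10}}}
}

func main() {
	s, worker := newDemoServer(), Caller{"tenant-a": true}
	req := MultiOpRequest{Namespace: "tenant-a", Start: StartRequest{Namespace: "tenant-b"}}
	_, vulnErr := s.ExecuteMultiOpVulnerable(worker, req)
	_, fixedErr := s.ExecuteMultiOpFixed(worker, req)
	fmt.Println("vulnerable accepted:", vulnErr == nil, "| fixed:", fixedErr)
}
```

The general rule the two fixed paths apply is that the context established at the authorization boundary is the only one downstream code may use for policy, limits and dispatch; any namespace, tenant or owner identifier carried inside the payload is untrusted input that must either equal the authorized context or be authorized on its own before it is acted upon.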