Total: 4284 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-23367 | 1 Redhat | 8 Build Keycloak, Jboss Data Grid, Jboss Enterprise Application Platform and 5 more | 2025-12-06 | 6.5 Medium |
| A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action. | ||||
| CVE-2024-5814 | 1 Wolfssl | 1 Wolfssl | 2025-12-06 | 5.3 Medium |
| A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500 | ||||
| CVE-2025-13785 | 1 Yungifez | 2 Skuul, Skuul School Management System | 2025-12-06 | 4.3 Medium |
| A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosure. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-63363 | 1 Waveshare | 1 Rs232/485 To Wifi Eth B | 2025-12-05 | 7.5 High |
| A lack of Management Frame Protection in Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to execute de-authentication attacks, allowing crafted deauthentication and disassociation frames to be broadcast without authentication or encryption. | ||||
| CVE-2025-57213 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | 7.5 High |
| Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | ||||
| CVE-2025-57212 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | 7.5 High |
| Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | ||||
| CVE-2025-57210 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | 7.5 High |
| Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors. | ||||
| CVE-2025-66557 | 1 Nextcloud | 1 Deck | 2025-12-05 | 5.4 Medium |
| Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2. | ||||
| CVE-2025-14086 | 1 Youlai | 1 Youlai-mall | 2025-12-05 | 6.3 Medium |
| A vulnerability was found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is an unknown function of the file /app-api/v1/members/openid/. The manipulation of the argument openid results in improper access controls. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-46608 | 1 Dell | 1 Data Lakehouse | 2025-12-05 | 9.1 Critical |
| Dell Data Lakehouse, versions prior to 1.6.0.0, contain(s) an Improper Access Control vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. This vulnerability is considered Critical, as it may result in unauthorized access with elevated privileges, compromising system integrity and customer data. Dell recommends customers upgrade to the latest version at the earliest opportunity. | ||||
| CVE-2025-54338 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-12-05 | 7.5 High |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to disclose user hashes. | ||||
| CVE-2025-54563 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-12-05 | 7.5 High |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Incorrect Access Control, leading to Remote Information Disclosure. | ||||
| CVE-2025-63681 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2025-12-05 | 4.3 Medium |
| open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks. | ||||
| CVE-2025-57489 | 2 Shirt-pocket, Shirt Pocket | 2 Superduper\!, Superduper | 2025-12-05 | 8.1 High |
| Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary. | ||||
| CVE-2025-65841 | 2 Acusticaudio, Apple | 2 Aquarius Desktop, Macos | 2025-12-05 | 6.2 Medium |
| Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through predictable byte-substitution that can be trivially reversed, allowing immediate recovery of the plaintext value. Any attacker who can read this settings file can fully compromise the victim's Aquarius account by importing the stolen configuration into their own client or login through the vendor website. This results in complete account takeover, unauthorized access to cloud-synchronized data, and the ability to perform authenticated actions as the user. | ||||
| CVE-2025-14052 | 1 Youlai | 1 Youlai-mall | 2025-12-05 | 6.3 Medium |
| A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected by this vulnerability is the function getMemberById of the file /mall-ums/app-api/v1/members/. The manipulation of the argument memberId leads to improper access controls. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-66509 | 1 Laradashboard | 1 Laradashboard | 2025-12-05 | N/A |
| LaraDashboard is an all-in-one solution to start a Laravel application. In 2.3.0 and earlier, the password reset flow trusts the Host header, allowing attackers to redirect the administrator's reset token to an attacker-controlled server. This can be combined with the module installation process to automatically execute the ServiceProvider::boot() method, enabling arbitrary PHP code execution. | ||||
| CVE-2025-55469 | 1 Youlai | 1 Youlai-boot | 2025-12-05 | 9.8 Critical |
| Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend. | ||||
| CVE-2025-55471 | 1 Youlai | 1 Youlai-boot | 2025-12-05 | 7.5 High |
| Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users. | ||||
| CVE-2025-66028 | 2 Hackerbay, Oneuptime | 2 Oneuptime, Oneuptime | 2025-12-05 | 8.2 High |
| OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567. | ||||