Export limit exceeded: 346537 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10563 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-41410 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-21 | 5.4 Medium |
| Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions | ||||
| CVE-2024-2035 | 2 Zenml, Zenmlio | 2 Zenml, Zenml | 2025-10-21 | 6.5 Medium |
| An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application. | ||||
| CVE-2024-7475 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary-ai\/lunary | 2025-10-21 | 9.1 Critical |
| An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user information. Appropriate access controls should be implemented to ensure that the SAML configuration can only be updated by authorized users. | ||||
| CVE-2025-11340 | 1 Gitlab | 1 Gitlab | 2025-10-20 | 7.7 High |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations. | ||||
| CVE-2022-20360 | 1 Google | 1 Android | 2025-10-20 | 6.2 Medium |
| In setChecked of SecureNfcPreferenceController.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-228314987 | ||||
| CVE-2025-54265 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-10-20 | 5.9 Medium |
| Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. | ||||
| CVE-2022-0363 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 4.3 Medium |
| The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts. | ||||
| CVE-2022-0287 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 4.3 Medium |
| The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog | ||||
| CVE-2022-1092 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 4.3 Medium |
| The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog | ||||
| CVE-2025-1214 | 1 Pihome | 1 Maxair | 2025-10-17 | 6.3 Medium |
| A vulnerability classified as critical has been found in pihome-shc PiHome 2.0. This affects an unknown part of the file /user_accounts.php?uid of the component Role-Based Access Control. The manipulation leads to missing authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2042 | 1 Huang-yk | 1 Student-manage | 2025-10-15 | 4.3 Medium |
| A vulnerability has been found in huang-yk student-manage 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3843 | 1 Panhainan | 1 Ds-java | 2025-10-15 | 4.3 Medium |
| A vulnerability was found in panhainan DS-Java 1.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-46544 | 1 Sherparpa | 1 Sherpa Orchestrator | 2025-10-15 | 6.4 Medium |
| In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles. | ||||
| CVE-2024-6592 | 1 Watchguard | 2 Authentication Gateway, Single Sign-on Client | 2025-10-15 | 9.1 Critical |
| Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on Windows and MacOS allows Authentication Bypass.This issue affects the Authentication Gateway: through 12.10.2; Windows Single Sign-On Client: through 12.7; MacOS Single Sign-On Client: through 12.5.4. | ||||
| CVE-2024-45260 | 1 Gl-inet | 62 A1300, A1300 Firmware, Ar300m and 59 more | 2025-10-15 | 8 High |
| An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Users who belong to unauthorized groups can invoke any interface of the device, thereby gaining complete control over it. | ||||
| CVE-2024-45261 | 1 Gl-inet | 62 A1300, A1300 Firmware, Ar300m and 59 more | 2025-10-15 | 8 High |
| An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The SID generated for a specific user is not tied to that user itself, which allows other users to potentially use it for authentication. Once an attacker bypasses the application's authentication procedures, they can generate a valid SID, escalate privileges, and gain full control. | ||||
| CVE-2025-21691 | 1 Linux | 1 Linux Kernel | 2025-10-15 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: cachestat: fix page cache statistics permission checking When the 'cachestat()' system call was added in commit cf264e1329fb ("cachestat: implement cachestat syscall"), it was meant to be a much more convenient (and performant) version of mincore() that didn't need mapping things into the user virtual address space in order to work. But it ended up missing the "check for writability or ownership" fix for mincore(), done in commit 134fca9063ad ("mm/mincore.c: make mincore() more conservative"). This just adds equivalent logic to 'cachestat()', modified for the file context (rather than vma). | ||||
| CVE-2025-1792 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-15 | 3.1 Low |
| Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint. | ||||
| CVE-2025-3808 | 1 Zhenfeng13 | 1 My-bbs | 2025-10-15 | 4.3 Medium |
| A vulnerability has been found in zhenfeng13 My-BBS 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints might be affected. | ||||
| CVE-2024-9098 | 1 Lunary | 1 Lunary | 2025-10-15 | 6.1 Medium |
| In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the user creation endpoint does not restrict admins from inviting users with billing roles. As a result, admins can circumvent the intended access control, posing a risk to the organization's financial resources. | ||||