Search Results (11360 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-65841 | 3 Acustica-audio, Acusticaudio, Apple | 3 Aquarius, Aquarius Desktop, Macos | 2025-12-18 | 6.2 Medium |
| Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through a predictable byte-substitution that can be trivially reversed, allowing immediate recovery of the plaintext value. Any attacker who can read this settings file can fully compromise the victim's Aquarius account by importing the stolen configuration into their own client or by logging in through the vendor website. This results in complete account takeover, unauthorized access to cloud-synchronized data, and the ability to perform authenticated actions as the user. | ||||
| CVE-2025-67791 | 1 Drivelock | 1 Drivelock | 2025-12-18 | 9.8 Critical |
| An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 through 25.1.*. An incomplete configuration (agent authentication) in DriveLock tenant allows attackers to impersonate any DriveLock agent on the network against the DES (DriveLock Enterprise Service). | ||||
| CVE-2025-67789 | 1 Drivelock | 1 Drivelock | 2025-12-18 | 5.3 Medium |
| An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Authenticated users can retrieve the computer count of other DriveLock tenants via the DriveLock API. | ||||
| CVE-2025-66397 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | 8.3 High |
| ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffer from broken access control, allowing any authenticated user to allow and accept kiosk registrations and to perform other Kiosk Manager actions such as reload and identify. Version 6.5.3 fixes the issue. | ||||
| CVE-2023-6068 | 1 Arista | 12 7130-32lb, 7130-32lba, 7130-48eh and 9 more | 2025-12-18 | 3.1 Low |
| On affected 7130 Series FPGA platforms running MOS and recent versions of the MultiAccess FPGA, application of ACLs may result in incorrect operation of the configured ACL for a port, resulting in some packets that should be denied being permitted and some | ||||
| CVE-2025-65779 | 1 Wekan Project | 1 Wekan | 2025-12-18 | 7.5 High |
| An issue was discovered in Wekan, the open source kanban board system, up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards. | ||||
| CVE-2025-65780 | 1 Wekan Project | 1 Wekan | 2025-12-18 | 8.8 High |
| An issue was discovered in Wekan, the open source kanban board system, up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side authorization checks; this enables privilege escalation and unauthorized access to other teams/orgs. | ||||
| CVE-2025-65781 | 1 Wekan Project | 1 Wekan | 2025-12-18 | 8.2 High |
| An issue was discovered in Wekan, the open source kanban board system, up to version 18.15, fixed in 18.16. The attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial application-layer DoS and latent identity spoofing. | ||||
| CVE-2024-35248 | 1 Microsoft | 3 Dynamics 365 Business Central, Dynamics 365 Business Central 2023, Dynamics 365 Business Central 2024 | 2025-12-17 | 7.3 High |
| Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | ||||
| CVE-2024-29060 | 1 Microsoft | 3 Visual Studio 2017, Visual Studio 2019, Visual Studio 2022 | 2025-12-17 | 6.7 Medium |
| Visual Studio Elevation of Privilege Vulnerability | ||||
| CVE-2025-47222 | 1 Keyfactor | 1 Signserver | 2025-12-17 | 6.5 Medium |
| A class name enumeration issue was found in Keyfactor SignServer versions prior to 7.3.2. Setting an arbitrary class name on any property that requires a class path yields a different error depending on whether that class exists in the deployment, which it should not. The error responses therefore tell the client which classes are loaded in the application. | ||||
| CVE-2025-47221 | 1 Keyfactor | 1 Signserver | 2025-12-17 | 5.3 Medium |
| An arbitrary file write was found in Keyfactor SignServer versions prior to 7.3.2. The properties ARCHIVETODISK_FILENAME-PATTERN, ARCHIVETODISK_PATH_BASE, and ARCHIVETODISK_PATH_PATTERN can be set to any path, including paths that point to files that already exist. This gives a user with admin access the ability to write files in arbitrary directories on the server file system and potentially overwrite files accessible to the local JBoss user. | ||||
| CVE-2025-47220 | 1 Keyfactor | 1 Signserver | 2025-12-17 | 5.3 Medium |
| A local file enumeration was found in Keyfactor SignServer versions prior to 7.3.2. The property VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH, which exists in the PDFSigner and the PAdESSigner, can be set by an admin user to any path without restriction. If the provided path points to an existing file that is readable by the user running the application server but is not in a recognized image format, the error returned to the client confirms that the file exists. | ||||
| CVE-2025-55895 | 1 Totolink | 4 A3300r, A3300r Firmware, N200re and 1 more | 2025-12-17 | 9.1 Critical |
| TOTOLINK A3300R V17.0.0cu.557_B20221024 and N200RE V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519 are vulnerable to Incorrect Access Control. Remote attackers can send payloads to the interface without logging in. | ||||
| CVE-2025-67642 | 1 Jenkins | 1 Hashicorp Vault | 2025-12-17 | 4.3 Medium |
| Jenkins HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to. | ||||
| CVE-2025-67715 | 1 Weblate | 1 Weblate | 2025-12-17 | 4.3 Medium |
| Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue. | ||||
| CVE-2025-63363 | 1 Waveshare | 3 Rs232/485 To Wifi Eth B, Rs232/485 To Wifi Eth (b), Rs232/485 To Wifi Eth (b) Firmware | 2025-12-16 | 7.5 High |
| A lack of Management Frame Protection in Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to carry out de-authentication attacks, because crafted deauthentication and disassociation frames can be broadcast without authentication or encryption. | ||||
| CVE-2025-14642 | 2 Carmelo, Code-projects | 2 Computer Laboratory System, Computer Laboratory System | 2025-12-16 | 4.7 Medium |
| A vulnerability has been found in code-projects Computer Laboratory System 1.0. Impacted is an unknown function of the file technical_staff_pic.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-14641 | 2 Carmelo, Code-projects | 2 Computer Laboratory System, Computer Laboratory System | 2025-12-16 | 4.7 Medium |
| A flaw has been found in code-projects Computer Laboratory System 1.0. This issue affects some unknown processing of the file admin/admin_pic.php. This manipulation of the argument image causes unrestricted upload. The attack may be initiated remotely. The exploit has been published and may be used. | ||||
| CVE-2025-14530 | 2 Remyandrade, Sourcecodester | 2 Real Estate Property Listing App, Real Estate Property Listing App | 2025-12-16 | 4.7 Medium |
| A vulnerability has been found in SourceCodester Real Estate Property Listing App 1.0. The impacted element is an unknown function of the file /admin/property.php. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||