About “Unauthenticated/Unauthorized Access”

A curated feed of “Unauthenticated/Unauthorized Access”-related CVEs appears below. We currently track 15320 CVEs for this tag (all time). In the last 365 days, 3827 were published. Average CVSS is 7.4 (all time; 7.4 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-306 - Missing Authentication for Critical Function, CWE-639 - Authorization Bypass Through User-Controlled Key.

In our taxonomy this topic maps to a HIGH impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Each detail page highlights vendor advisories and mitigation tips.

2025-09-26
Low

CVE-2025-5069

An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain unauthor…

Medium

CVE-2025-7691

A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with…

High

CVE-2025-60111

Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core javo-core allows Authentication Bypass. This issue affects Javo Core: from n/a through <= 3.0.0.266.

Medium

CVE-2025-9984

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, an…

Low

CVE-2025-10173

The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save()…

2025-09-25
High

CVE-2025-59814

This vulnerability allows malicious actors to gain unauthorized access to the Zenitel ICX500 and ICX510 Gateway Billing Admin endpoint, enabling them to read the entire contents of the Billing Admin…

Medium

CVE-2025-10879

All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to retrieve the current user's username without authentication.

Medium

CVE-2025-20362

Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and…

High

CVE-2024-48014

Dell BSAFE Micro Edition Suite, versions prior to 5.0.2.3 contain an Out-of-bounds Write vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, le…

Critical

CVE-2020-36851

Rob--W cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets (SSRF). Because the proxy forwards requ…

Medium

CVE-2025-10540

iMonitor EAM 9.6394 transmits communication between the EAM client agent and the EAM server, as well as between the EAM monitor management software and the server, in plaintext without authentication…

Medium

CVE-2025-10947

A flaw has been found in Sistemas Pleno Gestão de Locação up to 2025.7.x. The impacted element is an unknown function of the file /api/areacliente/pessoa/validarCpf of the component CPF Handler. Exec…

High

CVE-2025-10957

This vulnerability exists in the Syrotech SY-GPON-2010-WADONT router due to improper access control in its FTP service. A remote attacker could exploit this vulnerability by establishing an FTP conne…

2025-09-24
High

CVE-2025-55322

Binding to an unrestricted ip address in GitHub allows an unauthorized attacker to execute code over a network.

High

CVE-2025-59305

Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. This can lead to data corruption or de…

High

CVE-2025-56241

Aztech DSL5005EN firmware 1.00.AZ_2013-05-10 and possibly other versions allows unauthenticated attackers to change the administrator password via a crafted POST request to sysAccess.asp. This allows…

High

CVE-2025-48869

Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These…

Medium

CVE-2025-20314

A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute per…

Medium

CVE-2025-20313

Multiple vulnerabilities in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to the device to execute…

High

CVE-2025-20160

A vulnerability in the implementation of the TACACS+ protocol in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to view sensitive data or bypass authenti…

High

CVE-2025-20334

A vulnerability in the HTTP API subsystem of Cisco IOS XE Software could allow a remote attacker to inject commands that will execute with root privileges into the underlying operating system. Thi…

Critical

CVE-2025-41715

The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it.

2025-09-23
Medium

CVE-2025-58473

An improper resource shutdown or release vulnerability has been identified in the Click Plus C2-03CPU-2 device running firmware version 3.60. The vulnerability allows an unauthenticated attacker to p…

Medium

CVE-2025-57882

An improper resource shutdown or release vulnerability has been identified in the Click Plus C2-03CPU-2 device running firmware version 3.60. The vulnerability allows an unauthenticated attacker to p…

Medium

CVE-2025-55038

An authorization bypass vulnerability has been discovered in the Click Plus C2-03CPU2 device firmware version 3.60. Through the KOPR protocol utilized by the Remote PLC application, authenticated use…

Low

CVE-2025-0672

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO r…

Medium

CVE-2025-0663

A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to…

Medium

CVE-2025-9342

Authorization Bypass Through User-Controlled Key vulnerability in Anadolu Hayat Emeklilik Inc. AHE Mobile allows Privilege Abuse. This issue affects AHE Mobile: from 1.9.7 before 1.9.9.

Medium

CVE-2025-7106

danny-avila/librechat is affected by an authorization bypass vulnerability due to improper access control checks. The `checkAccess` function in `api/server/middleware/roles/access.js` uses `permissio…

2025-09-22
Medium

CVE-2025-59562

Authorization Bypass Through User-Controlled Key vulnerability in Kodezen LLC Academy LMS academy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Academy LM…

High

CVE-2025-58250

Cross-Site Request Forgery (CSRF) vulnerability in ApusTheme Findgo fingo allows Authentication Bypass. This issue affects Findgo: from n/a through <= 1.3.55.

Low

CVE-2025-58012

Authorization Bypass Through User-Controlled Key vulnerability in Alex Content Mask content-mask allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Content Mas…

Medium

CVE-2025-57994

Authorization Bypass Through User-Controlled Key vulnerability in Sayful Islam Upcoming Events Lists upcoming-events-lists allows Exploiting Incorrectly Configured Access Control Security Levels. This…

High

CVE-2025-57685

The LB-Link routers, including the BL-AC2100_AZ3 V1.0.4, BL-WR4000 v2.5.0, BL-WR9000_AE4 v2.4.9, BL-AC1900_AZ2 v1.0.2, BL-X26_AC8 v1.2.8, and BL-LTE300_DA4 V1.2.3 models, are vulnerable to unauthoriz…

Medium

CVE-2025-55886

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ARD. The flaw exists in the `fe_uid` parameter of the payment history API endpoint. An authenticated attacker can manipulate…

High

CVE-2025-59335

CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as i…

Medium

CVE-2025-59797

Profession Fit 5.0.99 Build 44910 allows authorization bypass via a direct request for /api/challenges/{id} and also URLs for eversports, the user-management page, and the plane page.

Medium

CVE-2025-0875

Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection. This iss…

2025-09-21
Medium

CVE-2025-10759

A vulnerability was detected in Webkul QloApps up to 1.7.0. This affects an unknown function of the component CSRF Token Handler. Performing manipulation of the argument token results in authorizatio…

2025-09-20
Medium

CVE-2025-10658

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limit…

Medium

CVE-2025-10305

The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() function in all versions up to, and includi…

2025-09-19
High

CVE-2025-34202

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 25.2.169 and Application prior to 25.2.1518 (VA and SaaS deployments) expose Docker internal networks in a way that allows an atta…

High

CVE-2025-34190

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 (macOS/Linux client deployments) are vulnerable to an authentication…

Medium

CVE-2025-26516

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a Denial of Service vulnerability. Successful exploit could allow an unauthenticated attacke…

High

CVE-2025-26515

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 without Single Sign-on enabled are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. Successfu…

Critical

CVE-2022-4980

General Bytes Crypto Application Server (CAS) beginning with version 20201208 prior to 20220531.38 (backport) and 20220725.22 (mainline) contains an authentication bypass in the admin web interface.…

Medium

CVE-2025-36248

IBM Copy Services Manager 6.3.13 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended f…

Critical

CVE-2025-57644

Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting…

Medium

CVE-2025-8532

Authorization Bypass Through User-Controlled Key, Improper Authorization vulnerability in Bimser Solution Software Trade Inc. EBA Document and Workflow Management System allows Forceful Browsing. This…

High

CVE-2025-5955

The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user's phone number be…

2025-09-18
High

CVE-2025-57295

H3C devices running firmware version NX15V100R015 are vulnerable to unauthorized access due to insecure default credentials. The root user account has no password set, and the H3C user account uses t…

High

CVE-2025-57293

A command injection vulnerability in COMFAST CF-XR11 (firmware V2.7.2) exists in the multi_pppoe API, processed by the sub_423930 function in /usr/bin/webmgnt. The phy_interface parameter is not sani…

Critical

CVE-2025-54807

The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, gaining complete acces…

High

CVE-2025-54754

An attacker with adjacent access, without authentication, can exploit this vulnerability to retrieve a hard-coded password embedded in publicly available software. This password can then be used to…

High

CVE-2025-47698

An adjacent attacker without authentication can exploit this vulnerability to retrieve a set of user-privileged credentials. These credentials are present during the firmware upgrade procedure.

High

CVE-2025-55912

An issue in ClipBucket 5.5.0 and prior versions allows an unauthenticated attacker to exploit the plupload endpoint in photo_uploader.php to upload arbitrary files without any authentication, due to…

High

CVE-2025-8565

The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability che…

High

CVE-2023-49564

The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions. This flaw allows…

2025-09-17
Critical

CVE-2025-10644

Wondershare Repairit SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on Wondershare Repairit. Authen…

Critical

CVE-2025-10643

Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Wondershare…

Critical

CVE-2025-59345

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication…

Medium

CVE-2025-35434

CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.…

Medium

CVE-2025-35432

CISA Thorium does not rate limit requests to send account verification email messages. A remote unauthenticated attacker can send unlimited messages to a user who is pending verification. Fixed in 1.…

Medium

CVE-2025-8463

Authorization Bypass Through User-Controlled Key vulnerability in SecHard Information Technologies SecHard allows Forceful Browsing. This issue affects SecHard: before 3.6.2-20250805.

Critical

CVE-2025-9242

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 an…

2025-09-16
High

CVE-2025-37127

A vulnerability in the cryptographic logic used by HPE Aruba Networking EdgeConnect SD-WAN Gateways could allow an authenticated remote attacker to gain shell access. Successful exploitation could al…

High

CVE-2025-37124

A vulnerability in the HPE Aruba Networking SD-WAN Gateways could allow an unauthenticated remote attacker to bypass firewall protections. Successful exploitation could allow an attacker to route pot…

Critical

CVE-2025-54391

A vulnerability in the EnableTwoFactorAuthRequest SOAP endpoint of Zimbra Collaboration (ZCS) allows an attacker with valid user credentials to bypass Two-Factor Authentication (2FA) protection. The…

Critical

CVE-2025-34186

Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inje…

High

CVE-2025-34183

Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains a vulnerability in its server-side logging mechanism that allows unauthenticated remote attackers to retrieve plaintext credentials from exposed…

Medium

CVE-2025-49728

Cleartext storage of sensitive information in Microsoft PC Manager allows an unauthorized attacker to bypass a security feature locally.

Medium

CVE-2025-47967

Insufficient ui warning of dangerous operations in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.

Low

CVE-2025-59270

psPAS PowerShell module does not explicitly enforce TLS 1.2 within the 'Get-PASSAMLResponse' function during the SAML authentication process. An unauthenticated attacker in a 'Man-in-the-Middle' posi…

Critical

CVE-2009-20006

osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without suffi…

Medium

CVE-2025-8057

Authorization Bypass Through User-Controlled Key, Externally Controlled Reference to a Resource in Another Sphere, Improper Authorization vulnerability in Patika Global Technologies HumanSuite allows…

Medium

CVE-2025-7355

Authorization Bypass Through User-Controlled Key vulnerability in Beefull Energy Technologies Beefull App allows Exploitation of Trusted Identifiers. This issue affects Beefull App: before 24.07.2025.

Critical

CVE-2025-55109

An authentication bypass vulnerability exists in the out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions when using an empty or default kdb keystore…

High

CVE-2025-41248

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an iss…

Medium

CVE-2025-26711

There is an unauthorized access vulnerability in ZTE T5400. Due to improper permission control of the Web module interface, an unauthorized attacker can obtain sensitive information through the inter…

Low

CVE-2025-26710

There is an information disclosure vulnerability in ZTE T5400. Due to improper configuration of the access control mechanism, attackers can obtain information through interfaces without authorizat…

Medium

CVE-2025-5518

Authorization Bypass Through User-Controlled Key vulnerability with user privileges in ArgusTech BILGER allows Exploitation of Trusted Identifiers. This issue affects BILGER: before 2.4.6.

Low

CVE-2025-59453

Click Studios Passwordstate before 9.9 Build 9972 has a potential authentication bypass for Passwordstate emergency access. By using a crafted URL while on the Emergency Access web page, an unauthori…

2025-09-15
Medium

CVE-2025-30468

This issue was addressed through improved state management. This issue is fixed in iOS 26 and iPadOS 26. Private Browsing tabs may be accessed without authentication.

Critical

CVE-2025-57174

An issue was discovered in Siklu Communications Etherhaul 8010TX and 1200FX devices, Firmware 7.4.0 through 10.7.3 and possibly other previous versions. The rfpiped service listening on TCP port 555…

High

CVE-2025-59358

The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kuberne…

2025-09-14
High

CVE-2025-10204

A vulnerability has been discovered in AC Smart II where passwords can be changed without authorization. This page contains a hidden form for resetting the administrator password. The attacker can ma…

2025-09-12
High

CVE-2025-45584

Incorrect access control in the web service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to download car information without authentication.

Critical

CVE-2025-58434

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information includin…

Critical

CVE-2025-10365

The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used b…

Critical

CVE-2025-10364

The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used b…

High

CVE-2025-55319

AI command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network.

2025-09-11
Critical

CVE-2025-10127

Daikin Europe N.V Security Gateway is vulnerable to an authorization bypass through a user-controlled key vulnerability that could allow an attacker to bypass authentication. An unauthorized attac…

High

CVE-2025-8557

An internal product security audit of Lenovo XClarity Orchestrator (LXCO) discovered the below vulnerability: An attacker with access to a device on the local Lenovo XClarity Orchestrator (LXCO) net…

High

CVE-2025-58060

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, when the `AuthType` is set to anything but `Basic`, if the request…

Critical

CVE-2025-58321

Delta Electronics DIALink has a Directory Traversal Authentication Bypass Vulnerability.

High

CVE-2025-58320

Delta Electronics DIALink has a Directory Traversal Authentication Bypass Vulnerability.

Low

CVE-2025-6088

In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known.…

2025-09-10
High

CVE-2025-8696

If an unauthenticated user sends a large amount of data to the Stork UI, it may cause memory and disk use problems for the system running the Stork server. This issue affects Stork versions 1.0.0 thr…

High

CVE-2025-55976

Intelbras IWR 3000N 1.9.8 exposes the Wi-Fi password in plaintext via the /api/wireless endpoint. Any unauthenticated user on the local network can directly obtain the Wi-Fi network password by query…

High

CVE-2025-57642

A Shell Upload vulnerability in Tourism Management System 2.0 allows an attacker to upload and execute arbitrary PHP shell scripts on the server, leading to remote code execution and unauthorized acc…

Medium

CVE-2025-43938

Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) a Plaintext Storage of a Password vulnerability. A high privileged attacker with local access could potentially exploit…

High

CVE-2025-43888

Dell PowerProtect Data Manager, Hyper-V, version(s) 19.19 and 19.20, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could po…

Critical

CVE-2025-9943

An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as sto…

High

CVE-2025-10040

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all…

2025-09-09
Medium

CVE-2025-58135

Improper action enforcement in certain Zoom Workplace Clients for Windows may allow an unauthenticated user to conduct a disclosure of information via network access.

Medium

CVE-2025-49461

Cross-site scripting in certain Zoom Workplace Clients may allow an unauthenticated user to conduct a denial of service via network access.

Medium

CVE-2025-49460

Uncontrolled resource consumption in certain Zoom Workplace Clients may allow an unauthenticated user to conduct a denial of service via network access.

Critical

CVE-2025-58462

OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0 allows SQL injection via SearchPopularDocs.aspx. A remote, unauthenticated attacker could read, write, or delete any content in the…

Critical

CVE-2025-10159

An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7).

High

CVE-2025-58761

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `real_pms_image_proxy` endpoint in Tautulli v2.15.3 and prior is vulnerable to path traversal, allowing unauthentica…

High

CVE-2025-58760

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint in Tautulli v2.15.3 and earlier is vulnerable to path traversal, allowing unauthenticated atta…

High

CVE-2025-57278

The LB-Link BL-CPE300M AX300 4G LTE Router firmware version BL-R8800_B10_ALK_SL_V01.01.02P42U14_06 does not implement proper session handling. After a user authenticates from a specific IP address, t…

High

CVE-2025-55243

Exposure of sensitive information to an unauthorized actor in Microsoft Office Plus allows an unauthorized attacker to perform spoofing over a network.

Critical

CVE-2025-55232

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an unauthorized attacker to execute code over a network.

Medium

CVE-2025-55225

Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

Medium

CVE-2025-54917

Protection mechanism failure in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.

High

CVE-2025-54910

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

High

CVE-2025-54908

Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.

High

CVE-2025-54907

Heap-based buffer overflow in Microsoft Office Visio allows an unauthorized attacker to execute code locally.

High

CVE-2025-54906

Free of memory not on the heap in Microsoft Office allows an unauthorized attacker to execute code locally.