CVE Daily
← All tags

Tag: Unauthenticated/Unauthorized Access

All CVEs associated with "Unauthenticated/Unauthorized Access". Page 29/128 • 15320 CVEs.

Subscribe CVEs: RSS for “Unauthenticated/Unauthorized Access”  ·  RSS (High+Critical only)

About “Unauthenticated/Unauthorized Access”

A curated feed of “Unauthenticated/Unauthorized Access”-related CVEs appears below. We currently track 15320 CVEs for this tag (all time). In the last 365 days, 3827 were published. Average CVSS is 7.4 (all time; 7.4 over 365d), and 61% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-306 - Missing Authentication for Critical Function, CWE-639 - Authorization Bypass Through User-Controlled Key.

In our taxonomy this topic maps to a HIGH impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-08-12
High

CVE-2025-20625

Improper conditions check for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.110.0.5 may allow an unauthenticated user to potentially enable denial of service via adjacent…

CVSS: 7.4 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
High

CVE-2025-5462

A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access befo…

CVSS: 7.5 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2025-5456

A buffer over-read vulnerability in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access b…

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2025-40768

A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V3.0). The affected application exposes an internal service port to be accessible from outside the s…

CVSS: 7.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2025-40761

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions), RUGGEDCOM ROX MX5000RE (All versions), RUGGEDCOM ROX RX1400 (All versions), RUGGEDCOM ROX RX1500 (All versions), RUGGEDCOM…

CVSS: 7.6 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Low

CVE-2024-41985

A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506…

CVSS: 2.6 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Low

CVE-2024-41980

A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506…

CVSS: 3.1 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
Medium

CVE-2025-42975

SAP NetWeaver Application Server ABAP (BIC Document) allows an unauthenticated attacker to craft a URL link which, when accessed on the BIC Document application, embeds a malicious script. When a vic…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-42948

Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-42946

Due to directory traversal vulnerability in SAP S/4HANA (Bank Communication Management), an attacker with high privileges and access to a specific transaction and method in Bank Communication Managem…

CVSS: 6.9 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-42942

SAP NetWeaver Application Server for ABAP has cross-site scripting vulnerability. Due to this, an unauthenticated attacker could craft a URL embedded with malicious script and trick an unauthenticate…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-08-11
High

CVE-2025-7679

The ASPECT system allows users to bypass authentication. This issue affects all versions of ASPECT

CVSS: 8.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2025-53187

Due to an issue in configuration, code that was intended for debugging purposes was included in the market release of the ASPECT FW allowing an attacker to bypass authentication. This vulnerability m…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2025-8866

YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking conf…

CVSS: 5.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2025-8853

Official Document Management System developed by 2100 Technology has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to obtain any user's connection token and use it…

CVSS: 9.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2025-08-10
Medium

CVE-2025-8794

A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. Th…

CVSS: 5.3 CWE: CWE-285 - Improper Authorization View on NVD
Medium

CVE-2025-8789

A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been classified as problematic. This affects an unknown part of the file /module/Api/Diario of the component API Endpoint. The man…

CVSS: 4.3 CWE: CWE-285 - Improper Authorization View on NVD
2025-08-09
Medium

CVE-2025-8755

A vulnerability was found in macrozheng mall up to 1.0.3 and classified as problematic. This issue affects the function detail of the file UmsMemberController.java of the component com.macro.mall.por…

CVSS: 5.3 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2025-54888

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.…

CVSS: 8.7 CWE: CWE-287 - Improper Authentication View on NVD
2025-08-08
Critical

CVE-2012-10044

MobileCartly version 1.0 contains an arbitrary file creation vulnerability in the savepage.php script. The application fails to perform authentication or authorization checks before invoking file_put…

CVSS: 10.0 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2025-52913

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP2 (9.8.2.12) could allow an unauthenticated attacker to conduct a path traversal attack due to insuffi…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2025-46414

The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods…

CVSS: 8.1 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
2025-08-07
Low

CVE-2025-54787

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a vulnerability in SuiteCRM version 7.14.6 which allows unauthenticated downloads of…

CVSS: 3.7 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2025-24000

Authentication Bypass Using an Alternate Path or Channel vulnerability in Saad Iqbal Post SMTP post-smtp allows Authentication Bypass.This issue affects Post SMTP: from n/a through <= 3.2.0.

CVSS: 8.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2025-47188

A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, coul…

CVSS: 6.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2025-54786

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows una…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-08-06
High

CVE-2025-7770

Tigo Energy's CCA device is vulnerable to insecure session ID generation in their remote API. The session IDs are generated using a predictable method based on the current timestamp, allowing attacke…

CVSS: 8.7 CWE: CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG) View on NVD
High

CVE-2025-7769

Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handlin…

CVSS: 8.7 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Low

CVE-2025-38746

Dell SupportAssist OS Recovery, versions prior to 5.5.14.0, contains an Exposure of Sensitive Information to an Unauthorized Actor vulnerability. An unauthenticated attacker with physical access coul…

CVSS: 3.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2025-51040

Electrolink FM/DAB/TV Transmitter Web Management System Unauthorized access vulnerability via the /FrameSetCore.html endpoint in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08,…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2025-8616

A weakness identified in OpenText Advanced Authentication where a Malicious browser plugin can record and replay the user authentication process to bypass Authentication. This issue affects Advanced…

CVSS: 6.1 CWE: CWE-294 - Authentication Bypass by Capture-replay View on NVD
High

CVE-2025-46387

CWE-639 Authorization Bypass Through User-Controlled Key

CVSS: 8.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2025-46386

CWE-639 Authorization Bypass Through User-Controlled Key

CVSS: 8.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2025-54622

Binding authentication bypass vulnerability in the devicemanager module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVSS: 8.3 CWE: CWE-305 - Authentication Bypass by Primary Weakness View on NVD
2025-08-05
High

CVE-2025-53534

RatPanel is a server operation and maintenance management panel. In versions 2.3.19 through 2.5.5, when an attacker obtains the backend login path of RatPanel (including but not limited to weak defau…

CVSS: 7.7 CWE: CWE-305 - Authentication Bypass by Primary Weakness View on NVD
Critical

CVE-2013-10069

The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improp…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2013-10066

An unauthenticated arbitrary file upload vulnerability exists in Kordil EDMS v2.2.60rc3. The application exposes an upload endpoint (users_add.php) that allows attackers to upload files to the /userp…

CVSS: 10.0 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2012-10027

WP-Property plugin for WordPress up to and including version 1.35.0 contains an unauthenticated file upload vulnerability in the third-party `uploadify.php` script. A remote attacker can upload arbit…

CVSS: 9.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Critical

CVE-2012-10025

The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_u…

CVSS: 10.0 CWE: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') View on NVD
Medium

CVE-2025-50454

An Authentication Bypass vulnerability in Blue Access' Cobalt X1 thru 02.000.187 allows an unauthorized attacker to log into the application as an administrator without valid credentials.

CVSS: 6.5 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2025-08-04
High

CVE-2025-38741

Dell Enterprise SONiC OS, version 4.5.0, contains a cryptographic key vulnerability in SSH. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to unauthorized ac…

CVSS: 7.5 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
High

CVE-2025-26476

Dell ECS versions prior to 3.8.1.5/ ObjectScale version 4.0.0.0, contain a Use of Hard-coded Cryptographic Key vulnerability. An unauthenticated attacker with local access could potentially exploit t…

CVSS: 8.4 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
Critical

CVE-2013-10054

An unauthenticated arbitrary file upload vulnerability exists in LibrettoCMS version 1.1.7 (and possibly earlier) contains an unauthenticated arbitrary file upload vulnerability in its File Manager p…

CVSS: 9.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2025-44957

Ruckus SmartZone (SZ) before 6.1.2p3 Refresh Build allows authentication bypass via a valid API key and crafted HTTP headers.

CVSS: 8.5 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
High

CVE-2025-38739

Dell Digital Delivery, versions prior to 5.6.1.0, contains an Insufficiently Protected Credentials vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leadi…

CVSS: 7.2 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Critical

CVE-2025-36594

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.3.0.15, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release ver…

CVSS: 9.8 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2025-36605

Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the CWE-79: Improper Neutralization of Input…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-36604

Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. An unauthenticated attacker with remote a…

CVSS: 7.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2025-20702

In the Airoha Bluetooth audio SDK, there is a possible unauthorized access to the RACE protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User…

CVSS: 8.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2025-08-03
High

CVE-2025-54955

OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition that can lead to full account takeover. By exploiting this, an unauthe…

CVSS: 8.1 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2025-08-02
Critical

CVE-2025-7710

The Brave Conversion Engine (PRO) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.7.7. This is due to the plugin not properly restricting a claimed…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2025-08-01
Medium

CVE-2025-54792

LocalSend is an open-source app to securely share files and messages with nearby devices over local networks without needing an internet connection. In versions 1.16.1 and below, a critical Man-in-th…

CVSS: 6.8 CWE: CWE-300 - Channel Accessible by Non-Endpoint View on NVD
High

CVE-2012-10022

Kloxo versions 6.1.12 and earlier contain two setuid root binaries—lxsuexec and lxrestart—that allow local privilege escalation from uid 48. The lxsuexec binary performs a uid check and permits execu…

CVSS: 8.5 CWE: CWE-269 - Improper Privilege Management View on NVD
Critical

CVE-2025-50870

Institute-of-Current-Students 1.0 is vulnerable to Incorrect Access Control in the mydetailsstudent.php endpoint. The myds GET parameter accepts an email address as input and directly returns the cor…

CVSS: 9.8 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2025-4523

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the admin_donor_profile_view()…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2025-5947

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly vali…

CVSS: 9.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2025-07-31
High

CVE-2025-50850

An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematic…

CVSS: 8.6 CWE: CWE-284 - Improper Access Control View on NVD
Critical

CVE-2014-125126

An unrestricted file upload vulnerability exists in Simple E-Document versions 3.0 to 3.1 that allows an unauthenticated attacker to bypass authentication by sending a specific cookie header (access=…

CVSS: 9.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2014-125125

A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downlo…

CVSS: 8.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2014-125124

An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web interface, which listens on TCP port 8023. The anyterm-module e…

CVSS: 10.0 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2014-125122

A stack-based buffer overflow vulnerability exists in the tmUnblock.cgi endpoint of the Linksys WRT120N wireless router. The vulnerability is triggered by sending a specially crafted HTTP POST reques…

CVSS: 5.3 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Critical

CVE-2013-10043

A vulnerability exists in OAstium VoIP PBX astium-confweb-2.1-25399 and earlier, where improper input validation in the logon.php script allows an attacker to bypass authentication via SQL injection.…

CVSS: 9.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2013-10037

An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell comman…

CVSS: 9.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2012-10021

A stack-based buffer overflow vulnerability exists in D-Link DIR-605L Wireless N300 Cloud Router firmware versions 1.12 and 1.13 via the getAuthCode() function. The flaw arises from unsafe usage of s…

CVSS: 9.8 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
2025-07-30
Critical

CVE-2025-54576

OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and…

CVSS: 9.1 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Medium

CVE-2025-36608

Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potenti…

CVSS: 6.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
Medium

CVE-2025-8353

UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to…

CVSS: 5.9 CWE: CWE-446 - UI Discrepancy for Security Feature View on NVD
Medium

CVE-2023-2593

A flaw exists within the Linux kernel's handling of new TCP connections. The issue results from the lack of memory release after its effective lifetime. This vulnerability allows an unauthenticated a…

CVSS: 5.9 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD
High

CVE-2025-53944

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents. In v0.6.15 and below, the external API's get_graph_execution_results endpoint has an a…

CVSS: 7.7 CWE: CWE-285 - Improper Authorization View on NVD
Medium

CVE-2025-53111

GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10…

CVSS: 6.5 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2025-52897

GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. T…

CVSS: 6.5 CWE: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) View on NVD
High

CVE-2025-43270

An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may gain unauthorized access to Local…

CVSS: 8.8 CWE: CWE-284 - Improper Access Control View on NVD
2025-07-29
Medium

CVE-2025-54126

The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. In versions 2.4.0 a…

CVSS: 5.3 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
Critical

CVE-2025-40600

Use of Externally-Controlled Format String vulnerability in the SonicOS SSL VPN interface allows a remote unauthenticated attacker to cause service disruption.

CVSS: 9.8 CWE: CWE-134 - Use of Externally-Controlled Format String View on NVD
Medium

CVE-2025-36010

IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 could allow an unauthenticated user to cause a denial of service due to executable segments that are waiting for each other to release a necessary lock.

CVSS: 6.5 CWE: CWE-833 - Deadlock View on NVD
Critical

CVE-2025-44136

MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without html encoding. This leads to XSS and allows an unauthentic…

CVSS: 9.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-28170

Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and…

CVSS: 7.6 CWE: CWE-548 - Exposure of Information Through Directory Listing View on NVD
High

CVE-2025-6505

Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credential…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2025-6504

In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.  Since XFF is a client-controlled header, it could be spoofed, all…

CVSS: 8.4 CWE: CWE-345 - Insufficient Verification of Data Authenticity View on NVD
2025-07-28
Critical

CVE-2025-54428

RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded us…

CVSS: 9.8 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Medium

CVE-2025-54423

copyparty is a portable file server. In versions up to and including versions 1.18.4, an unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sa…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-07-26
Critical

CVE-2025-6895

The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. T…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2025-07-25
Critical

CVE-2025-30135

An issue was discovered on IROAD Dashcam FX2 devices. Dumping Files Over HTTP and RTSP Without Authentication can occur. It lacks authentication controls on its HTTP and RTSP interfaces, allowing att…

CVSS: 9.4 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2025-52448

Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (validate-initial-sql api modules) allows Interface Manipulation (data access to the prod…

CVSS: 8.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2025-52447

Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (set-initial-sql tabdoc command modules) allows Interface Manipulation (data access to th…

CVSS: 8.1 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2025-52446

Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (tab-doc api modules) allows Interface Manipulation (data access to the production databa…

CVSS: 8.0 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2025-34139

A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files.…

CVSS: 8.7 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Critical

CVE-2025-34138

A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow remote code execution or unauthorized access to info…

CVSS: 9.3 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2025-34136

An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL In…

CVSS: 6.9 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2024-13975

A local privilege escalation vulnerability exists in Commvault for Windows versions 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. In affected configurations, a local attacker who owns a client sys…

CVSS: 8.5 CWE: CWE-269 - Improper Privilege Management View on NVD
Critical

CVE-2014-125117

A stack-based buffer overflow vulnerability in the my_cgi.cgi component of certain D-Link devices, including the DSP-W215 version 1.02, can be exploited via a specially crafted HTTP POST request to t…

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2014-125116

A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and…

CVSS: 9.3 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2025-45777

An issue in the OTP mechanism of Chavara Family Welfare Centre Chavara Matrimony Site v2.0 allows attackers to bypass authentication via supplying a crafted request.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Low

CVE-2025-0252

HCL IEM is affected by a password in cleartext vulnerability.  Sensitive information is transmitted without adequate protection, potentially exposing it to unauthorized access during transit.

CVSS: 2.6 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Low

CVE-2025-0249

HCL IEM is affected by an improper invalidation of access or JWT token vulnerability.  A token was not invalidated which may allow attackers to access sensitive data without authorization.

CVSS: 3.3 CWE: CWE-287 - Improper Authentication View on NVD
2025-07-24
High

CVE-2025-31955

HCL iAutomate is affected by a sensitive data exposure vulnerability. This issue may allow unauthorized access to sensitive information within the system.

CVSS: 7.6 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2025-31952

HCL iAutomate is affected by an insufficient session expiration. This allows tokens to remain valid indefinitely unless manually revoked, increasing the risk of unauthorized access.

CVSS: 7.1 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Critical

CVE-2025-6441

The Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for WordPress is vulnerable to unauthenticated login token generation due to a…

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
Critical

CVE-2025-41240

Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauth…

CVSS: 10.0 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
Medium

CVE-2025-1299

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 18.0.5, all versions starting from 18.1 before 18.1.3, all versions starting from 18.2 before 18.2.1 that…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2025-0765

An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an unauthorized user to access custom s…

CVSS: 4.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-07-23
High

CVE-2025-47187

A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1 R0.1.0, coul…

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Medium

CVE-2025-40598

A Reflected cross-site scripting (XSS) vulnerability exists in the SMA100 series web interface, allowing a remote unauthenticated attacker to potentially execute arbitrary JavaScript code.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2025-40597

A Heap-based buffer overflow vulnerability in the SMA100 series web interface allows remote, unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution.

CVSS: 7.5 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2025-40596

A Stack-based buffer overflow vulnerability in the SMA100 series web interface allows remote, unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution.

CVSS: 7.3 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Critical

CVE-2018-25114

A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default,…

CVSS: 9.3 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2015-10141

An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug…

CVSS: 9.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2024-12310

A vulnerability in Imprivata Enterprise Access Management (formerly Imprivata OneSign) allows bypassing the login screen of the shared kiosk workstation and allows unauthorized access to the underlyi…

CVSS: 7.0 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2025-54455

Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0.

CVSS: 9.1 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Critical

CVE-2025-54454

Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0.

CVSS: 9.1 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
High

CVE-2025-54452

Improper Authentication vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0.

CVSS: 7.3 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2025-54139

HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX…

CVSS: 4.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
2025-07-22
High

CVE-2025-54137

HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts…

CVSS: 7.3 CWE: CWE-1392 - Use of Default Credentials View on NVD
Medium

CVE-2025-51479

Authorization bypass in update_user_group in onyx-dot-app Onyx Enterprise Edition 0.27.0 allows remote authenticated attackers to modify arbitrary user groups via crafted PATCH requests to the /api/m…

CVSS: 5.4 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2025-6523

Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated b…

CVSS: 7.7 CWE: CWE-1391 - Use of Weak Credentials View on NVD
Critical

CVE-2025-34143

An authentication bypass vulnerability exists in ETQ Reliance on the CG (legacy) platform. The application allowed login as the privileged internal SYSTEM user by manipulating the username field. The…

CVSS: 9.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2025-34140

An authorization bypass vulnerability exists in ETQ Reliance (legacy CG and NXG SaaS platforms). By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass ac…

CVSS: 8.7 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
High

CVE-2025-7692

The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing…

CVSS: 8.1 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2025-07-21
Critical

CVE-2025-54122

Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Des…

CVSS: 10.0 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2025-7938

A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0 and classified as critical. This issue affects the function updateGoods of the file GoodsController.java. The manipulation leads t…

CVSS: 4.3 CWE: CWE-285 - Improper Authorization View on NVD