Export limit exceeded: 335164 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (2921 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-53647 | 3 Apple, Google, Trendmicro | 4 Iphone Os, Android, Id Security and 1 more | 2025-09-29 | 6.5 Medium |
| Trend Micro ID Security, version 3.0 and below contains a vulnerability that could allow an attacker to send an unlimited number of email verification requests without any restriction, potentially leading to abuse or denial of service. | ||||
| CVE-2024-27267 | 2 Ibm, Redhat | 2 Java Sdk, Enterprise Linux | 2025-09-29 | 5.9 Medium |
| The Object Request Broker (ORB) in IBM SDK, Java Technology Edition 7.1.0.0 through 7.1.5.18 and 8.0.0.0 through 8.0.8.26 is vulnerable to remote denial of service, caused by a race condition in the management of ORB listener threads. | ||||
| CVE-2023-48028 | 1 Kodcloud | 1 Kodbox | 2025-09-29 | 9.8 Critical |
| kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack. | ||||
| CVE-2025-58443 | 1 Fogproject | 1 Fogproject | 2025-09-29 | 9.1 Critical |
| FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1673 and below contain an authentication bypass vulnerability. It is possible for an attacker to perform an unauthenticated DB dump where they could pull a full SQL DB without credentials. A fix is expected to be released 9/15/2025. To address this vulnerability immediately, upgrade to the latest version of either the dev-branch or working-1.6 branch. This will patch the issue for users concerned about immediate exposure. See the FOG Project documentation for step-by-step upgrade instructions: https://docs.fogproject.org/en/latest/install-fog-server#choosing-a-fog-version. | ||||
| CVE-2025-60251 | 1 Unitree | 4 B2, G1, Go2 and 1 more | 2025-09-26 | 5 Medium |
| Unitree Go2, G1, H1, and B2 devices through 2025-09-20 accept any handshake secret with the unitree substring. | ||||
| CVE-2025-44004 | 1 Mattermost | 2 Confluence, Mattermost | 2025-09-25 | 7.2 High |
| Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization via API call to the create channel subscription endpoint. | ||||
| CVE-2025-41716 | 1 Wago | 1 Solution Builder | 2025-09-25 | 5.3 Medium |
| The web application allows an unauthenticated remote attacker to learn information about existing user accounts with their corresponding role due to missing authentication for critical function. | ||||
| CVE-2025-10906 | 2 Apple, Magnetism Studios | 2 Macos, Endurance | 2025-09-25 | 8.4 High |
| A flaw has been found in Magnetism Studios Endurance up to 3.3.0 on macOS. This affects the function loadModuleNamed:WithReply of the file /Applications/Endurance.app/Contents/Library/LaunchServices/com.MagnetismStudios.endurance.helper of the component NSXPC Interface. Executing manipulation can lead to missing authentication. The attack needs to be launched locally. The exploit has been published and may be used. | ||||
| CVE-2022-2457 | 1 Redhat | 1 Process Automation Manager | 2025-09-24 | 6.5 Medium |
| A flaw was found in Red Hat Process Automation Manager 7 where an attacker can benefit from a brute force attack against Administration Console as the application does not limit the number of unsuccessful login attempts. | ||||
| CVE-2025-41715 | 2025-09-24 | 9.8 Critical | ||
| The database for the web application is exposed without authentication, allowing an unauthenticated remote attacker to gain unauthorized access and potentially compromise it. | ||||
| CVE-2025-54478 | 1 Mattermost | 2 Confluence, Mattermost | 2025-09-24 | 7.2 High |
| Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint. | ||||
| CVE-2024-41791 | 1 Siemens | 2 7kt Pac1260 Data Manager, 7kt Pac1260 Data Manager Firmware | 2025-09-23 | 7.3 High |
| A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not authenticate report creation requests. This could allow an unauthenticated remote attacker to read or clear the log files on the device, reset the device or set the date and time. | ||||
| CVE-2024-41793 | 1 Siemens | 2 7kt Pac1260 Data Manager, 7kt Pac1260 Data Manager Firmware | 2025-09-23 | 8.6 High |
| A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices provides an endpoint that allows to enable the ssh service without authentication. This could allow an unauthenticated remote attacker to enable remote access to the device via ssh. | ||||
| CVE-2025-8943 | 1 Flowiseai | 1 Flowise | 2025-09-23 | 9.8 Critical |
| The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands. | ||||
| CVE-2025-10761 | 1 Harness | 1 Harness | 2025-09-22 | 3.7 Low |
| A vulnerability has been found in Harness 3.3.0. Affected is an unknown function of the file /api/v1/login of the component Login Endpoint. The manipulation leads to improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10772 | 1 Huggingface | 1 Lerobot | 2025-09-22 | 6.3 Medium |
| A vulnerability was identified in huggingface LeRobot up to 0.3.3. Affected by this vulnerability is an unknown functionality of the file lerobot/common/robot_devices/robots/lekiwi_remote.py of the component ZeroMQ Socket Handler. The manipulation leads to missing authentication. The attack can only be initiated within the local network. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10658 | 2 Supportcandy, Wordpress | 2 Supportcandy, Wordpress | 2025-09-22 | 6.5 Medium |
| The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code. | ||||
| CVE-2025-9983 | 2025-09-22 | N/A | ||
| GALAYOU G2 cameras stream video output via RTSP streams. By default these streams are protected by randomly generated credentials. However these credentials are not required to access the stream. Changing these values does not change camera's behavior. The vendor did not respond in any way. Only version 11.100001.01.28 was tested, other versions might also be vulnerable. | ||||
| CVE-2024-45049 | 1 Nixos | 1 Hydra | 2025-09-22 | 7.5 High |
| Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can be fixed by applying https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package. Users are advised to upgrade. Users unable to upgrade should deny the `/api/push` route in a reverse proxy. This also breaks the "Evaluate jobset" button in the frontend. | ||||
| CVE-2025-54864 | 1 Nixos | 1 Hydra | 2025-09-22 | 7.5 High |
| Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, introducing potential denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy. | ||||