Total
6172 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10637 | 2 Quadlayers, Wordpress | 2 Wp Social Feed Gallery, Wordpress | 2025-10-27 | 5.3 Medium |
| The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to exfiltrate Instagram profile and media data from any account the site owner connected to their site. | ||||
| CVE-2025-11255 | 1 Wordpress | 1 Wordpress | 2025-10-27 | 4.3 Medium |
| The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'moppm_ajax' AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log out the site's connection to miniorange. | ||||
| CVE-2025-12202 | 1 Ajayrandhawa | 1 User-management-php-mysql Web | 2025-10-27 | 4.3 Medium |
| A security flaw has been discovered in ajayrandhawa User-Management-PHP-MYSQL web up to fedcf58797bf2791591606f7b61fdad99ad8bff1. This vulnerability affects unknown code. Performing manipulation results in cross-site request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-61755 | 1 Oracle | 1 Graalvm For Jdk | 2025-10-27 | 3.7 Low |
| Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.16 and 21.0.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). | ||||
| CVE-2025-11581 | 1 Powerjob | 1 Powerjob | 2025-10-27 | 5.3 Medium |
| A security vulnerability has been detected in PowerJob up to 5.1.2. This vulnerability affects unknown code of the file /openApi/runJob of the component OpenAPIController. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-11580 | 1 Powerjob | 1 Powerjob | 2025-10-27 | 5.3 Medium |
| A weakness has been identified in PowerJob up to 5.1.2. This affects the function list of the file /user/list. This manipulation causes missing authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-42968 | 1 Sap | 1 Netweaver | 2025-10-27 | 5 Medium |
| SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application. | ||||
| CVE-2025-42986 | 1 Sap | 3 Abap Platform, Netweaver, Sap Basis | 2025-10-27 | 4.3 Medium |
| Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application. | ||||
| CVE-2025-62614 | 1 Booklore | 1 Booklore | 2025-10-27 | N/A |
| BookLore is a self-hosted web app for organizing and managing personal book collections. In versions 1.8.1 and prior, an authentication bypass vulnerability in the BookMediaController allows any unauthenticated user to access and download book covers, thumbnails, and complete PDF/CBX page content without authorization. The vulnerability exists because multiple media endpoints lack proper access control annotations, and the CoverJwtFilter continues request processing even when no authentication token is provided. This enables attackers to enumerate and exfiltrate all book content from the system, bypassing the intended download permissions (canDownload) entirely. This issue has been patched via commit b226c43. | ||||
| CVE-2021-39226 | 3 Fedoraproject, Grafana, Redhat | 5 Fedora, Grafana, Enterprise Linux and 2 more | 2025-10-24 | 9.8 Critical |
| Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects. | ||||
| CVE-2025-61751 | 1 Oracle | 1 Financial Services Analytical Applications Infrastructure | 2025-10-24 | 8.1 High |
| Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | ||||
| CVE-2025-22178 | 1 Atlassian | 1 Jira Align | 2025-10-24 | 4.3 Medium |
| Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view items on the "Why" page. | ||||
| CVE-2021-37976 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2025-10-24 | 6.5 Medium |
| Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | ||||
| CVE-2025-7756 | 1 Fabian | 1 E-commerce Site | 2025-10-23 | 4.3 Medium |
| A vulnerability classified as problematic has been found in code-projects E-Commerce Site 1.0. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2021-30713 | 1 Apple | 2 Mac Os X, Macos | 2025-10-23 | 7.8 High |
| A permissions issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.4. A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited.. | ||||
| CVE-2021-30657 | 1 Apple | 2 Mac Os X, Macos | 2025-10-23 | 5.5 Medium |
| A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina. A malicious application may bypass Gatekeeper checks. Apple is aware of a report that this issue may have been actively exploited.. | ||||
| CVE-2025-42911 | 1 Sap | 3 Netweaver, Sap Basis, Sap Netweaver | 2025-10-23 | 5 Medium |
| SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application | ||||
| CVE-2025-42918 | 1 Sap | 5 Application Server, Background Processing, Netweaver and 2 more | 2025-10-23 | 4.3 Medium |
| SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability | ||||
| CVE-2025-58073 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-22 | 8.1 High |
| Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state. | ||||
| CVE-2025-58075 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-22 | 8.1 High |
| Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState | ||||