Total
2442 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-40819 | 1 Siemens | 1 Sinema Remote Connect Server | 2025-12-10 | 4.3 Medium |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP4). Affected applications do not properly validate license restrictions against the database, allowing direct modification of the system_ticketinfo table to bypass license limitations without proper enforcement checks. This could allow with database access to circumvent licensing restrictions by directly modifying database values and potentially enabling unauthorized use beyond the permitted scope. | ||||
| CVE-2025-65900 | 2 Difuse, Kalmia | 2 Kalmia, Kalmia Cms | 2025-12-10 | 6.5 Medium |
| Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic read permissions can retrieve sensitive information for all platform users. | ||||
| CVE-2025-13432 | 1 Hashicorp | 2 Terraform, Terraform Enterprise | 2025-12-10 | 4.3 Medium |
| Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3. | ||||
| CVE-2025-9056 | 2025-12-10 | 5.3 Medium | ||
| Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation. | ||||
| CVE-2025-61830 | 1 Adobe | 1 Pass | 2025-12-10 | 7.1 High |
| Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a victim must install a malicious SDK. | ||||
| CVE-2025-54838 | 1 Fortinet | 1 Fortiportal | 2025-12-09 | 6.4 Medium |
| An Incorrect Authorization vulnerability [CWE-863] in FortiPortal 7.4.0 through 7.4.5 may allow an authenticated attacker to reboot a shared FortiGate device via crafted HTTP requests. | ||||
| CVE-2025-8148 | 1 Fortra | 1 Goanywhere Managed File Transfer | 2025-12-08 | 4.2 Medium |
| An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key. | ||||
| CVE-2025-66623 | 1 Strimzi | 1 Kafka-operator | 2025-12-08 | 7.4 High |
| Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1. | ||||
| CVE-2025-66581 | 1 Frappe | 2 Frappe, Frappe Lms | 2025-12-08 | N/A |
| Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators via directly using the API's. This vulnerability is fixed in 2.41.0. | ||||
| CVE-2025-64746 | 2 Directus, Monospace | 2 Directus, Directus | 2025-12-08 | 4.6 Medium |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue. | ||||
| CVE-2025-62259 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-08 | 5.4 Medium |
| Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API. | ||||
| CVE-2024-32643 | 1 Masacms | 1 Masacms | 2025-12-05 | 7.5 High |
| Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6. | ||||
| CVE-2025-12756 | 1 Mattermost | 3 Mattermost, Mattermost Boards, Mattermost Server | 2025-12-05 | 4.3 Medium |
| Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users. | ||||
| CVE-2025-55469 | 1 Youlai | 1 Youlai-boot | 2025-12-05 | 9.8 Critical |
| Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend. | ||||
| CVE-2025-59111 | 1 Windu | 1 Windu Cms | 2025-12-05 | 6.5 Medium |
| Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | ||||
| CVE-2025-59048 | 1 Openbao | 2 Aws Plugin, Openbao | 2025-12-05 | 8.1 High |
| OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access. This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts. This vulnerability has been patched in version 0.1.1 of the auth-aws plugin. A workaround for this issue involves guaranteeing that IAM role names are unique across all AWS accounts that could potentially interact with your OpenBao environment, and to audit for any duplicate IAM roles. | ||||
| CVE-2025-66423 | 1 Tryton | 1 Trytond | 2025-12-04 | 7.1 High |
| Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | ||||
| CVE-2025-66424 | 1 Tryton | 1 Trytond | 2025-12-04 | 6.5 Medium |
| Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | ||||
| CVE-2025-20381 | 1 Splunk | 1 Mcp Server | 2025-12-04 | 5.4 Medium |
| In Splunk MCP Server app versions below 0.2.4, a user with access to the "run_splunk_query" Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unauthorized actions beyond the intended MCP restrictions. | ||||
| CVE-2025-66406 | 1 Smallstep | 1 Certificates | 2025-12-04 | 5 Medium |
| Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fixed in 0.29.0. | ||||