Total
3800 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11661 | 1 Oranbyte | 1 School Management System | 2025-10-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This affects an unknown part. Performing manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery | |||||
| CVE-2025-43281 | 1 Apple | 1 Macos | 2025-10-16 | N/A | 8.4 HIGH |
| The issue was addressed with improved authentication. This issue is fixed in macOS Sequoia 15.6. A local attacker may be able to elevate their privileges. | |||||
| CVE-2025-60306 | 1 Code-projects | 1 Simple Car Rental System | 2025-10-16 | N/A | 9.9 CRITICAL |
| code-projects Simple Car Rental System 1.0 has a permission bypass issue where low privilege users can forge high privilege sessions and perform sensitive operations. | |||||
| CVE-2025-45583 | 1 Audi | 2 Universal Traffic Recorder, Universal Traffic Recorder Firmware | 2025-10-16 | N/A | 9.1 CRITICAL |
| Incorrect access control in the FTP protocol of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to authenticate into the service using any combination of username and password. | |||||
| CVE-2025-62376 | 2025-10-16 | N/A | N/A | ||
| pwn.college DOJO is an education platform for learning cybersecurity. In versions up to and including commit 781d91157cfc234a434d0bab45cbcf97894c642e, the /workspace endpoint contains an improper authentication vulnerability that allows an attacker to access any active Windows VM without proper authorization. The vulnerability occurs in the view_desktop function where the user is retrieved via a URL parameter without verifying that the requester has administrative privileges. An attacker can supply any user ID and arbitrary password in the request parameters to impersonate another user. When requesting a Windows desktop service, the function does not validate the supplied password before generating access credentials, allowing the attacker to obtain an iframe source URL that grants full access to the target user's Windows VM. This impacts all users with active Windows VMs, as an attacker can access and modify data on the Windows machine and in the home directory of the associated Linux machine via the Z: drive. This issue has been patched in commit 467db0b9ea0d9a929dc89b41f6eb59f7cfc68bef. No known workarounds exist. | |||||
| CVE-2025-10293 | 2025-10-16 | N/A | 8.8 HIGH | ||
| The Keyy Two Factor Authentication (like Clef) plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating a user's identity associated with a token generated. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate valid auth tokens and leverage that to auto-login as other accounts, including administrators, as long as the administrator has the 2FA set up. | |||||
| CVE-2025-3850 | 1 Yxj2018 | 1 Springboot-vue-onlineexam | 2025-10-15 | 2.6 LOW | 3.7 LOW |
| A vulnerability, which was classified as problematic, has been found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. This issue affects some unknown processing of the component API. The manipulation leads to improper authentication. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-53845 | 1 Fortinet | 1 Fortianalyzer | 2025-10-15 | N/A | 6.5 MEDIUM |
| An improper authentication vulnerability [CWE-287] in Fortinet FortiAnalyzer version 7.6.0 through 7.6.3 and before 7.4.6 allows an unauthenticated attacker to obtain information pertaining to the device's health and status, or cause a denial of service via crafted OFTP requests. | |||||
| CVE-2025-56578 | 2025-10-15 | N/A | 5.7 MEDIUM | ||
| An issue in RTSPtoWeb v.2.4.3 allows a remote attacker to obtain sensitive information and executearbitrary code via the lack of authentication mechanisms | |||||
| CVE-2025-57434 | 1 Creacast | 1 Creabox Manager | 2025-10-14 | N/A | 8.8 HIGH |
| Creacast Creabox Manager contains a critical authentication flaw that allows an attacker to bypass login validation. The system grants access when the username is creabox and the password begins with the string creacast, regardless of what follows. | |||||
| CVE-2025-10423 | 1 Newbee-mall Project | 1 Newbee-mall | 2025-10-14 | 2.6 LOW | 3.7 LOW |
| A vulnerability was found in newbee-mall 1.0. Impacted is the function mallKaptcha of the file /common/mall/kaptcha. The manipulation results in guessable captcha. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The exploit has been made public and could be used. | |||||
| CVE-2025-9265 | 2025-10-14 | N/A | N/A | ||
| A broken authorization vulnerability in Kiloview NDI N30 allows a remote unauthenticated attacker to deactivate user verification, giving them access to state changing actions that should only be initiated by administratorsThis issue affects Kiloview NDI N30 and was fixed in Firmware version later than 2.02.0246 | |||||
| CVE-2024-25128 | 1 Dpgaspar | 1 Flask-appbuilder | 2025-10-14 | N/A | 9.1 CRITICAL |
| Flask-AppBuilder is an application development framework, built on top of Flask. When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, it allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the OpenID 2.0 authorization protocol. Upgrade to Flask-AppBuilder 4.3.11 to fix the vulnerability. | |||||
| CVE-2024-34399 | 1 Bmc | 1 Remedy Mid-tier | 2025-10-14 | N/A | 9.8 CRITICAL |
| **UNSUPPORTED WHEN ASSIGNED** An issue was discovered in BMC Remedy Mid Tier 7.6.04. An unauthenticated remote attacker is able to access any user account without using any password. NOTE: This vulnerability only affects products that are no longer supported by the maintainer and the impacted version for this vulnerability is 7.6.04 only. | |||||
| CVE-2024-0799 | 1 Arcserve | 1 Udp | 2025-10-14 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin. | |||||
| CVE-2025-24949 | 1 Joturl | 1 Joturl | 2025-10-14 | N/A | 6.5 MEDIUM |
| In JotUrl 2.0, is possible to bypass security requirements during the password change process. | |||||
| CVE-2020-24029 | 1 Forlogic | 1 Qualiex | 2025-10-14 | 7.5 HIGH | 9.8 CRITICAL |
| Because of unauthenticated password changes in ForLogic Qualiex v1 and v3, customer and admin permissions and data can be accessed via a simple request. NOTE: as of 2025-10-14, the Supplier's perspective is that this is "corrected in all maintained versions. Password reset requests are validated against registered user emails and require a valid, short-lived token." | |||||
| CVE-2014-2373 | 1 Accuenergy | 2 Acuvim Ii, Axm-net | 2025-10-13 | 7.5 HIGH | N/A |
| The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript. | |||||
| CVE-2022-41648 | 1 Heidenhain | 3 Heros, Tnc 640, Tnc 640 Programming Station | 2025-10-13 | N/A | 9.8 CRITICAL |
| The HEIDENHAIN Controller TNC 640 NC software Version 340590 07 SP5, is vulnerable to improper authentication in its DNC communication for CNC machines. Authentication is not enabled by default for DNC communication. This vulnerability may allow an attacker to deny service on the production line, steal sensitive data from the production line, and alter any products created by the production line. Note: CNC machines running the TNC 640 controller require DNC to be enabled for DNC communication to be present. | |||||
| CVE-2025-45777 | 1 Abeltechsoft | 1 Chavara Matrimony | 2025-10-10 | N/A | 9.8 CRITICAL |
| An issue in the OTP mechanism of Chavara Family Welfare Centre Chavara Matrimony Site v2.0 allows attackers to bypass authentication via supplying a crafted request. | |||||