Total
5584 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9029 | 2025-10-06 | N/A | 4.3 MEDIUM | ||
| The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services. | |||||
| CVE-2025-11228 | 2025-10-06 | N/A | 5.3 MEDIUM | ||
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign. | |||||
| CVE-2025-9243 | 2025-10-06 | N/A | 8.1 HIGH | ||
| The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status. | |||||
| CVE-2025-57971 | 2025-10-04 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in SALESmanago SALESmanago & Leadoo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SALESmanago & Leadoo: from n/a through 3.8.1. | |||||
| CVE-2025-11051 | 1 Mayurik | 1 Pet Grooming Management Software | 2025-10-03 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. | |||||
| CVE-2024-47055 | 1 Acquia | 1 Mautic | 2025-10-03 | N/A | 4.3 MEDIUM |
| SummaryThis advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows any authenticated user to clone segments without proper authorization checks. Insecure Direct Object Reference (IDOR) / Missing Authorization: A missing authorization vulnerability exists in the cloneAction of the segment management. This allows an authenticated user to bypass intended permission restrictions and clone segments even if they lack the necessary permissions to create new ones. MitigationUpdate Mautic to a version that implements proper authorization checks for the cloneAction within the ListController.php. Ensure that users attempting to clone segments possess the appropriate creation permissions. | |||||
| CVE-2024-52554 | 1 Jenkins | 1 Shared Library Version Override | 2025-10-03 | N/A | 8.8 HIGH |
| Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection. | |||||
| CVE-2025-1745 | 1 Pb-cms Project | 1 Pb-cms | 2025-10-03 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in LinZhaoguan pb-cms 2.0 and classified as problematic. This vulnerability affects unknown code of the component Logout. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-24403 | 1 Jenkins | 1 Azure Service Fabric | 2025-10-03 | N/A | 4.3 MEDIUM |
| A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. | |||||
| CVE-2024-42434 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2025-10-02 | N/A | 4.9 MEDIUM |
| Missing authorization in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access. | |||||
| CVE-2024-39824 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2025-10-02 | N/A | 4.9 MEDIUM |
| Missing authorization in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access. | |||||
| CVE-2024-39823 | 1 Zoom | 6 Meeting Software Development Kit, Rooms, Rooms Controller and 3 more | 2025-10-02 | N/A | 4.9 MEDIUM |
| Missing authorization in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access. | |||||
| CVE-2020-36852 | 2025-10-02 | N/A | 9.1 CRITICAL | ||
| The Custom Searchable Data Entry System plugin for WordPress is vulnerable to unauthenticated database wiping in versions up to, and including 1.7.1, due to a missing capability check and lack of sufficient validation on the ghazale_sds_delete_entries_table_row() function. This makes it possible for unauthenticated attackers to completely wipe database tables such as wp_users. | |||||
| CVE-2025-40837 | 1 Ericsson | 2 Indoor Connect 8855, Indoor Connect 8855 Firmware | 2025-10-02 | N/A | 8.8 HIGH |
| Ericsson Indoor Connect 8855 contains a missing authorization vulnerability which if exploited can allow access to the system as a user with higher privileges than intended. | |||||
| CVE-2025-46745 | 2025-10-02 | N/A | 6.5 MEDIUM | ||
| An authenticated user without user-management permissions could view other users account information. | |||||
| CVE-2025-5692 | 1 Smackcoders | 1 Lead Form Data Collection To Crm | 2025-09-30 | N/A | 6.3 MEDIUM |
| The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates. | |||||
| CVE-2021-39810 | 1 Google | 1 Android | 2025-09-30 | N/A | 7.8 HIGH |
| In verifyDefaults of CardEmulationManager.java, there is a possible way to set a third party app as the default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2024-50052 | 1 Mattermost | 1 Mattermost Server | 2025-09-29 | N/A | 4.3 MEDIUM |
| Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post. | |||||
| CVE-2025-53374 | 1 Dokploy | 1 Dokploy | 2025-09-29 | N/A | 4.3 MEDIUM |
| Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated low-privileged account can retrieve detailed profile information about another users in the same organization by directly invoking user.one. The response discloses personally-identifiable information (PII) such as e-mail address, role, two-factor status, organization ID, and various account flags. The fix will be available in the v0.23.7. | |||||
| CVE-2025-10871 | 1 Gitlab | 1 Gitlab | 2025-09-29 | N/A | 3.8 LOW |
| An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Project Maintainers can exploit a vulnerability where they can assign custom roles to users with permissions exceeding their own, effectively granting themselves elevated privileges. | |||||