Total: 5249 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2025-43329 | Apple | Ipados, Iphone Os, Macos and 2 more | 2025-09-17 | N/A | 8.8 HIGH | A permissions issue was addressed with additional restrictions. This issue is fixed in watchOS 26, tvOS 26, macOS Tahoe 26, iOS 26 and iPadOS 26. An app may be able to break out of its sandbox. |
CVE-2025-43331 | Apple | Macos | 2025-09-17 | N/A | 4.0 MEDIUM | A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access protected user data. |
CVE-2025-43358 | Apple | Ipados, Iphone Os, Macos | 2025-09-17 | N/A | 8.8 HIGH | A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, iOS 18.7 and iPadOS 18.7, macOS Tahoe 26, iOS 26 and iPadOS 26. A shortcut may be able to bypass sandbox restrictions. |
CVE-2025-43341 | Apple | Macos | 2025-09-17 | N/A | 7.8 HIGH | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.8 and macOS Tahoe 26. An app may be able to gain root privileges. |
CVE-2025-43316 | Apple | Macos, Visionos | 2025-09-17 | N/A | 7.8 HIGH | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26 and visionOS 26. A malicious app may be able to gain root privileges. |
CVE-2025-43318 | Apple | Macos | 2025-09-17 | N/A | 6.2 MEDIUM | This issue was addressed with additional entitlement checks. This issue is fixed in macOS Tahoe 26. An app with root privileges may be able to access private information. |
CVE-2025-43311 | Apple | Macos | 2025-09-17 | N/A | 5.1 MEDIUM | This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8 and macOS Tahoe 26. An app may be able to access protected user data. |
CVE-2025-43286 | Apple | Macos | 2025-09-17 | N/A | 7.8 HIGH | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8 and macOS Tahoe 26. An app may be able to break out of its sandbox. |
CVE-2025-8807 | Tianti Project | Tianti | 2025-09-16 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2025-8446 | | | 2025-09-15 | N/A | 4.3 MEDIUM | The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability. |
CVE-2025-53640 | Cern | Indico | 2025-09-15 | N/A | 6.5 MEDIUM | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk. Version 3.3.7 fixes the issue. Owners of instances that allow everyone to create a user account, who wish to truly restrict access to these user details, should consider restricting user search to managers. As a workaround, it is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields that could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended. |
CVE-2025-43788 | | | 2025-09-15 | N/A | N/A | The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85, does not check user permission, which allows remote authenticated users to obtain a list of all organizations. |
CVE-2025-9076 | | | 2025-09-15 | N/A | 6.5 MEDIUM | Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled. |
CVE-2025-58795 | | | 2025-09-15 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in Payoneer Inc. Payoneer Checkout allows Content Spoofing. This issue affects Payoneer Checkout: from n/a through 3.4.0. |
CVE-2024-32466 | Tolgee | Tolgee | 2025-09-11 | N/A | 2.7 LOW | Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when the API key was missing the `translation.view` scope. However, it was impossible to fetch the data when the user was missing this scope, so this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2. |
CVE-2025-53825 | Dokploy | Dokploy | 2025-09-11 | N/A | 9.4 CRITICAL | Dokploy is a free, self-hostable Platform as a Service (PaaS). Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This exposes secrets and potentially enables remote code execution, putting all public Dokploy users using these preview deployments at risk. Version 0.24.3 contains a fix for the issue. |
CVE-2025-49829 | Cyberark | Conjur | 2025-09-11 | N/A | 6.5 MEDIUM | Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allow authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. |
CVE-2025-53348 | | | 2025-09-11 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Laborator Kalium. This issue affects Kalium: from n/a through 3.18.3. |
CVE-2025-39553 | | | 2025-09-11 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in andy_moyle Church Admin. This issue affects Church Admin: from n/a through 5.0.9. |
CVE-2025-39541 | | | 2025-09-11 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Roland Murg WP Simple Booking Calendar. This issue affects WP Simple Booking Calendar: from n/a through 2.0.13. |