Export limit exceeded: 328750 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (8989 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66736 | 1 Youlai | 1 Youlai-boot | 2026-01-06 | 7.1 High |
| youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The importUsers function in SysUserController.java does not perform a permission check on the current user's identity, which may allow regular users to import user data into the database, resulting in an authorization bypass vulnerability. | ||||
| CVE-2025-59683 | 1 Pexip | 2 Infinity, Pexip Infinity | 2026-01-05 | 8.2 High |
| Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources, leading to a denial of service. | ||||
| CVE-2025-66378 | 1 Pexip | 2 Infinity, Pexip Infinity | 2026-01-05 | 5.9 Medium |
| Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node. | ||||
| CVE-2025-14155 | 3 Elementor, Leap13, Wordpress | 4 Elementor, Premium Addons, Premium Addons For Elementor and 1 more | 2026-01-05 | 5.3 Medium |
| The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates. | ||||
| CVE-2025-58052 | 1 Galette | 1 Galette | 2026-01-05 | 8.1 High |
| Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group managers accounts. Version 1.2.0 fixes the issue. | ||||
| CVE-2025-14817 | 3 Google, Tecno, Transsion | 4 Android, Factory Mode App, Hios and 1 more | 2026-01-05 | 6.5 Medium |
| The component com.transsion.tranfacmode.entrance.main.MainActivity in com.transsion.tranfacmode has no permission control and can be accessed by third-party apps which can construct intents to directly open adb debugging functionality without user interaction. | ||||
| CVE-2025-2515 | 1 Eclipse | 1 Bluechi | 2026-01-05 | 7.2 High |
| A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege escalation, unauthorized service execution, and potential system compromise. | ||||
| CVE-2023-41656 | 3 Elementor, Wordpress, Wpdive | 3 Elementor, Wordpress, Better Addons For Elementor | 2026-01-05 | 5.4 Medium |
| Missing Authorization vulnerability in wpdive Better Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Elementor Addons: from n/a through 1.3.7. | ||||
| CVE-2025-14986 | 1 Temporal | 1 Temporal | 2026-01-05 | N/A |
| When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context. This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2. | ||||
| CVE-2025-14987 | 1 Temporal | 1 Temporal | 2026-01-05 | N/A |
| When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes RespondWorkflowTaskCompleted based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace. This issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2. | ||||
| CVE-2023-52642 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2026-01-05 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: media: rc: bpf attach/detach requires write permission Note that bpf attach/detach also requires CAP_NET_ADMIN. | ||||
| CVE-2019-25214 | 2 Shopwp, Wpshop | 2 Shopwp, Shopwp | 2026-01-02 | 7.2 High |
| The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to call the endpoints and perform unauthorized actions such as updating the plugin's settings and injecting malicious scripts. | ||||
| CVE-2025-68938 | 1 Gitea | 1 Gitea | 2026-01-02 | 4.3 Medium |
| Gitea before 1.25.2 mishandles authorization for deletion of releases. | ||||
| CVE-2025-68940 | 1 Gitea | 1 Gitea | 2026-01-02 | 3.1 Low |
| In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. | ||||
| CVE-2025-68941 | 1 Gitea | 1 Gitea | 2026-01-02 | 4.9 Medium |
| Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. | ||||
| CVE-2025-66022 | 2 Factionsecurity, Owasp | 2 Faction, Faction | 2026-01-02 | 9.7 Critical |
| FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1. | ||||
| CVE-2025-53922 | 1 Galette | 1 Galette | 2026-01-02 | 4.9 Medium |
| Galette is a membership management web application for non profit organizations. Starting in version 1.1.4 and prior to version 1.2.0, a user who is logged in as group manager may bypass intended restrictions on Contributions and Transactions. Version 1.2.0 fixes the issue. | ||||
| CVE-2025-15085 | 1 Youlai | 1 Youlai-mall | 2025-12-31 | 4.3 Medium |
| A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-13767 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-31 | 4.3 Medium |
| Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to. | ||||
| CVE-2025-64641 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-31 | 4.1 Medium |
| Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts | ||||