Export limit exceeded: 42958 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (8989 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59449 | 1 Yosmart | 1 Yolink Mqtt Broker | 2025-11-26 | 4.9 Medium |
| The YoSmart YoLink MQTT broker through 2025-10-02 does not enforce sufficient authorization controls to prevent cross-account attacks, allowing an attacker to remotely operate affected devices if the attacker obtains the associated device IDs. Because YoLink device IDs are predictable, an attacker can exploit this to gain full control over any other YoLink user's devices. | ||||
| CVE-2024-4566 | 2 Hasthemes, Wordpress | 2 Shoplentor, Wordpress | 2025-11-25 | 7.1 High |
| The ShopLentor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in all versions up to, and including, 2.8.8. This makes it possible for authenticated attackers, with contributor-level access and above, to set arbitrary WordPress options to "true". NOTE: This vulnerability can be exploited by attackers with subscriber- or customer-level access and above if (1) the WooCommerce plugin is deactivated or (2) access to the default WordPress admin dashboard is explicitly enabled for authenticated users. | ||||
| CVE-2025-6105 | 1 Jflyfox | 1 Jfinal Cms | 2025-11-25 | 4.3 Medium |
| A vulnerability has been found in jflyfox jfinal_cms 5.0.1 and classified as problematic. This vulnerability affects unknown code of the file HOME.java. The manipulation of the argument Logout leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-5410 | 1 Mist | 1 Mist | 2025-11-25 | 4.3 Medium |
| A vulnerability was found in Mist Community Edition up to 4.7.1. It has been declared as problematic. This vulnerability affects the function session_start_response of the file src/mist/api/auth/middleware.py. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The patch is identified as db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component. | ||||
| CVE-2025-10611 | 1 Wso2 | 10 Api Control Plane, Api Manager, Carbon and 7 more | 2025-11-21 | 9.8 Critical |
| Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certain REST APIs can be bypassed, allowing them to be invoked without proper validation. Successful exploitation of this vulnerability could lead to a malicious actor gaining administrative access and performing unauthenticated and unauthorized administrative operations. | ||||
| CVE-2025-64684 | 1 Jetbrains | 1 Youtrack | 2025-11-21 | 4.5 Medium |
| In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form | ||||
| CVE-2024-9671 | 1 Redhat | 2 3scale Api Management Platform, Red Hat 3scale Amp | 2025-11-20 | 5.3 Medium |
| A vulnerability was found in 3Scale. There is no auth mechanism to see a PDF invoice of a Developer user if the URL is known. Anyone can see the invoice if the URL is known or guessed. | ||||
| CVE-2024-2698 | 2 Freeipa, Redhat | 4 Freeipa, Enterprise Linux, Enterprise Linux Eus and 1 more | 2025-11-20 | 8.8 High |
| A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request. In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulting in this mechanism applies in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule. | ||||
| CVE-2023-5056 | 1 Redhat | 2 Enterprise Linux, Service Interconnect | 2025-11-20 | 6.8 Medium |
| A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview. | ||||
| CVE-2023-5356 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 7.3 High |
| Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integrations to execute slash commands as another user. | ||||
| CVE-2023-5198 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 4.3 Medium |
| An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys. | ||||
| CVE-2023-5009 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 9.6 Critical |
| An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This was a bypass of [CVE-2023-3932](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3932) showing additional impact. | ||||
| CVE-2023-4532 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 4.3 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of. | ||||
| CVE-2023-3979 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 3.1 Low |
| An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge request’s source branch. | ||||
| CVE-2023-3920 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 4.3 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork relationship between existing projects contrary to the documentation. | ||||
| CVE-2023-3511 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 2 Low |
| An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they're not a member of. | ||||
| CVE-2023-3509 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 3.7 Low |
| An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group. | ||||
| CVE-2023-3484 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 8 High |
| An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations. | ||||
| CVE-2023-2233 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 3.1 Low |
| An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects. | ||||
| CVE-2023-0120 | 1 Gitlab | 1 Gitlab | 2025-11-20 | 3.5 Low |
| An issue has been discovered in GitLab affecting all versions starting from 10.0 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to edit labels description by an unauthorised user. | ||||