Total
2144 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-25108 | 1 Pixelfed | 1 Pixelfed | 2025-05-07 | 9.9 Critical |
| Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative and moderator functionality of the Pixelfed server. This vulnerability affects every version of Pixelfed between v0.10.4 and v0.11.9, inclusive. A proof of concept of this vulnerability exists. This vulnerability affects every local user of a Pixelfed server, and can potentially affect the servers' ability to federate. Some user interaction is required to setup the conditions to be able to exercise the vulnerability, but the attacker could conduct this attack time-delayed manner, where user interaction is not actively required. This vulnerability has been addressed in version 0.11.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-23833 | 1 Openrefine | 1 Openrefine | 2025-05-07 | 7.5 High |
| OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-3272 | 2025-05-07 | N/A | ||
| Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allow authenticated users to change their password without providing their old password. This issue affects Operations Bridge Manager: 24.2, 24.4. | ||||
| CVE-2025-3476 | 2025-05-07 | N/A | ||
| Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allows privilege escalation by authenticated users.This issue affects Operations Bridge Manager: 2023.05, 23.4, 24.2, 24.4. | ||||
| CVE-2024-56431 | 1 Xiph | 1 Theora | 2025-05-07 | 9.8 Critical |
| oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 7180717 has an invalid negative left shift. NOTE: this is disputed by third parties because there is no evidence of a security impact, e.g., an application would not crash. | ||||
| CVE-2024-25652 | 2 Delinea, Delinea Pam | 2 Secret Server, Secret Server | 2025-05-07 | 9.8 Critical |
| In Delinea PAM Secret Server 11.4, it is possible for a user (with access to the Report functionality) to gain unauthorized access to remote sessions created by legitimate users. | ||||
| CVE-2024-2557 | 1 Kishor-23 | 1 Food Waste Management System | 2025-05-07 | 5.3 Medium |
| A vulnerability was found in kishor-23 Food Waste Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/admin.php. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257056. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3609 | 2025-05-07 | 5.3 Medium | ||
| The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation. | ||||
| CVE-2024-37002 | 1 Autodesk | 10 Advance Steel, Autocad, Autocad Advance Steel and 7 more | 2025-05-06 | 7.8 High |
| A maliciously crafted MODEL file, when parsed in ASMkern229A.dllthrough Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process. | ||||
| CVE-2023-6036 | 1 Miniorange | 1 Web3 - Crypto Wallet Login \& Nft Token Gating | 2025-05-06 | 9.8 Critical |
| The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username. | ||||
| CVE-2022-31692 | 3 Netapp, Redhat, Vmware | 4 Active Iq Unified Manager, Jboss Fuse, Openshift and 1 more | 2025-05-06 | 9.8 Critical |
| Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint.The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true) | ||||
| CVE-2025-3879 | 2025-05-05 | 6.6 Medium | ||
| Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18. | ||||
| CVE-2022-42788 | 1 Apple | 1 Macos | 2025-05-05 | 5.5 Medium |
| A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in macOS Ventura 13. A malicious application may be able to read sensitive location information. | ||||
| CVE-2022-22967 | 1 Saltstack | 1 Salt | 2025-05-05 | 8.8 High |
| An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth. | ||||
| CVE-2021-37409 | 1 Intel | 26 Killer Ac 1550, Killer Ac 1550 Firmware, Killer Wi-fi 6 Ax1650 and 23 more | 2025-05-05 | 7.8 High |
| Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2021-38312 | 1 Redux | 1 Gutenberg Template Library \& Redux Framework | 2025-05-05 | 7.1 High |
| The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress used an incorrect authorization check in the REST API endpoints registered under the “redux/v1/templates/” REST Route in “redux-templates/classes/class-api.php”. The `permissions_callback` used in this file only checked for the `edit_posts` capability which is granted to lower-privileged users such as contributors, allowing such users to install arbitrary plugins from the WordPress repository and edit arbitrary posts. | ||||
| CVE-2023-3920 | 1 Gitlab | 1 Gitlab | 2025-05-05 | 4.3 Medium |
| An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork relationship between existing projects contrary to the documentation. | ||||
| CVE-2023-3444 | 1 Gitlab | 1 Gitlab | 2025-05-05 | 5.7 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches. | ||||
| CVE-2025-21691 | 2025-05-04 | 7.1 High | ||
| In the Linux kernel, the following vulnerability has been resolved: cachestat: fix page cache statistics permission checking When the 'cachestat()' system call was added in commit cf264e1329fb ("cachestat: implement cachestat syscall"), it was meant to be a much more convenient (and performant) version of mincore() that didn't need mapping things into the user virtual address space in order to work. But it ended up missing the "check for writability or ownership" fix for mincore(), done in commit 134fca9063ad ("mm/mincore.c: make mincore() more conservative"). This just adds equivalent logic to 'cachestat()', modified for the file context (rather than vma). | ||||
| CVE-2024-57683 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 4.3 Medium |
| An access control issue in the component websURLFilterAddDel of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the filter settings of the device via a crafted POST request. | ||||