Total
379 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66204 | 1 Wbce | 1 Wbce Cms | 2025-12-11 | 8.1 High |
| WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5. | ||||
| CVE-2024-38092 | 1 Microsoft | 1 Azure Cyclecloud | 2025-12-09 | 8.8 High |
| Azure CycleCloud Elevation of Privilege Vulnerability | ||||
| CVE-2024-38070 | 1 Microsoft | 20 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 17 more | 2025-12-09 | 7.8 High |
| Windows LockDown Policy (WLDP) Security Feature Bypass Vulnerability | ||||
| CVE-2024-38058 | 1 Microsoft | 20 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 17 more | 2025-12-09 | 6.8 Medium |
| BitLocker Security Feature Bypass Vulnerability | ||||
| CVE-2025-62453 | 2 Github, Microsoft | 2 Copilot, Visual Studio Code | 2025-12-09 | 5 Medium |
| Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2025-34413 | 2025-12-09 | N/A | ||
| Legality WHISTLEBLOWING by DigitalPA contains a protection mechanism failure in which critical HTTP security headers are not emitted by default. Affected deployments omit Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy (with CSP delivered via HTML meta elements being inadequate). The absence of these headers weakens browser-side defenses and increases exposure to client-side attacks such as cross-site scripting, clickjacking, referer leakage, and cross-origin data disclosure. | ||||
| CVE-2025-66479 | 1 Anthropic | 1 Sandbox-runtime | 2025-12-08 | N/A |
| Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a network sandbox if the sandbox policy did not configure any allowed domains. This could allow sandboxed code to make network requests outside of the sandbox. A patch for this was released in v0.0.16. | ||||
| CVE-2025-64763 | 1 Envoyproxy | 1 Envoy | 2025-12-05 | 3.7 Low |
| Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel. | ||||
| CVE-2025-29864 | 2 Estsoft, Microsoft | 2 Alzip, Windows | 2025-12-04 | N/A |
| Protection Mechanism Failure vulnerability in ESTsoft ALZip on Windows allows SmartScreen bypass.This issue affects ALZip: from 12.01 before 12.29. | ||||
| CVE-2025-46553 | 1 Misskey | 1 Summaly | 2025-12-01 | 6.1 Medium |
| @misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn't enforced. Misskey will follow redirects, despite explicitly requesting not to. Version 5.2.1 contains a patch for the issue. | ||||
| CVE-2025-24848 | 1 Intel | 2 Cip Software, Computing Improvement Program | 2025-11-26 | 6.3 Medium |
| Protection mechanism failure for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | ||||
| CVE-2025-24834 | 1 Intel | 2 Cip Software, Computing Improvement Program | 2025-11-26 | 6.5 Medium |
| Protection mechanism failure for some Intel(R) CIP software before version WIN_DCA_2.4.0.11001 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via adjacent access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | ||||
| CVE-2025-65100 | 1 Ilbers | 1 Isar | 2025-11-24 | N/A |
| Isar is an integration system for automated root filesystem generation. In versions 0.11-rc1 and 0.11, defining ISAR_APT_SNAPSHOT_DATE alone does not set the correct timestamp value for security distribution, leading to missed security updates. This issue has been patched via commit 738bcbb. | ||||
| CVE-2025-12906 | 1 Google | 1 Chrome | 2025-11-21 | 5.4 Medium |
| Inappropriate implementation in Permissions in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2025-12909 | 1 Google | 1 Chrome | 2025-11-21 | 5.3 Medium |
| Insufficient policy enforcement in Devtools in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to leak cross-origin data via Devtools. (Chromium security severity: Low) | ||||
| CVE-2025-54917 | 1 Microsoft | 28 Windows, Windows 10, Windows 10 1507 and 25 more | 2025-11-20 | 4.3 Medium |
| Protection mechanism failure in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network. | ||||
| CVE-2024-11734 | 1 Redhat | 3 Build Keycloak, Jboss Enterprise Application Platform, Jbosseapxp | 2025-11-20 | 6.5 Medium |
| A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request. | ||||
| CVE-2023-5557 | 2 Gnome, Redhat | 6 Tracker Miners, Enterprise Linux, Rhel Aus and 3 more | 2025-11-20 | 7.5 High |
| A flaw was found in the tracker-miners package. A weakness in the sandbox allows a maliciously-crafted file to execute code outside the sandbox if the tracker-extract process has first been compromised by a separate vulnerability. | ||||
| CVE-2025-55886 | 1 Ard | 1 Ard | 2025-11-17 | 6.5 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ARD. The flaw exists in the `fe_uid` parameter of the payment history API endpoint. An authenticated attacker can manipulate this parameter to access the payment history of other users without authorization. | ||||
| CVE-2025-59033 | 1 Microsoft | 7 Windows, Windows 10, Windows 11 and 4 more | 2025-11-17 | 7.4 High |
| The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. Entries that specify only the to-be-signed (TBS) part of the code signer certificate are properly blocked, but entries that specify the signing certificate's TBS hash along with a 'FileAttribRef' qualifier (such as file name or version) may not be blocked, whether hypervisor-protected code integrity (HVCI) is enabled or not. NOTE: The vendor disputes this CVE ID assignment and states that the driver blocklist is intended for use with HVCI. | ||||