Total
4336 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-57213 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | 7.5 High |
| Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | ||||
| CVE-2025-57212 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | 7.5 High |
| Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | ||||
| CVE-2025-57210 | 1 Fuyang Lipengjun | 1 Platform | 2025-12-05 | 7.5 High |
| Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors. | ||||
| CVE-2025-46608 | 1 Dell | 1 Data Lakehouse | 2025-12-05 | 9.1 Critical |
| Dell Data Lakehouse, versions prior to 1.6.0.0, contain(s) an Improper Access Control vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. This vulnerability is considered Critical, as it may result in unauthorized access with elevated privileges, compromising system integrity and customer data. Dell recommends customers upgrade to the latest version at the earliest opportunity. | ||||
| CVE-2025-54338 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-12-05 | 7.5 High |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to disclose user hashes. | ||||
| CVE-2025-54563 | 1 Desktopalert | 2 Pingalert, Pingalert Application Server | 2025-12-05 | 7.5 High |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Incorrect Access Control, leading to Remote Information Disclosure. | ||||
| CVE-2025-63681 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2025-12-05 | 4.3 Medium |
| open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks. | ||||
| CVE-2025-57489 | 2 Shirt-pocket, Shirt Pocket | 2 Superduper\!, Superduper | 2025-12-05 | 8.1 High |
| Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary. | ||||
| CVE-2025-65841 | 2 Acusticaudio, Apple | 2 Aquarius Desktop, Macos | 2025-12-05 | 6.2 Medium |
| Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through predictable byte-substitution that can be trivially reversed, allowing immediate recovery of the plaintext value. Any attacker who can read this settings file can fully compromise the victim's Aquarius account by importing the stolen configuration into their own client or login through the vendor website. This results in complete account takeover, unauthorized access to cloud-synchronized data, and the ability to perform authenticated actions as the user. | ||||
| CVE-2025-55469 | 1 Youlai | 1 Youlai-boot | 2025-12-05 | 9.8 Critical |
| Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend. | ||||
| CVE-2025-55471 | 1 Youlai | 1 Youlai-boot | 2025-12-05 | 7.5 High |
| Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users. | ||||
| CVE-2025-66028 | 2 Hackerbay, Oneuptime | 2 Oneuptime, Oneuptime | 2025-12-05 | 8.2 High |
| OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567. | ||||
| CVE-2025-6680 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2025-12-05 | 4.3 Medium |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information. | ||||
| CVE-2025-14083 | 2025-12-05 | 2.7 Low | ||
| No description is available for this CVE. | ||||
| CVE-2025-64715 | 1 Cilium | 1 Cilium | 2025-12-04 | 4 Medium |
| Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.16.17, 1.17.10, and 1.18.4, CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended. This issue has been patched in versions 1.16.17, 1.17.10, and 1.18.4. There are no workarounds for this issue. | ||||
| CVE-2025-56396 | 1 Ruoyi | 1 Ruoyi | 2025-12-04 | 8.8 High |
| An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user. | ||||
| CVE-2025-46174 | 1 Ruoyi | 1 Ruoyi | 2025-12-04 | 7.5 High |
| Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java. | ||||
| CVE-2025-62509 | 1 Filerise | 2 Filerise, Filrise | 2025-12-04 | 8.1 High |
| FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRise’s file/folder handling allows low-privilege users to perform unauthorized operations (view/delete/modify) on files created by other users. The root cause was inferring ownership/visibility from folder names (e.g., a folder named after a username) and missing server-side authorization/ownership checks across file operation endpoints. This amounted to an IDOR pattern: an attacker could operate on resources identified only by predictable names. This issue has been patched in version 1.4.0 and further hardened in version 1.5.0. A workaround for this issue involves restricting non-admin users to read-only or disable delete/rename APIs server-side, avoid creating top-level folders named after other usernames, and adding server-side checks that verify ownership before delete/rename/move. | ||||
| CVE-2025-62510 | 1 Filerise | 1 Filerise | 2025-12-04 | 8.1 High |
| FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In version 1.4.0, a regression allowed folder visibility/ownership to be inferred from folder names. Low-privilege users could see or interact with folders matching their username and, in some cases, other users’ content. This issue has been patched in version 1.5.0, where it introduces explicit per-folder ACLs (owners/read/write/share/read_own) and strict server-side checks across list, read, write, share, rename, copy/move, zip, and WebDAV paths. | ||||
| CVE-2025-37155 | 1 Hpe | 1 Arubaos-cx | 2025-12-04 | 7.8 High |
| A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system. | ||||