Total
2444 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-39955 | 3 Debian, Fedoraproject, Owasp | 3 Debian Linux, Fedora, Owasp Modsecurity Core Rule Set | 2025-11-03 | 7.3 High |
| The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. | ||||
| CVE-2025-43307 | 1 Apple | 1 Macos | 2025-11-03 | 4 Medium |
| This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data. | ||||
| CVE-2025-59420 | 1 Authlib | 1 Authlib | 2025-11-03 | 7.5 High |
| Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4. | ||||
| CVE-2023-38035 | 1 Ivanti | 1 Mobileiron Sentry | 2025-10-31 | 9.8 Critical |
| A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration. | ||||
| CVE-2025-62651 | 2 Rbi, Restaurant Brands International | 2 Restaurant Brands International Assistant, Assistant Platform | 2025-10-31 | 6.5 Medium |
| The Restaurant Brands International (RBI) assistant platform through 2025-09-06 does not implement access control for the bathroom rating interface. | ||||
| CVE-2025-62647 | 2 Rbi, Restaurant Brands International | 2 Restaurant Brands International Assistant, Assistant Platform | 2025-10-31 | 5 Medium |
| The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path. | ||||
| CVE-2025-62648 | 2 Rbi, Restaurant Brands International | 2 Restaurant Brands International Assistant, Assistant Platform | 2025-10-31 | 6.4 Medium |
| The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to adjust Drive Thru speaker audio volume. | ||||
| CVE-2022-41091 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2025-10-30 | 5.4 Medium |
| Windows Mark of the Web Security Feature Bypass Vulnerability | ||||
| CVE-2023-21715 | 1 Microsoft | 1 365 Apps | 2025-10-30 | 7.3 High |
| Microsoft Publisher Security Feature Bypass Vulnerability | ||||
| CVE-2024-47876 | 2 Sakailms, Sakaiproject | 2 Sakai, Sakai | 2025-10-30 | 8.8 High |
| Sakai is a Collaboration and Learning Environment. Starting in version 23.0 and prior to version 23.2, kernel users created with type roleview can log in as a normal user. This can result in illegal access being granted to the system. Version 23.3 fixes this vulnerability. | ||||
| CVE-2024-53553 | 1 Opexustech | 1 Foiaxpress Public Access Link | 2025-10-29 | 9.1 Critical |
| An issue in OPEXUS FOIAXPRESS PUBLIC ACCESS LINK v11.1.0 allows attackers to bypass authentication via crafted web requests. | ||||
| CVE-2025-11971 | 1 Gitlab | 1 Gitlab | 2025-10-28 | 6.5 Medium |
| GitLab has remediated an issue in GitLab EE affecting all versions from 10.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to trigger unauthorized pipeline executions by manipulating commits. | ||||
| CVE-2023-20269 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense | 2025-10-28 | 5 Medium |
| A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following: Identify valid credentials that could then be used to establish an unauthorized remote access VPN session. Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier). Notes: Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured. This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured. Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability. | ||||
| CVE-2021-3493 | 1 Canonical | 1 Ubuntu Linux | 2025-10-28 | 8.8 High |
| The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges. | ||||
| CVE-2025-21479 | 1 Qualcomm | 150 Aqt1000, Aqt1000 Firmware, Fastconnect 6200 and 147 more | 2025-10-28 | 8.6 High |
| Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands. | ||||
| CVE-2025-21480 | 1 Qualcomm | 152 Aqt1000, Aqt1000 Firmware, Fastconnect 6200 and 149 more | 2025-10-28 | 8.6 High |
| Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands. | ||||
| CVE-2025-11888 | 4 Elementor, Roxnor, Woocommerce and 1 more | 4 Elementor, Shopengine Elementor Woocommerce Builder Addon, Woocommerce and 1 more | 2025-10-27 | 2.7 Low |
| The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses. | ||||
| CVE-2025-11581 | 1 Powerjob | 1 Powerjob | 2025-10-27 | 5.3 Medium |
| A security vulnerability has been detected in PowerJob up to 5.1.2. This vulnerability affects unknown code of the file /openApi/runJob of the component OpenAPIController. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-11580 | 1 Powerjob | 1 Powerjob | 2025-10-27 | 5.3 Medium |
| A weakness has been identified in PowerJob up to 5.1.2. This affects the function list of the file /user/list. This manipulation causes missing authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2019-7192 | 1 Qnap | 2 Photo Station, Qts | 2025-10-27 | 9.8 Critical |
| This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions. | ||||