Total: 1614 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2025-53789 | | | 2025-08-13 | 7.8 High | Missing authentication for critical function in Windows StateRepository API allows an authorized attacker to elevate privileges locally. |
CVE-2025-54864 | 1 Nixos | 1 Hydra | 2025-08-12 | N/A | Hydra is a continuous integration service for Nix-based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication, even though both forges support HMAC signing of the webhook payload with a shared secret. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, so an unauthenticated caller can mount a denial-of-service attack against the host running the evaluator. This issue has been patched by commit f7bda02. A workaround is to block /api/push-github and /api/push-gitea at a reverse proxy. |
CVE-2025-41686 | | | 2025-08-12 | 7.8 High | A low-privileged local attacker can exploit improper permissions on nssm.exe to escalate their privileges and gain administrative access. |
CVE-2025-1754 | 1 Gitlab | 1 Gitlab | 2025-08-12 | 5.3 Medium | An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage. |
CVE-2025-54478 | 1 Mattermost | 1 Mattermost | 2025-08-12 | 7.2 High | Mattermost Confluence Plugin versions before 1.5.0 fail to enforce authentication of the user to the Mattermost instance, which allows unauthenticated attackers to edit channel subscriptions via an API call to the edit channel subscription endpoint. |
CVE-2025-53191 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2025-08-12 | 7.7 High | Missing Authentication for Critical Function vulnerability in ABB Aspect. This issue affects Aspect versions before 3.08.04-s01. |
CVE-2025-44004 | 1 Mattermost | 1 Mattermost | 2025-08-12 | 7.2 High | Mattermost Confluence Plugin versions before 1.5.0 fail to check the authorization of the user to the Mattermost instance, which allows attackers to create a channel subscription without proper authorization via an API call to the create channel subscription endpoint. |
CVE-2025-7677 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2025-08-12 | 5.1 Medium | Missing Authentication for Critical Function vulnerability in ABB Aspect. This issue affects Aspect: all versions. |
CVE-2025-7679 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2025-08-12 | 7.4 High | Missing Authentication for Critical Function vulnerability in ABB Aspect. This issue affects Aspect: all versions. |
CVE-2025-8284 | 1 Packet Power | 2 Eg, Emx | 2025-08-12 | 9.8 Critical | By default, the Packet Power Monitoring and Control Web Interface does not enforce any authentication mechanism. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions. |
CVE-2025-5095 | 1 Burk | 1 Arc Solo | 2025-08-12 | 9.8 Critical | Burk Technology ARC Solo's password change mechanism can be used without proper authentication, allowing an attacker to take over the device. A password change request can be sent directly to the device's HTTP endpoint without providing valid credentials. The system does not enforce authentication or session validation, so the password change proceeds without the request's legitimacy being verified. |
CVE-2025-8279 | 1 Gitlab | 2 Gitlab-language-server, Language Server | 2025-08-11 | 8.7 High | Insufficient input validation within GitLab Language Server 7.6.0 and later before 7.30.0 allows arbitrary GraphQL query execution. |
CVE-2023-42121 | 2 Control-webpanel, Control Web Panel | 2 Webpanel, Control Web Panel | 2025-08-09 | N/A | Control Web Panel Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Control Web Panel. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of authentication within the web interface. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of a valid CWP user. Was ZDI-CAN-20582. |
CVE-2023-41183 | 1 Netgear | 2 Rbr760, Rbr760 Firmware | 2025-08-08 | N/A | NETGEAR Orbi 760 SOAP API Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR Orbi 760 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the SOAP API. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-20524. |
CVE-2023-44413 | 2 D-link, Dlink | 2 D-view, D-view 8 | 2025-08-07 | 7.5 High | D-Link D-View shutdown_coreserver Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the shutdown_coreserver action. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-19572. |
CVE-2025-6226 | 1 Mattermost | 1 Mattermost | 2025-08-07 | 6.5 Medium | Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID, which allows an authenticated user to read posts in private channels they don't have access to by guessing the PendingPostID of recently created posts. |
CVE-2012-10030 | 1 Freefloat | 1 Ftp Server | 2025-08-06 | N/A | FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, defaults user access to the root of the C:\ drive, and imposes no restrictions on file type or destination path. These conditions enable attackers to upload executable payloads and .mof files to locations such as system32 and wbem\mof, where Windows Management Instrumentation (WMI) automatically processes and executes them. This results in remote code execution with SYSTEM-level privileges, without requiring user interaction. |
CVE-2014-125113 | 1 Quest | 1 Kace Systems Management Appliance | 2025-08-06 | N/A | An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance versions 5.0 - 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 in the download_agent.php endpoint. An attacker can upload arbitrary PHP files to a temporary web-accessible directory, which are later executed through inclusion in backend code that loads files under attacker-controlled paths. |
CVE-2023-37325 | 2 D-link, Dlink | 3 Dap-2622, Dap-2622, Dap-2622 Firmware | 2025-08-06 | N/A | D-Link DAP-2622 DDP Set SSID List Missing Authentication Vulnerability. This vulnerability allows network-adjacent attackers to make unauthorized changes to device configuration on affected installations of D-Link DAP-2622 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DDP service. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to manipulate wireless authentication settings. Was ZDI-CAN-20104. |
CVE-2025-48814 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2025-08-05 | 7.5 High | Missing authentication for critical function in Windows Remote Desktop Licensing Service allows an unauthorized attacker to bypass a security feature over a network. |
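Two entries above describe the same pattern from different angles: the Hydra entry (CVE-2025-54864), where forge-triggered push endpoints were reachable without checking the HMAC the forge already attaches, and the ARC Solo entry (CVE-2025-5095), where a password-change endpoint accepted requests with no session or credential check. The example below is added here and is not code from Hydra, Burk Technology or any project on this page. It sketches a minimal service with both kinds of endpoint: the webhook routes are gated on an HMAC-SHA256 signature over the raw body (the header names X-Hub-Signature-256 with a "sha256=" prefix for GitHub and X-Gitea-Signature for Gitea, and the shared secret, are assumptions of the example), and the password route requires a valid session for the same account plus the current password. A deliberately vulnerable variant of the password handler is kept alongside the hardened one to show the missing checks. Request, Service and the sample payload are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    form: dict = field(default_factory=dict)


def forge_signature(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw payload. Assumption: this is what GitHub
    sends after 'sha256=' in X-Hub-Signature-256 and what Gitea sends in
    X-Gitea-Signature."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_forge_signature(req: Request, secret: bytes) -> bool:
    """Accept a push only if the forge's signature over the body checks out."""
    sig = req.headers.get("X-Hub-Signature-256") or req.headers.get("X-Gitea-Signature")
    if not sig:
        return False  # unsigned call: treat as unauthenticated
    if sig.startswith("sha256="):
        sig = sig[len("sha256="):]
    # Constant-time compare; a plain == would leak the digest byte by byte.
    return hmac.compare_digest(sig, forge_signature(secret, req.body))


class Service:
    def __init__(self, webhook_secret: bytes):
        self.webhook_secret = webhook_secret
        self.sessions = {}     # session token -> username
        self.passwords = {}    # username -> password (plaintext only to keep the example short)
        self.evaluations = 0   # how many (expensive) evaluations were queued

    def current_user(self, req: Request):
        cookie = req.headers.get("Cookie", "")
        token = cookie[len("session="):] if cookie.startswith("session=") else ""
        return self.sessions.get(token)

    # Forge-triggered endpoint (the Hydra entry): gate on the HMAC, not on
    # HTTP Basic auth the forge never sends.
    def push(self, req: Request) -> int:
        if not verify_forge_signature(req, self.webhook_secret):
            return 401
        self.evaluations += 1  # an evaluation would be queued here
        return 202

    # User-driven endpoint (the ARC Solo entry), vulnerable form: no session,
    # no current password, so anyone who can reach it takes over the account.
    def change_password_vulnerable(self, req: Request) -> int:
        self.passwords[req.form["user"]] = req.form["new_password"]
        return 200

    # Hardened form: the caller must hold a session for this account and
    # prove knowledge of the current password before it is replaced.
    def change_password(self, req: Request) -> int:
        user = self.current_user(req)
        if user is None or user != req.form.get("user"):
            return 401  # not logged in, or logged in as someone else
        if not hmac.compare_digest(req.form.get("current_password", ""), self.passwords[user]):
            return 403  # valid session but wrong current password
        self.passwords[user] = req.form["new_password"]
        return 200

    def handle(self, req: Request) -> int:
        routes = {
            "/api/push-github": self.push,
            "/api/push-gitea": self.push,
            "/api/change-password": self.change_password,
        }
        handler = routes.get(req.path)
        return handler(req) if handler else 404


if __name__ == "__main__":
    svc = Service(b"example-forge-secret")
    body = b'{"ref": "refs/heads/main"}'  # constructed sample payload
    signed = Request("/api/push-github",
                     {"X-Hub-Signature-256": "sha256=" + forge_signature(svc.webhook_secret, body)},
                     body)
    print("signed push:", svc.handle(signed))
    print("unsigned push:", svc.handle(Request("/api/push-github", {}, body)))
```

The reverse-proxy workaround named in the Hydra entry drops the two routes entirely; the signature check keeps them usable while still rejecting anyone who does not hold the forge's secret, and a tampered body fails the check even if the header is replayed from a genuine delivery.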