Total
2288 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8807 | 1 Tianti Project | 1 Tianti | 2025-08-12 | 6.3 Medium |
| A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-41979 | 2025-08-12 | 7.1 High | ||
| A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not enforce mandatory authorization on some functionality level at server side. This could allow an authenticated attacker to gain complete access of the application. | ||||
| CVE-2025-55077 | 1 Tyler Technologies | 1 Erp Pro 9 Saas | 2025-08-12 | 7.4 High |
| Tyler Technologies ERP Pro 9 SaaS allows an authenticated user to escape the application and execute limited operating system commands within the remote Microsoft Windows environment with the privileges of the authenticated user. Tyler Technologies deployed hardened remote Windows environment settings to all ERP Pro 9 SaaS customer environments as of 2025-08-01. | ||||
| CVE-2025-42951 | 1 Sap | 1 Business One | 2025-08-12 | 8.8 High |
| Due to broken authorization, SAP Business One (SLD) allows an authenticated attacker to gain administrator privileges of a database by invoking the corresponding API.�As a result , it has a high impact on the confidentiality, integrity, and availability of the application. | ||||
| CVE-2025-8796 | 1 Litmus Project | 1 Litmus | 2025-08-12 | 5.4 Medium |
| A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/delete_project/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-54888 | 1 Fedify Project | 1 Fedify | 2025-08-12 | N/A |
| Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9 and 1.8.5. | ||||
| CVE-2025-3879 | 1 Hashicorp | 2 Vault, Vault Enterprise | 2025-08-12 | 6.6 Medium |
| Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18. | ||||
| CVE-2025-5071 | 1 Meowapps | 1 Ai Engine | 2025-08-11 | 8.8 High |
| The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like 'wp_create_user', 'wp_update_user' and 'wp_update_option', which can be used for privilege escalation, and 'wp_update_post', 'wp_delete_post', 'wp_update_comment' and 'wp_delete_comment', which can be used to edit and delete posts and comments. | ||||
| CVE-2025-21450 | 1 Qualcomm | 217 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 214 more | 2025-08-11 | 9.1 Critical |
| Cryptographic issue occurs due to use of insecure connection method while downloading. | ||||
| CVE-2025-26526 | 1 Moodle | 1 Moodle | 2025-08-08 | 6.5 Medium |
| Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities. | ||||
| CVE-2025-0765 | 1 Gitlab | 1 Gitlab | 2025-08-08 | 4.3 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an unauthorized user to access custom service desk email addresses. | ||||
| CVE-2025-0652 | 1 Gitlab | 1 Gitlab | 2025-08-08 | 4.3 Medium |
| An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for internal use only. | ||||
| CVE-2025-8533 | 1 Flexibits | 1 Fantastical | 2025-08-07 | N/A |
| A vulnerability was identified in the XPC services of Fantastical. The services failed to implement proper client authorization checks in its listener:shouldAcceptNewConnection method, unconditionally accepting requests from any local process. As a result, any local, unprivileged process could connect to the XPC service and access its methods. This issue has been resolved in version 4.0.16. | ||||
| CVE-2024-31409 | 1 Cyberpower | 2 Powerpanel, Powerpanel Business | 2025-08-07 | 6.5 Medium |
| Certain MQTT wildcards are not blocked on the CyberPower PowerPanel system, which might result in an attacker obtaining data from throughout the system after gaining access to any device. | ||||
| CVE-2025-20332 | 1 Cisco | 1 Identity Services Engine Software | 2025-08-07 | 4.3 Medium |
| A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. This vulnerability is due to the lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to modify descriptions of files on a specific page. To exploit this vulnerability, an attacker would need valid read-only Administrator credentials. | ||||
| CVE-2025-26531 | 1 Moodle | 1 Moodle | 2025-08-07 | 3.1 Low |
| Insufficient capability checks made it possible to disable badges a user does not have permission to access. | ||||
| CVE-2025-26532 | 1 Moodle | 1 Moodle | 2025-08-06 | 3.1 Low |
| Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored. | ||||
| CVE-2025-0781 | 2 Debian, Flightgear | 2 Debian Linux, Simgear | 2025-08-06 | 8.6 High |
| An attacker can bypass the sandboxing of Nasal scripts and arbitrarily write to any file path that the user has permission to modify at the operating-system level. | ||||
| CVE-2025-0516 | 1 Gitlab | 1 Gitlab | 2025-08-06 | 4.3 Medium |
| Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data. | ||||
| CVE-2024-7296 | 1 Gitlab | 1 Gitlab | 2025-08-06 | 2.7 Low |
| An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users. | ||||