Total
7753 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13643 | 1 Mongodb | 1 Mongodb | 2025-12-11 | 3.1 Low |
| A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior to 8.0.14 | ||||
| CVE-2025-62247 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-11 | 6.5 Medium |
| Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows instance users to read and select unauthorized Blueprints through the Collection Providers across instances. | ||||
| CVE-2025-48600 | 1 Google | 1 Android | 2025-12-09 | 5.5 Medium |
| In multiple files, there is a possible way to reveal information across users due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-48608 | 1 Google | 1 Android | 2025-12-08 | 5.5 Medium |
| In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-5317 | 2 Apple, Bitdefender | 3 Macos, Endpoint Security, Endpoint Security Tools | 2025-12-08 | 5.5 Medium |
| An improper access restriction to a folder in Bitdefender Endpoint Security Tools for Mac (BEST) before 7.20.52.200087 allows local users with administrative privileges to bypass the configured uninstall password protection. An unauthorized user with sudo privileges can manually remove the application directory (/Applications/Endpoint Security for Mac.app/) and the related directories within /Library/Bitdefender/AVP without needing the uninstall password. | ||||
| CVE-2025-55471 | 1 Youlai | 1 Youlai-boot | 2025-12-05 | 7.5 High |
| Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users. | ||||
| CVE-2025-4522 | 2 Themeatelier, Wordpress | 2 Idonate, Wordpress | 2025-12-04 | 6.5 Medium |
| The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the admin_post_donor_delete() function in versions 2.0.0 to 2.1.9. By supplying an arbitrary user_id parameter value to the wp_delete_user() function, authenticated attackers, with Subscriber-level access and above could delete arbitrary user accounts, including those of administrators. | ||||
| CVE-2025-46174 | 1 Ruoyi | 1 Ruoyi | 2025-12-04 | 7.5 High |
| Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java. | ||||
| CVE-2025-46175 | 1 Ruoyi | 1 Ruoyi | 2025-12-04 | 7.5 High |
| Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java. | ||||
| CVE-2025-13813 | 1 Mogublog Project | 1 Mogublog | 2025-12-03 | 5.6 Medium |
| A vulnerability was identified in moxi159753 Mogu Blog v2 up to 5.2. This issue affects some unknown processing of the file /storage/ of the component Storage Management Endpoint. The manipulation leads to missing authorization. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is assessed as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-65112 | 2 Pubnet Project, Ricardoboss | 2 Pubnet, Pubnet | 2025-12-03 | 9.4 Critical |
| PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain attacks. This issue has been patched in version 1.1.3. | ||||
| CVE-2025-5888 | 1 Jsnjfz | 1 Webstack-guns | 2025-12-03 | 4.3 Medium |
| A vulnerability was found in jsnjfz WebStack-Guns 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-65669 | 1 Classroomio | 1 Classroomio | 2025-12-03 | 9.1 Critical |
| An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction. | ||||
| CVE-2025-9954 | 2 Acquia, Drupal | 3 Dam, Acquia Dam, Drupal | 2025-12-03 | 7.5 High |
| Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing.This issue affects Acquia DAM: from 0.0.0 before 1.1.5. | ||||
| CVE-2025-41012 | 1 Tcman | 1 Gim | 2025-12-03 | 5.3 Medium |
| Unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the 'pda:userId' and 'pda:newPassword' parameters with 'soapaction UnlockUser’ in '/WS/PDAWebService.asmx'. | ||||
| CVE-2023-52177 | 1 Softlabbd | 1 Integrate Google Drive | 2025-12-02 | 5.4 Medium |
| Missing Authorization vulnerability in SoftLab Integrate Google Drive.This issue affects Integrate Google Drive: from n/a through 1.3.3. | ||||
| CVE-2025-9825 | 1 Gitlab | 1 Gitlab | 2025-12-02 | 5 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API. | ||||
| CVE-2025-52670 | 2 Revive, Revive-adserver | 2 Adserver, Revive Adserver | 2025-12-02 | 6.5 Medium |
| Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes users on the system to delete banners owned by other accounts | ||||
| CVE-2025-64349 | 2 Elog, Elog Project | 2 Elog, Elog | 2025-12-02 | 8.8 High |
| ELOG allows an authenticated user to modify another user's profile. An attacker can edit a target user's email address, then request a password reset, and take control of the target account. By default, ELOG is not configured to allow self-registration. | ||||
| CVE-2025-59828 | 2 Anthropic, Anthropics | 2 Claude Code, Claude Code | 2025-11-26 | 9.8 Critical |
| Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be executed prior to the user accepting the risks of working in an untrusted directory. Users running Yarn Classic were unaffected by this issue. This issue has been fixed in version 1.0.39. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. | ||||