Total
7753 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1299 | 1 Gitlab | 1 Gitlab | 2025-07-28 | 4.3 Medium |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 18.0.5, all versions starting from 18.1 before 18.1.3, all versions starting from 18.2 before 18.2.1 that, under circumstances, could have allowed an unauthorized user to read deployment job logs by sending a crafted request. | ||||
| CVE-2025-3557 | 1 Scriptandtools | 1 Ecommerce-website-in-php | 2025-07-17 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in ScriptAndTools eCommerce-website-in-PHP 3.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2876 | 2 Melapress, Wordpress | 2 Melapress Login Security, Wordpress | 2025-07-17 | 5.3 Medium |
| The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'monitor_admin_actions' function in version 2.1.0. This makes it possible for unauthenticated attackers to delete any user. | ||||
| CVE-2024-5820 | 1 Stitionai | 1 Devika | 2025-07-15 | 8.8 High |
| An unprotected WebSocket connection in the latest version of stitionai/devika (commit ecee79f) allows a malicious website to connect to the backend and issue commands on behalf of the user. The backend serves all listeners on the given socket, enabling any such malicious website to intercept all communication between the user and the backend. This vulnerability can lead to unauthorized command execution and potential server-side request forgery. | ||||
| CVE-2024-11724 | 1 Wpeka | 1 Wp Cookie Consent | 2025-07-14 | 4.3 Medium |
| The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts. | ||||
| CVE-2025-26372 | 1 Q-free | 1 Maxtime | 2025-07-13 | 7.1 High |
| A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests. | ||||
| CVE-2023-27460 | 1 Codepeople | 1 Cp Contact Form With Paypal | 2025-07-12 | 4.3 Medium |
| Missing Authorization vulnerability in CodePeople, paypaldev CP Contact Form with Paypal allows Functionality Misuse.This issue affects CP Contact Form with Paypal: from n/a through 1.3.34. | ||||
| CVE-2023-28494 | 2 Codepeople, Wordpress | 2 Contact Form Email, Wordpress | 2025-07-12 | 4.3 Medium |
| Missing Authorization vulnerability in CodePeople Contact Form Email allows Functionality Misuse.This issue affects Contact Form Email: from n/a through 1.3.31. | ||||
| CVE-2025-24972 | 1 Discourse | 1 Discourse | 2025-07-12 | 4.3 Medium |
| Discourse is an open-source discussion platform. Prior to versions `3.3.4` on the `stable` branch and `3.4.0.beta5` on the `beta` branch, in specific circumstances, users could be added to group direct messages despite disabling direct messaging in their preferences. Versions `3.3.4` and `3.4.0.beta5` contain a patch for the issue. A workaround is available. If a user disables chat in their preferences then they cannot be added to new group chats. | ||||
| CVE-2025-26374 | 1 Q-free | 1 Maxtime | 2025-07-12 | 6.5 Medium |
| A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests. | ||||
| CVE-2024-10542 | 1 Cleantalk | 2 Anti-spam, Antispam | 2025-07-12 | 9.8 Critical |
| The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. | ||||
| CVE-2024-5784 | 1 Themeum | 1 Tutor Lms | 2025-07-11 | 7.1 High |
| The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc. | ||||
| CVE-2024-10717 | 1 Wpmonks | 1 Styler For Ninja Forms | 2025-07-11 | 6.5 Medium |
| The Styler for Ninja Forms plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the deactivate_license function in all versions up to, and including, 3.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users. Note: This issue can also be used to add arbitrary options with an empty value. | ||||
| CVE-2024-8771 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2025-07-10 | 4.3 Medium |
| The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'preview_email_template_design' function in all versions up to, and including, 5.7.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the content of private, password protected, pending, and draft posts and pages. | ||||
| CVE-2018-9382 | 1 Google | 1 Android | 2025-07-10 | 7.8 High |
| In multiple functions of WifiServiceImpl.java, there is a possible way to activate Wi-Fi hotspot from a non-owner profile due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-48916 | 1 Joshfabean | 1 Bookable Calendar | 2025-07-10 | 6.5 Medium |
| Missing Authorization vulnerability in Drupal Bookable Calendar allows Forceful Browsing.This issue affects Bookable Calendar: from 0.0.0 before 2.2.13. | ||||
| CVE-2025-7133 | 1 Codeastro | 1 Online Movie Ticket Booking System | 2025-07-09 | 4.3 Medium |
| A vulnerability classified as problematic has been found in CodeAstro Online Movie Ticket Booking System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-38179 | 1 Microsoft | 1 Azure Stack Hci | 2025-07-08 | 8.8 High |
| Azure Stack Hyperconverged Infrastructure (HCI) Elevation of Privilege Vulnerability | ||||
| CVE-2024-38190 | 1 Microsoft | 1 Power Platform | 2025-07-08 | 8.6 High |
| Missing authorization in Power Platform allows an unauthenticated attacker to view sensitive information through a network attack vector. | ||||
| CVE-2024-46450 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2025-07-07 | 8.1 High |
| Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request. | ||||