Total
2885 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-15119 | 1 Jeecg | 2 Jeecg Boot, Jeecgboot | 2026-01-07 | 3.1 Low |
| A vulnerability was detected in JeecgBoot up to 3.9.0. This issue affects the function queryPageList of the file /sys/sysDepartRole/list. The manipulation of the argument deptId results in improper authorization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59683 | 1 Pexip | 2 Infinity, Pexip Infinity | 2026-01-05 | 8.2 High |
| Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources, leading to a denial of service. | ||||
| CVE-2025-66378 | 1 Pexip | 2 Infinity, Pexip Infinity | 2026-01-05 | 5.9 Medium |
| Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node. | ||||
| CVE-2025-58052 | 1 Galette | 1 Galette | 2026-01-05 | 8.1 High |
| Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group managers accounts. Version 1.2.0 fixes the issue. | ||||
| CVE-2024-31452 | 1 Openfga | 1 Openfga | 2026-01-05 | 8.1 High |
| OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`). This vulnerability is fixed in v1.5.3. | ||||
| CVE-2025-9056 | 1 Tecno | 2 Audiolink, Com.transsion.audiosmartconnect | 2026-01-02 | 5.3 Medium |
| Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation. | ||||
| CVE-2024-2231 | 1 2code | 1 Himer | 2026-01-02 | 6.5 Medium |
| The allows any authenticated user to join a private group due to a missing authorization check on a function | ||||
| CVE-2024-6695 | 1 Cozmoslabs | 1 Profile Builder | 2026-01-02 | 9.8 Critical |
| it's possible for an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This is due to improper logic flow on the user registration process. | ||||
| CVE-2025-68938 | 1 Gitea | 1 Gitea | 2026-01-02 | 4.3 Medium |
| Gitea before 1.25.2 mishandles authorization for deletion of releases. | ||||
| CVE-2025-68940 | 1 Gitea | 1 Gitea | 2026-01-02 | 3.1 Low |
| In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. | ||||
| CVE-2025-68941 | 1 Gitea | 1 Gitea | 2026-01-02 | 4.9 Medium |
| Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. | ||||
| CVE-2025-53922 | 1 Galette | 1 Galette | 2026-01-02 | 4.9 Medium |
| Galette is a membership management web application for non profit organizations. Starting in version 1.1.4 and prior to version 1.2.0, a user who is logged in as group manager may bypass intended restrictions on Contributions and Transactions. Version 1.2.0 fixes the issue. | ||||
| CVE-2025-15085 | 1 Youlai | 1 Youlai-mall | 2025-12-31 | 4.3 Medium |
| A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-13767 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-31 | 4.3 Medium |
| Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to. | ||||
| CVE-2025-64641 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-31 | 4.1 Medium |
| Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts | ||||
| CVE-2025-15126 | 1 Jeecg | 2 Jeecg Boot, Jeecgboot | 2025-12-30 | 3.1 Low |
| A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authorization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15120 | 1 Jeecg | 2 Jeecg Boot, Jeecgboot | 2025-12-30 | 3.1 Low |
| A flaw has been found in JeecgBoot up to 3.9.0. Impacted is the function getDeptRoleList of the file /sys/sysDepartRole/getDeptRoleList. This manipulation of the argument departId causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15122 | 1 Jeecg | 2 Jeecg Boot, Jeecgboot | 2025-12-30 | 3.1 Low |
| A vulnerability was found in JeecgBoot up to 3.9.0. The impacted element is the function loadDatarule of the file /sys/sysDepartRole/datarule/. Performing manipulation of the argument departId/roleId results in improper authorization. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15123 | 1 Jeecg | 2 Jeecg Boot, Jeecgboot | 2025-12-30 | 3.1 Low |
| A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15124 | 1 Jeecg | 2 Jeecg Boot, Jeecgboot | 2025-12-30 | 3.1 Low |
| A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||