Total
1593 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1731 | 1 Zyxel | 9 Uos, Usg Flex 100h, Usg Flex 100hp and 6 more | 2025-10-30 | 7.8 High |
| An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid. | ||||
| CVE-2025-54546 | 1 Arista | 1 Danz Monitoring Fabric | 2025-10-30 | 7.5 High |
| On affected platforms, restricted users could use SSH port forwarding to access host-internal services | ||||
| CVE-2025-54545 | 1 Arista | 1 Danz Monitoring Fabric | 2025-10-30 | 7.8 High |
| On affected platforms, a restricted user could break out of the CLI sandbox to the system shell and elevate their privileges. | ||||
| CVE-2025-12148 | 1 Search-guard | 1 Search Guard | 2025-10-30 | N/A |
| In Search Guard versions 3.1.1 and earlier, Field Masking (FM) rules are improperly enforced on fields of type IP (IP Address). While the content of these fields is properly redacted in the _source document returned by search operations, the results do return documents (hits) when searching based on a specific IP values. This allows to reconstruct the original contents of the field. Workaround - If you cannot upgrade immediately, you can avoid the problem by using field level security (FLS) protection on fields of the affected types instead of field masking. | ||||
| CVE-2025-12147 | 1 Search-guard | 1 Search Guard | 2025-10-30 | N/A |
| In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are improperly enforced on object-valued fields. When an FLS exclusion rule (e.g., ~field) is applied to a field which contains an object as its value, the object is correctly removed from the _source returned by search operations. However, the object members (i.e., child attributes) remain accessible to search queries. This exposure allows adversaries to infer or reconstruct the original contents of the excluded object. Workaround - If you cannot upgrade immediately and FLS exclusion rules are used for object valued attributes (like ~object), add an additional exclusion rule for the members of the object (like ~object.*). | ||||
| CVE-2024-25646 | 1 Sap | 1 Businessobjects Web Intelligence | 2025-10-29 | 7.7 High |
| Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a considerable impact on confidentiality of the application. | ||||
| CVE-2025-62688 | 1 Automationdirect | 8 P1-540, P1-550, P2-550 and 5 more | 2025-10-27 | 7.1 High |
| An incorrect permission assignment for a critical resource vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an attacker with low-privileged credentials to change their role, gaining full control access to the project. | ||||
| CVE-2018-13374 | 1 Fortinet | 2 Fortiadc, Fortios | 2025-10-24 | 4.3 Medium |
| A Improper Access Control in Fortinet FortiOS 6.0.2, 5.6.7 and before, FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows attacker to obtain the LDAP server login credentials configured in FortiGate via pointing a LDAP server connectivity test request to a rogue LDAP server instead of the configured one. | ||||
| CVE-2025-0066 | 1 Sap | 4 Abap Platform, Netweaver Abap, Netweaver As Abap and 1 more | 2025-10-23 | 9.9 Critical |
| Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application | ||||
| CVE-2025-0064 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-23 | 8.7 High |
| Under specific conditions, the Central Management Console of the SAP BusinessObjects Business Intelligence platform allows an attacker with admin rights to generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. This results in a high impact on confidentiality and integrity, with no impact on availability. | ||||
| CVE-2025-12004 | 1 Mediawiki | 1 Mediawiki | 2025-10-23 | N/A |
| Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action APIThis issue affects Mediawiki - Lockdown Extension: from master before 1.42. | ||||
| CVE-2019-15752 | 3 Apache, Docker, Microsoft | 3 Geode, Docker, Windows | 2025-10-22 | 7.8 High |
| Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command. | ||||
| CVE-2025-45468 | 1 Devsapp | 1 Fc-stable-diffusion | 2025-10-21 | 8.8 High |
| Insecure permissions in fc-stable-diffusion-plus v1.0.18 allows attackers to escalate privileges and compromise the customer cloud account. | ||||
| CVE-2025-8886 | 1 Usta | 1 Aybs | 2025-10-21 | 6.7 Medium |
| Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privilege Abuse, Authentication Bypass.This issue affects Aybs Interaktif: from 2024 through 28082025. | ||||
| CVE-2024-45497 | 1 Redhat | 2 Jboss Fuse, Openshift | 2025-10-21 | 7.6 High |
| A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties. | ||||
| CVE-2025-62251 | 1 Liferay | 2 Dxp, Portal | 2025-10-20 | N/A |
| Liferay Portal 7.3.0 through 7.4.3.119, and Liferay DXP 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92 and 7.3 GA though update 36 shows content to users who do not have permission to view it via the Menu Display Widget. This security flaw could result in sensitive information being exposed to unauthorized users. | ||||
| CVE-2025-57741 | 2 Apple, Fortinet | 3 Macos, Forticlient, Forticlientmac | 2025-10-20 | 7 High |
| An Incorrect Permission Assignment for Critical Resource vulnerability [CWE-732] in FortiClientMac 7.4.0 through 7.4.3, 7.2.0 through 7.2.11, 7.0 all versions may allow a local attacker to run arbitrary code or commands via LaunchDaemon hijacking. | ||||
| CVE-2025-31702 | 1 Dahua | 2 Ipc, Sd | 2025-10-20 | 6.8 Medium |
| A vulnerability exists in certain Dahua embedded products. Third-party malicious attacker with obtained normal user credentials could exploit the vulnerability to access certain data which are restricted to admin privileges, such as system-sensitive files through specific HTTP request. This may cause tampering with admin password, leading to privilege escalation. Systems with only admin account are not affected. | ||||
| CVE-2025-10751 | 1 Macenhance | 1 Macforge | 2025-10-17 | N/A |
| MacForge contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root.This issue affects MacForge: 1.2.0 Beta 1. | ||||
| CVE-2025-45471 | 1 Lumigo | 1 Measure-cold-start | 2025-10-14 | 8.8 High |
| Insecure permissions in measure-cold-start v1.4.1 allows attackers to escalate privileges and compromise the customer cloud account. | ||||