Total
469 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49867 | 2025-07-04 | 9.8 Critical | ||
| Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes allows Privilege Escalation. This issue affects RealHomes: from n/a through 4.4.0. | ||||
| CVE-2025-23970 | 2025-07-04 | 9.8 Critical | ||
| Incorrect Privilege Assignment vulnerability in aonetheme Service Finder Booking allows Privilege Escalation. This issue affects Service Finder Booking: from n/a through 6.0. | ||||
| CVE-2025-45006 | 2025-07-03 | 9.1 Critical | ||
| Improper mstatus.SUM bit retention (non-zero) in Open-Source RISC-V Processor commit f517abb violates privileged spec constraints, enabling potential physical memory access attacks. | ||||
| CVE-2025-27021 | 2025-07-03 | 7 High | ||
| The misconfiguration in the sudoers configuration of the operating system in Infinera G42 version R6.1.3 allows low privileged OS users to read/write physical memory via devmem command line tool. This could allow sensitive information disclosure, denial of service, and privilege escalation by tampering with kernel memory. Details: The output of "sudo -l" reports the presence of "devmem" command executable as super user without using a password. This command allows to read and write an arbitrary memory area of the target device, specifying an absolute address. | ||||
| CVE-2024-25660 | 2 Infinera, Nokia | 2 Tnms, Transcend Network Management System | 2025-07-03 | 9 Critical |
| The WebDAV service in Infinera TNMS (Transcend Network Management System) 19.10.3 allows a low-privileged remote attacker to conduct unauthorized file operations, because of execution with unnecessary privileges. | ||||
| CVE-2025-47561 | 2025-07-03 | 8.8 High | ||
| Incorrect Privilege Assignment vulnerability in PT Norther Lights Production MapSVG allows Privilege Escalation.This issue affects MapSVG: from n/a before 8.6.13. | ||||
| CVE-2025-2955 | 1 Totolink | 2 A3000ru, A3000ru Firmware | 2025-07-02 | 5.3 Medium |
| A vulnerability has been found in TOTOLINK A3000RU up to 5.9c.5185 and classified as problematic. This vulnerability affects unknown code of the file /cgi-bin/ExportIbmsConfig.sh of the component IBMS Configuration File Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-2688 | 1 Totolink | 2 A3000ru, A3000ru Firmware | 2025-07-02 | 4.3 Medium |
| A vulnerability classified as problematic was found in TOTOLINK A3000RU up to 5.9c.5185. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/ExportSyslog.sh of the component Syslog Configuration File Handler. The manipulation leads to improper access controls. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-5791 | 1 Redhat | 3 Enterprise Linux, Openshift, Trusted Profile Analyzer | 2025-07-02 | 7.1 High |
| A flaw was found in the user's crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list. | ||||
| CVE-2025-52726 | 2025-06-30 | 8.6 High | ||
| Incorrect Privilege Assignment vulnerability in pebas CouponXxL Custom Post Types allows Privilege Escalation. This issue affects CouponXxL Custom Post Types: from n/a through 3.0. | ||||
| CVE-2025-6765 | 2025-06-30 | 6.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in Intelbras InControl 2.21.60.9. This issue affects some unknown processing of the file /v1/operador/ of the component HTTP PUT Request Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6735 | 2025-06-30 | 6.3 Medium | ||
| A vulnerability classified as critical has been found in juzaweb CMS 3.4.2. Affected is an unknown function of the file /admin-cp/imports of the component Import Page. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6736 | 2025-06-30 | 6.3 Medium | ||
| A vulnerability classified as critical was found in juzaweb CMS 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/theme/install of the component Add New Themes Page. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-0135 | 1 Paloaltonetworks | 2 Globalprotect, Globalprotect App | 2025-06-27 | 3.3 Low |
| An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtectâ„¢ App on macOS devices enables a locally authenticated non administrative user to disable the app. The GlobalProtect app on Windows, Linux, iOS, Android, Chrome OS and GlobalProtect UWP app are not affected. | ||||
| CVE-2025-6702 | 2025-06-27 | 4.3 Medium | ||
| A vulnerability, which was classified as problematic, was found in linlinjava litemall 1.8.0. Affected is an unknown function of the file /wx/comment/post. The manipulation of the argument adminComment leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6532 | 2025-06-26 | 4.3 Medium | ||
| A vulnerability classified as problematic was found in NOYAFA/Xiami LF9 Pro up to 20250611. Affected by this vulnerability is an unknown functionality of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names. | ||||
| CVE-2025-23260 | 2025-06-26 | 5 Medium | ||
| NVIDIA AIStore contains a vulnerability in the AIS Operator where a user may gain elevated k8s cluster access by using the ServiceAccount attached to the ClusterRole. A successful exploit of this vulnerability may lead to information disclosure. | ||||
| CVE-2025-6531 | 2025-06-26 | 4.3 Medium | ||
| A vulnerability was found in SIFUSM/MZZYG BD S1 up to 20250611. It has been declared as problematic. This vulnerability affects unknown code of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names. | ||||
| CVE-2025-6525 | 2025-06-26 | 4.3 Medium | ||
| A vulnerability classified as problematic was found in 70mai 1S up to 20250611. This vulnerability affects unknown code of the file /cgi-bin/Config.cgi?action=set of the component Configuration Handler. The manipulation leads to improper authorization. The attack needs to be approached within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6527 | 2025-06-26 | 3.1 Low | ||
| A vulnerability, which was classified as problematic, was found in 70mai M300 up to 20250611. Affected is an unknown function of the component Web Server. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||