Total
34726 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-38647 | 1 Linux | 1 Linux Kernel | 2025-12-15 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: sar: drop lockdep assertion in rtw89_set_sar_from_acpi The following assertion is triggered on the rtw89 driver startup. It looks meaningless to hold wiphy lock on the early init stage so drop the assertion. WARNING: CPU: 7 PID: 629 at drivers/net/wireless/realtek/rtw89/sar.c:502 rtw89_set_sar_from_acpi+0x365/0x4d0 [rtw89_core] CPU: 7 UID: 0 PID: 629 Comm: (udev-worker) Not tainted 6.15.0+ #29 PREEMPT(lazy) Hardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN50WW 09/27/2024 RIP: 0010:rtw89_set_sar_from_acpi+0x365/0x4d0 [rtw89_core] Call Trace: <TASK> rtw89_sar_init+0x68/0x2c0 [rtw89_core] rtw89_core_init+0x188e/0x1e50 [rtw89_core] rtw89_pci_probe+0x530/0xb50 [rtw89_pci] local_pci_probe+0xd9/0x190 pci_call_probe+0x183/0x540 pci_device_probe+0x171/0x2c0 really_probe+0x1e1/0x890 __driver_probe_device+0x18c/0x390 driver_probe_device+0x4a/0x120 __driver_attach+0x1a0/0x530 bus_for_each_dev+0x10b/0x190 bus_add_driver+0x2eb/0x540 driver_register+0x1a3/0x3a0 do_one_initcall+0xd5/0x450 do_init_module+0x2cc/0x8f0 init_module_from_file+0xe1/0x150 idempotent_init_module+0x226/0x760 __x64_sys_finit_module+0xcd/0x150 do_syscall_64+0x94/0x380 entry_SYSCALL_64_after_hwframe+0x76/0x7e Found by Linux Verification Center (linuxtesting.org). | ||||
| CVE-2025-43404 | 1 Apple | 2 Macos, Macos Tahoe | 2025-12-15 | 3.3 Low |
| A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | ||||
| CVE-2025-43393 | 1 Apple | 2 Macos, Macos Tahoe | 2025-12-15 | 5.2 Medium |
| A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to break out of its sandbox. | ||||
| CVE-2025-43388 | 1 Apple | 2 Macos, Macos Tahoe | 2025-12-15 | 3.3 Low |
| An injection issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | ||||
| CVE-2025-43351 | 1 Apple | 2 Macos, Macos Tahoe | 2025-12-15 | 5.5 Medium |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data. | ||||
| CVE-2025-20158 | 1 Cisco | 10 Desk Phone 9841, Desk Phone 9841 Firmware, Desk Phone 9851 and 7 more | 2025-12-15 | 4.4 Medium |
| A vulnerability in the debug shell of Cisco Video Phone 8875 and Cisco Desk Phone 9800 Series could allow an authenticated, local attacker to access sensitive information on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials with SSH access on the affected device. SSH access is disabled by default. This vulnerability is due to insufficient validation of user-supplied input by the debug shell of an affected device. An attacker could exploit this vulnerability by sending a crafted SSH client command to the CLI. A successful exploit could allow the attacker to access sensitive information on the underlying operating system. | ||||
| CVE-2025-14528 | 1 Dlink | 2 Dir-803, Dir-803 Firmware | 2025-12-15 | 5.3 Medium |
| A vulnerability was detected in D-Link DIR-803 up to 1.04. Impacted is an unknown function of the file /getcfg.php of the component Configuration Handler. The manipulation of the argument AUTHORIZED_GROUP results in information disclosure. The attack may be performed from remote. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-23184 | 2 Apache, Redhat | 2 Cxf, Jboss Enterprise Application Platform | 2025-12-15 | 5.9 Medium |
| A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients). | ||||
| CVE-2024-56043 | 2 Vibethemes, Wordpress | 2 Wordpress Learning Management System, Wordpress | 2025-12-12 | 9.8 Critical |
| Incorrect Privilege Assignment vulnerability in VibeThemes WPLMS allows Privilege Escalation.This issue affects WPLMS: from n/a through 1.9.9. | ||||
| CVE-2025-36912 | 1 Google | 1 Android | 2025-12-12 | 6.5 Medium |
| In cellular modem, there is a possible denial of service due to a logic error in the code. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-12426 | 2 Ays-pro, Wordpress | 2 Quiz Maker, Wordpress | 2025-12-12 | 5.3 Medium |
| The Quiz Maker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.0.80. This is due to the plugin exposing quiz answers through the ays_quiz_check_answer AJAX action without proper authorization checks. The endpoint only validates a nonce, but that same nonce is publicly available to all site visitors via the quiz_maker_ajax_public localized script data. This makes it possible for unauthenticated attackers to extract sensitive data including quiz answers for any quiz question. | ||||
| CVE-2025-14330 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-12-11 | 9.8 Critical |
| JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | ||||
| CVE-2025-65594 | 2 Opensis, Os4ed | 2 Opensis, Opensis | 2025-12-11 | 8.1 High |
| OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users. | ||||
| CVE-2025-14324 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-12-11 | 9.8 Critical |
| JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | ||||
| CVE-2025-21073 | 1 Samsung | 2 Android, Mobile Devices | 2025-12-11 | 6.8 Medium |
| Insecure default configuration in USB connection mode prior to SMR Nov-2025 Release 1 allows privileged physical attackers to access user data. User interaction is required for triggering this vulnerability. | ||||
| CVE-2025-14198 | 1 Verysync | 1 Verysync | 2025-12-11 | 5.3 Medium |
| A vulnerability was detected in Verysync 微力同步 2.21.3. This affects an unknown function of the file /safebrowsing/clientreport/download?key=dummytoken of the component Web Administration Module. Performing manipulation results in information disclosure. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12558 | 2 Fastlinemedia, Wordpress | 2 Beaver Builder, Wordpress | 2025-12-11 | 4.3 Medium |
| The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the path and meta data of private attachments, which can be used to view the attachments. | ||||
| CVE-2025-63721 | 1 Hummerrisk | 1 Hummerrisk | 2025-12-11 | 9.8 Critical |
| HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server. | ||||
| CVE-2025-43376 | 1 Apple | 7 Ios, Ipados, Iphone Os and 4 more | 2025-12-10 | 7.5 High |
| A logic issue was addressed with improved state management. This issue is fixed in Safari 26, tvOS 26, watchOS 26, iOS 26 and iPadOS 26, visionOS 26. A remote attacker may be able to view leaked DNS queries with Private Relay turned on. | ||||
| CVE-2024-0353 | 1 Eset | 11 Endpoint Antivirus, Endpoint Security, File Security and 8 more | 2025-12-10 | 7.8 High |
| Local privilege escalation vulnerability potentially allowed an attacker to misuse ESET’s file operations to delete files without having proper permission. | ||||