Total 319133 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-59513 1 Microsoft 25 Windows, Windows 10, Windows 10 1607 and 22 more 2025-11-21 5.5 Medium
Out-of-bounds read in Windows Bluetooth RFCOM Protocol Driver allows an authorized attacker to disclose information locally.
CVE-2025-59512 1 Microsoft 24 Windows, Windows 10, Windows 10 1607 and 21 more 2025-11-21 7.8 High
Improper access control in Customer Experience Improvement Program (CEIP) allows an authorized attacker to elevate privileges locally.
CVE-2025-59511 1 Microsoft 20 Windows, Windows 10, Windows 10 1809 and 17 more 2025-11-21 7.8 High
External control of file name or path in Windows WLAN Service allows an authorized attacker to elevate privileges locally.
CVE-2025-59510 1 Microsoft 25 Remote, Windows, Windows 10 and 22 more 2025-11-21 5.5 Medium
Improper link resolution before file access ('link following') in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to deny service locally.
CVE-2025-59509 1 Microsoft 20 Windows, Windows 10, Windows 10 1809 and 17 more 2025-11-21 5.5 Medium
Insertion of sensitive information into sent data in Windows Speech allows an authorized attacker to disclose information locally.
CVE-2025-59508 1 Microsoft 22 Windows, Windows 10, Windows 10 1607 and 19 more 2025-11-21 7 High
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally.
CVE-2025-59507 1 Microsoft 22 Windows, Windows 10, Windows 10 1607 and 19 more 2025-11-21 7 High
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally.
CVE-2025-59506 1 Microsoft 24 Windows, Windows 10, Windows 10 1607 and 21 more 2025-11-21 7 High
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows DirectX allows an authorized attacker to elevate privileges locally.
CVE-2025-59505 1 Microsoft 24 Windows, Windows 10, Windows 10 1607 and 21 more 2025-11-21 7.8 High
Double free in Windows Smart Card allows an authorized attacker to elevate privileges locally.
CVE-2025-59504 1 Microsoft 2 Azure Monitor, Azure Monitor Agent 2025-11-21 7.3 High
Heap-based buffer overflow in Azure Monitor Agent allows an unauthorized attacker to execute code locally.
CVE-2025-13223 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2025-11-21 8.8 High
Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2025-58034 1 Fortinet 1 Fortiweb 2025-11-21 6.7 Medium
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
CVE-2025-64446 1 Fortinet 1 Fortiweb 2025-11-21 9.4 Critical
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
CVE-2025-66112 2025-11-21 4.3 Medium
Missing Authorization vulnerability in WebToffee Accessibility Toolkit by WebYes accessibility-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accessibility Toolkit by WebYes: from n/a through <= 2.0.4.
CVE-2025-66091 2025-11-21 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows DOM-Based XSS.This issue affects Stylish Cost Calculator: from n/a through <= 8.1.5.
CVE-2025-64483 2025-11-21 N/A
Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API – Agent Configuration in certain configurations allows authenticated users with read-only API roles to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI. This issue has been patched in version 4.13.0.
CVE-2025-13470 2025-11-21 7.5 High
In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release can be decrypted trivially by supplying an all-zero session key, fully compromising confidentiality. The vulnerability affects only public key encryption (PKESK packets).  Passphrase-based encryption (SKESK packets) is not affected. Root cause: Vulnerable session key buffer used in PKESK packet generation. The defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization logic inside `encrypted_build_skesk()` only randomized the key for the SKESK path and omitted it for the PKESK path.
CVE-2025-13132 2025-11-21 7.4 High
This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address bar.)
CVE-2025-11243 1 Shelly 1 Pro 4pm 2025-11-21 N/A
Allocation of Resources Without Limits or Throttling vulnerability in Shelly Pro 4PM (before v1.6) allows Excessive Allocation via network.
CVE-2025-10054 2025-11-21 5.3 Medium
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role.