Total
319133 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59513 | 1 Microsoft | 25 Windows, Windows 10, Windows 10 1607 and 22 more | 2025-11-21 | 5.5 Medium |
| Out-of-bounds read in Windows Bluetooth RFCOM Protocol Driver allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-59512 | 1 Microsoft | 24 Windows, Windows 10, Windows 10 1607 and 21 more | 2025-11-21 | 7.8 High |
| Improper access control in Customer Experience Improvement Program (CEIP) allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59511 | 1 Microsoft | 20 Windows, Windows 10, Windows 10 1809 and 17 more | 2025-11-21 | 7.8 High |
| External control of file name or path in Windows WLAN Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59510 | 1 Microsoft | 25 Remote, Windows, Windows 10 and 22 more | 2025-11-21 | 5.5 Medium |
| Improper link resolution before file access ('link following') in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to deny service locally. | ||||
| CVE-2025-59509 | 1 Microsoft | 20 Windows, Windows 10, Windows 10 1809 and 17 more | 2025-11-21 | 5.5 Medium |
| Insertion of sensitive information into sent data in Windows Speech allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-59508 | 1 Microsoft | 22 Windows, Windows 10, Windows 10 1607 and 19 more | 2025-11-21 | 7 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59507 | 1 Microsoft | 22 Windows, Windows 10, Windows 10 1607 and 19 more | 2025-11-21 | 7 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59506 | 1 Microsoft | 24 Windows, Windows 10, Windows 10 1607 and 21 more | 2025-11-21 | 7 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows DirectX allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59505 | 1 Microsoft | 24 Windows, Windows 10, Windows 10 1607 and 21 more | 2025-11-21 | 7.8 High |
| Double free in Windows Smart Card allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-59504 | 1 Microsoft | 2 Azure Monitor, Azure Monitor Agent | 2025-11-21 | 7.3 High |
| Heap-based buffer overflow in Azure Monitor Agent allows an unauthorized attacker to execute code locally. | ||||
| CVE-2025-13223 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-21 | 8.8 High |
| Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2025-58034 | 1 Fortinet | 1 Fortiweb | 2025-11-21 | 6.7 Medium |
| An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. | ||||
| CVE-2025-64446 | 1 Fortinet | 1 Fortiweb | 2025-11-21 | 9.4 Critical |
| A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. | ||||
| CVE-2025-66112 | 2025-11-21 | 4.3 Medium | ||
| Missing Authorization vulnerability in WebToffee Accessibility Toolkit by WebYes accessibility-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accessibility Toolkit by WebYes: from n/a through <= 2.0.4. | ||||
| CVE-2025-66091 | 2025-11-21 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows DOM-Based XSS.This issue affects Stylish Cost Calculator: from n/a through <= 8.1.5. | ||||
| CVE-2025-64483 | 2025-11-21 | N/A | ||
| Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API – Agent Configuration in certain configurations allows authenticated users with read-only API roles to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI. This issue has been patched in version 4.13.0. | ||||
| CVE-2025-13470 | 2025-11-21 | 7.5 High | ||
| In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release can be decrypted trivially by supplying an all-zero session key, fully compromising confidentiality. The vulnerability affects only public key encryption (PKESK packets). Passphrase-based encryption (SKESK packets) is not affected. Root cause: Vulnerable session key buffer used in PKESK packet generation. The defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization logic inside `encrypted_build_skesk()` only randomized the key for the SKESK path and omitted it for the PKESK path. | ||||
| CVE-2025-13132 | 2025-11-21 | 7.4 High | ||
| This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address bar.) | ||||
| CVE-2025-11243 | 1 Shelly | 1 Pro 4pm | 2025-11-21 | N/A |
| Allocation of Resources Without Limits or Throttling vulnerability in Shelly Pro 4PM (before v1.6) allows Excessive Allocation via network. | ||||
| CVE-2025-10054 | 2025-11-21 | 5.3 Medium | ||
| The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role. | ||||