Total: 1908 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-3699 | | | 2025-12-23 | 9.8 Critical | Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50 all versions, GB-50A all versions, GB-24A all versions, G-150AD all versions, AG-150A-A all versions, AG-150A-J all versions, GB-50AD all versions, GB-50ADA-A all versions, GB-50ADA-J all versions, EB-50GU-A all versions, EB-50GU-J all versions, AE-200J all versions, AE-200A all versions, AE-200E all versions, AE-50J all versions, AE-50A all versions, AE-50E all versions, EW-50J all versions, EW-50A all versions, EW-50E all versions, TE-200A all versions, TE-50A all versions, TW-50A all versions, and CMS-RMD-J all versions allows a remote unauthenticated attacker to bypass authentication and then control the air conditioning systems without authorization, or disclose information held in them. In addition, the attacker may tamper with their firmware using the disclosed information. |
| CVE-2025-63896 | Jxl, Jxlindia | Jxl Double Din Player, Jxl 9 Inch Car Android Double Din Player, Jxl 9 Inch Car Android Double Din Player Firmware | 2025-12-23 | 3.5 Low | An issue in the Bluetooth Human Interface Device (HID) handling of the JXL 9 Inch Car Android Double Din Player (Android v12.0) allows attackers to inject arbitrary keystrokes via a spoofed Bluetooth HID device. |
| CVE-2025-7635 | Calix | Calix Gigacenter Ont, Gigacenter Ont | 2025-12-22 | 7.7 High | Unauthenticated Telnet access vulnerability in Calix GigaCenter ONT allows root access. This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE. |
| CVE-2025-27019 | Infinera, Nokia | Mtc-9, Infinera Mtc-9, Infinera Mtc-9 Firmware | 2025-12-22 | 9.8 Critical | The remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows an attacker to use password-less user accounts and obtain system access by activating a reverse shell. This issue affects MTC-9: from R22.1.1.0275 before R23.0. |
| CVE-2025-27020 | Infinera, Nokia | Mtc-9, Infinera Mtc-9, Infinera Mtc-9 Firmware | 2025-12-22 | 9.8 Critical | Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on the file system. This issue affects MTC-9: from R22.1.1.0275 before R23.0. |
| CVE-2025-34073 | | | 2025-12-20 | N/A | An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication, and commands are executed with the privileges of the Maltrail process. |
| CVE-2024-12847 | Netgear | Dgn1000, Dgn1000 Firmware | 2025-12-19 | 9.8 Critical | NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been exploited in the wild since at least 2017; the Shadowserver Foundation observed exploitation on 2025-02-06 UTC. |
| CVE-2025-34434 | Wwbn | Avideo | 2025-12-19 | 9.1 Critical | AVideo versions prior to 20.1 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. The plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video. |
| CVE-2023-53771 | Minidvblinux | Minidvblinux | 2025-12-19 | 9.8 Critical | MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication. Attackers can send crafted POST requests to the system setup endpoint with a modified SYSTEM_PASSWORD parameter to reset the root credentials. |
| CVE-2023-53773 | Minidvblinux | Minidvblinux | 2025-12-19 | 5.3 Medium | MiniDVBLinux 5.4 contains an unauthenticated vulnerability in the tv_action.sh script that allows remote attackers to generate live stream snapshots through the Simple VDR Protocol. Attackers can request /tpl/tv_action.sh to create and retrieve a live TV screenshot stored in /var/www/images/tv.jpg without authentication. |
| CVE-2025-65007 | | | 2025-12-19 | N/A | In the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28), a lack of authentication in the configuration change module of the adm.cgi endpoint lets an unauthenticated attacker execute actions including backup creation, device restart and resetting the device to factory settings. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. |
| CVE-2025-65010 | | | 2025-12-19 | N/A | The WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) is vulnerable to Broken Access Control in the initial configuration wizard.cgi endpoint. A malicious attacker can change the admin panel password without authorization. The vulnerability can also be exploited after the initial configuration has been set. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. |
| CVE-2024-58300 | Siklu | Multihaul Tg Series | 2025-12-18 | N/A | Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain the username and password, enabling direct SSH access to the device. |
| CVE-2025-43428 | Apple | iOS, iPadOS, iPhone OS and 3 more | 2025-12-18 | 9.8 Critical | A configuration issue was addressed with additional restrictions. This issue is fixed in visionOS 26.2, iOS 26.2 and iPadOS 26.2, and macOS Tahoe 26.2. Photos in the Hidden Photos Album may be viewed without authentication. |
| CVE-2025-21355 | Microsoft | Bing | 2025-12-17 | 8.6 High | Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network. |
| CVE-2025-21198 | Microsoft | Microsoft Hpc Pack 2016, Microsoft Hpc Pack 2019 | 2025-12-17 | 9.0 Critical | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability. |
| CVE-2020-36894 | Eibiz | I-media Server Digital Signage | 2025-12-17 | 7.5 High | Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation. Attackers can send crafted serialized objects to the /messagebroker/amf endpoint to create administrative users without authentication, bypassing security controls. |
| CVE-2020-36892 | Eibiz | I-media Server Digital Signage | 2025-12-17 | 9.8 Critical | Eibiz i-Media Server Digital Signage 3.8.0 contains an unauthenticated privilege escalation vulnerability in the updateUser object that allows attackers to modify user roles. Attackers can exploit the /messagebroker/amf endpoint to elevate privileges and take over user accounts by manipulating role settings without authentication. |
| CVE-2025-48572 | Google | Android | 2025-12-17 | 7.8 High | In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-14038 | Enterprisedb | Hybrid Manager | 2025-12-16 | 7.0 High | EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause a denial of service by writing malformed data to those endpoints. The flaw has been remediated in EDB Hybrid Manager 1.3.3, and customers should upgrade as soon as possible. The flaw is due to a misconfiguration in the Istio Gateway, which manages authentication and authorization for the affected endpoints. The security policy relies on an explicit definition of required permissions in the Istio Gateway configuration, and the affected endpoints were not defined in that configuration, so requests to them bypassed both authentication and authorization within a Hybrid Manager service. All versions of Hybrid Manager - LTS should be upgraded to 1.3.3, and all versions of Hybrid Manager - Innovation should be upgraded to 2025.12. |
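The Maltrail entry (CVE-2025-34073) describes the classic Python shell-injection shape: a request field interpolated into a command string that goes to `subprocess.check_output()` with a shell. The example below is added here and is not Maltrail's source; the command it builds (an `echo` of a log line) and the `INJECTED_USERNAME` sample are constructed for illustration so the demo runs offline. It shows the vulnerable builder alongside the two fixes a reviewer would ask for: pass an argument vector with `shell=False`, or, where a shell is genuinely required, `shlex.quote()` every untrusted fragment, plus an allow-list on the field as defence in depth.

```python
"""Added example (not Maltrail's own code): the shell-injection pattern behind
CVE-2025-34073 and how to close it. The command shape is assumed; it only
echoes a log line so the demonstration runs offline and harmlessly."""
import re
import shlex
import subprocess

# Constructed sample input: a "username" carrying shell metacharacters. In the
# vulnerable builder the double quote closes the string and the semicolons
# start new commands.
INJECTED_USERNAME = 'admin"; echo INJECTED; echo "'


def build_command_vulnerable(username: str, remote_addr: str) -> str:
    # Vulnerable pattern: untrusted input formatted into one command string
    # that is later handed to a shell (shell=True). The shell re-parses it,
    # so quotes and metacharacters in `username` change the command structure.
    return 'echo "failed login for %s from %s"' % (username, remote_addr)


def log_login_vulnerable(username: str, remote_addr: str) -> str:
    # Executes whatever the attacker smuggled into `username`.
    cmd = build_command_vulnerable(username, remote_addr)
    return subprocess.check_output(cmd, shell=True).decode()


def log_login_argv(username: str, remote_addr: str) -> str:
    # Fix 1: an argument vector with shell=False. No shell parses anything,
    # so the metacharacters stay ordinary bytes inside a single argument.
    argv = ["echo", "failed login for %s from %s" % (username, remote_addr)]
    return subprocess.check_output(argv, shell=False).decode()


def build_command_quoted(username: str, remote_addr: str) -> str:
    # Fix 2 (only when a shell is really needed, e.g. for pipes/redirects):
    # quote each untrusted fragment so the shell sees one literal word.
    message = "failed login for %s from %s" % (username, remote_addr)
    return "echo %s" % shlex.quote(message)


def log_login_quoted(username: str, remote_addr: str) -> str:
    cmd = build_command_quoted(username, remote_addr)
    return subprocess.check_output(cmd, shell=True).decode()


# Defence in depth: an allow-list for the login field (assumed policy).
# This is not the fix on its own, since the bug is in how the value is
# passed to the subprocess, but it rejects hostile input at the edge.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    print("vulnerable:", repr(log_login_vulnerable(INJECTED_USERNAME, "10.0.0.5")))
    print("argv:      ", repr(log_login_argv(INJECTED_USERNAME, "10.0.0.5")))
    print("quoted:    ", repr(log_login_quoted(INJECTED_USERNAME, "10.0.0.5")))
    print("allow-list:", is_valid_username("admin"), is_valid_username(INJECTED_USERNAME))
```

Running the vulnerable path prints three lines, one of them `INJECTED`, because the shell executed the smuggled `echo`; both hardened paths print the whole username verbatim as part of one log line. When auditing for this class, grep for `shell=True` and for `check_output`/`Popen`/`os.system`/`os.popen` calls whose first argument is a formatted string; the list-argument form is the default to reach for.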