Total
4545 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-50072 | 1 Oracle | 1 Weblogic Server | 2025-07-24 | 4 Medium |
| Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle WebLogic Server executes to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 4.0 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). | ||||
| CVE-2021-32584 | 1 Fortinet | 1 Fortiwlc | 2025-07-24 | 4.8 Medium |
| An improper access control (CWE-284) vulnerability in FortiWLC version 8.6.0, version 8.5.3 and below, version 8.4.8 and below, version 8.3.3 and below, version 8.2.7 to 8.2.4, version 8.1.3 may allow an unauthenticated and remote attacker to access certain areas of the web management CGI functionality by just specifying the correct URL. The vulnerability applies only to limited CGI resources and might allow the unauthorized party to access configuration details. | ||||
| CVE-2021-22126 | 1 Fortinet | 1 Fortiwlc | 2025-07-24 | 6.5 Medium |
| A use of hard-coded password vulnerability in FortiWLC version 8.5.2 and below, version 8.4.8 and below, version 8.3.3 to 8.3.2, version 8.2.7 to 8.2.6 may allow a local, authenticated attacker to connect to the managed Access Point (Meru AP and FortiAP-U) as root using the default hard-coded username and password. | ||||
| CVE-2023-47539 | 1 Fortinet | 1 Fortimail | 2025-07-24 | 9 Critical |
| An improper access control vulnerability in FortiMail version 7.4.0 configured with RADIUS authentication and remote_wildcard enabled may allow a remote unauthenticated attacker to bypass admin login via a crafted HTTP request. | ||||
| CVE-2022-47648 | 1 Bosch | 2 B420, B420 Firmware | 2025-07-23 | 7.6 High |
| An Improper Access Control vulnerability allows an attacker to access the control panel of the B420 without requiring any sort of authorization or authentication due to the IP based authorization. If an authorized user has accessed a publicly available B420 product using valid credentials, an insider attacker can gain access to the same panel without requiring any sort of authorization. The B420 module was already obsolete at the time this vulnerability was found (The End of Life announcement was made in 2013). | ||||
| CVE-2025-20223 | 1 Cisco | 1 Catalyst Center | 2025-07-23 | 4.7 Medium |
| A vulnerability in Cisco Catalyst Center, formerly Cisco DNA Center, could allow an authenticated, remote attacker to read and modify data in a repository that belongs to an internal service of an affected device. This vulnerability is due to insufficient enforcement of access control on HTTP requests. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected device. A successful exploit could allow the attacker to read and modify data that is handled by an internal service on the affected device. | ||||
| CVE-2024-32124 | 1 Fortinet | 1 Fortiisolator | 2025-07-22 | 4 Medium |
| An improper access control vulnerability [CWE-284] in FortiIsolator version 2.4.4, version 2.4.3, 2.3 all versions logging component may allow a remote authenticated read-only attacker to alter logs via a crafted HTTP request. | ||||
| CVE-2025-23083 | 1 Redhat | 2 Enterprise Linux, Rhel Eus | 2025-07-22 | N/A |
| With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23. | ||||
| CVE-2025-20130 | 1 Cisco | 2 Identity Services Engine, Identity Services Engine Passive Identity Connector | 2025-07-22 | 4.9 Medium |
| A vulnerability in the API of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to upload files to an affected device. This vulnerability is due to improper validation of the file copy function. An attacker could exploit this vulnerability by sending a crafted file upload request to a specific API endpoint. A successful exploit could allow the attacker to upload arbitrary files to an affected system. | ||||
| CVE-2025-2121 | 1 Thinkware | 2 F800 Pro, F800 Pro Firmware | 2025-07-22 | 6.3 Medium |
| A vulnerability classified as critical has been found in Thinkware Car Dashcam F800 Pro up to 20250226. Affected is an unknown function of the component File Storage. The manipulation leads to improper access controls. The attack can only be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-44619 | 1 Tinxy | 2 Wifi Lock Controller V1 Rf, Wifi Lock Controller V1 Rf Firmware | 2025-07-22 | 9.1 Critical |
| Tinxy WiFi Lock Controller v1 RF was discovered to be configured to transmit on an open Wi-Fi network, allowing attackers to join the network without authentication. | ||||
| CVE-2025-52166 | 2025-07-22 | 6.5 Medium | ||
| Incorrect access control in Software GmbH Agorum core open v11.9.2 & v11.10.1 allows authenticated attackers to escalate privileges to Administrator and access sensitive components and information. | ||||
| CVE-2025-52168 | 2025-07-22 | 6.5 Medium | ||
| Incorrect access control in the dynawebservice component of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows unauthenticated attackers to access arbitrary files on the system. | ||||
| CVE-2025-7864 | 2025-07-22 | 6.3 Medium | ||
| A vulnerability was found in thinkgem JeeSite up to 5.12.0. It has been classified as critical. This affects the function Upload of the file src/main/java/com/jeesite/modules/file/web/FileUploadController.java. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3585737d21fe490ff6948d913fcbd8d99c41fc08. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2025-20323 | 1 Splunk | 2 Splunk, Splunk Enterprise | 2025-07-21 | 4.3 Medium |
| In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the "admin" or "power" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app. | ||||
| CVE-2025-20229 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2025-07-21 | 8 High |
| In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the "$SPLUNK_HOME/var/run/splunk/apptemp" directory due to missing authorization checks. | ||||
| CVE-2025-20324 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2025-07-21 | 5.4 Medium |
| In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port. | ||||
| CVE-2025-44526 | 1 Realtek | 2 Rtl8762e Software Development Kit, Rtl8762ekf-evb | 2025-07-18 | 6.5 Medium |
| Realtek RTL8762EKF-EVB RTL8762E SDK V1.4.0 was discovered to utilize insufficient permission checks on critical fields within Bluetooth Low Energy (BLE) data packets. This issue allows attackers to cause a Denial of Service (DoS) via a crafted LL_Length_Req packet. | ||||
| CVE-2025-7565 | 1 Lb-link | 2 Bl-ac3600, Bl-ac3600 Firmware | 2025-07-17 | 5.3 Medium |
| A vulnerability, which was classified as critical, was found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function geteasycfg of the file /cgi-bin/lighttpd.cgi of the component Web Management Interface. The manipulation of the argument Password leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-50087 | 1 Oracle | 2 Mysql, Mysql Server | 2025-07-17 | 4.9 Medium |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N). | ||||