Total
3610 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1888 | 1 Mattermost | 1 Mattermost Server | 2025-05-12 | 4.3 Medium |
| Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was already a guest in another team of the server | ||||
| CVE-2024-23488 | 1 Mattermost | 1 Mattermost Server | 2025-05-12 | 3.1 Low |
| Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to access files of archived channels even if the “Allow users to view archived channels” option is disabled. | ||||
| CVE-2024-1887 | 1 Mattermost | 1 Mattermost Server | 2025-05-12 | 4.3 Medium |
| Mattermost fails to check if compliance export is enabled when fetching posts of public channels allowing a user that is not a member of the public channel to fetch the posts, which will not be audited in the compliance export. | ||||
| CVE-2024-25723 | 1 Zenml | 1 Zenml | 2025-05-12 | 8.8 High |
| ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. These are also patched versions: 0.44.4, 0.43.1, and 0.42.2. | ||||
| CVE-2022-2052 | 1 Trumpf | 5 Job Order Interface, Oseon, Trutops Boost and 2 more | 2025-05-10 | 9.8 Critical |
| Multiple Trumpf Products in multiple versions use default privileged Windows users and passwords. An adversary may use these accounts to remotely gain full access to the system. | ||||
| CVE-2025-4036 | 1 Xxyopen | 1 Novel | 2025-05-10 | 6.3 Medium |
| A vulnerability was found in 201206030 Novel 3.5.0 and classified as critical. This issue affects the function updateBookChapter of the file src/main/java/io/github/xxyopen/novel/controller/author/AuthorController.java of the component Chapter Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-4064 | 1 Scriptandtools | 1 Online Traveling System | 2025-05-09 | 5.3 Medium |
| A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/viewenquiry.php. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-49842 | 1 Qualcomm | 358 Aqt1000, Aqt1000 Firmware, Ar8035 and 355 more | 2025-05-09 | 7.8 High |
| Memory corruption during memory mapping into protected VM address space due to incorrect API restrictions. | ||||
| CVE-2025-21469 | 1 Qualcomm | 40 Fastconnect 6700, Fastconnect 6700 Firmware, Fastconnect 6900 and 37 more | 2025-05-09 | 7.8 High |
| Memory corruption while processing image encoding, when input buffer length is 0 in IOCTL call. | ||||
| CVE-2025-21470 | 1 Qualcomm | 66 Aqt1000, Aqt1000 Firmware, Fastconnect 6200 and 63 more | 2025-05-09 | 7.8 High |
| Memory corruption while processing image encoding, when configuration is NULL in IOCTL parameter. | ||||
| CVE-2024-25121 | 1 Typo3 | 1 Typo3 | 2025-05-09 | 7.1 High |
| TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 version 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1 which fix the problem described. When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` & `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler->isImporting = true;`. | ||||
| CVE-2024-0570 | 1 Totolink | 2 N350rt, N350rt Firmware | 2025-05-09 | 7.3 High |
| A vulnerability classified as critical was found in Totolink N350RT 9.3.5u.6265. This vulnerability affects unknown code of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. It is recommended to upgrade the affected component. VDB-250786 is the identifier assigned to this vulnerability. | ||||
| CVE-2022-23241 | 1 Netapp | 1 Clustered Data Ontap | 2025-05-09 | 8.1 High |
| Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of the retention period. | ||||
| CVE-2023-51774 | 1 Json-jwt Project | 1 Json-jwt | 2025-05-08 | 8.4 High |
| The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode. | ||||
| CVE-2022-40798 | 1 Ocomon Project | 1 Ocomon | 2025-05-08 | 7.5 High |
| OcoMon 4.0RC1 is vulnerable to Incorrect Access Control. Through a request the user can obtain the real email, sending the same request with correct email its possible to account takeover. | ||||
| CVE-2024-24830 | 1 Openobserve | 1 Openobserve | 2025-05-08 | 10 Critical |
| OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2022-43429 | 1 Jenkins | 2 Compuware Topaz For Total Test, Jenkins | 2025-05-08 | 7.5 High |
| Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to read arbitrary files on the Jenkins controller file system. | ||||
| CVE-2016-5527 | 1 Oracle | 1 Agile Product Lifecycle Management | 2025-05-08 | N/A |
| Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality via unknown vectors, a different vulnerability than CVE-2016-5524. | ||||
| CVE-2016-5521 | 1 Oracle | 1 Agile Product Lifecycle Management | 2025-05-08 | N/A |
| Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2016-5512. | ||||
| CVE-2016-5526 | 1 Oracle | 1 Agile Product Lifecycle Management | 2025-05-08 | N/A |
| Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Apache Tomcat. | ||||