Total
3871 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-26645 | 1 Microsoft | 16 Remote Desktop Client, Windows 10 1507, Windows 10 1607 and 13 more | 2025-07-07 | 8.8 High |
| Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2024-49105 | 1 Microsoft | 17 Remote Desktop Client, Windows 10 1507, Windows 10 1607 and 14 more | 2025-07-07 | 8.4 High |
| Remote Desktop Client Remote Code Execution Vulnerability | ||||
| CVE-2025-24076 | 1 Microsoft | 5 Windows 11 22h2, Windows 11 23h2, Windows 11 24h2 and 2 more | 2025-07-07 | 7.3 High |
| Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2024-20319 | 1 Cisco | 1 Ios Xr | 2025-07-07 | 4.3 Medium |
| A vulnerability in the UDP forwarding code of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to bypass configured management plane protection policies and access the Simple Network Management Plane (SNMP) server of an affected device. This vulnerability is due to incorrect UDP forwarding programming when using SNMP with management plane protection. An attacker could exploit this vulnerability by attempting to perform an SNMP operation using broadcast as the destination address that could be processed by an affected device that is configured with an SNMP server. A successful exploit could allow the attacker to communicate to the device on the configured SNMP ports. Although an unauthenticated attacker could send UDP datagrams to the configured SNMP port, only an authenticated user can retrieve or modify data using SNMP requests. | ||||
| CVE-2025-6443 | 1 Mikrotik | 1 Routeros | 2025-07-06 | N/A |
| Mikrotik RouterOS VXLAN Source IP Improper Access Control Vulnerability. This vulnerability allows remote attackers to bypass access restrictions on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of remote IP addresses when processing VXLAN traffic. The issue results from the lack of validation of the remote IP address against configured values prior to allowing ingress traffic into the internal network. An attacker can leverage this vulnerability to gain access to internal network resources. Was ZDI-CAN-26415. | ||||
| CVE-2025-6837 | 1 Code-projects | 1 Library System | 2025-07-06 | 6.3 Medium |
| A vulnerability classified as critical was found in code-projects Library System 1.0. Affected by this vulnerability is an unknown functionality of the file /profile.php. The manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-6900 | 1 Code-projects | 1 Library System | 2025-07-06 | 6.3 Medium |
| A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file /add-book.php. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-35122 | 1 Ibm | 1 I | 2025-07-03 | 2.8 Low |
| IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to a file level local denial of service caused by an insufficient authority requirement. A local non-privileged user can configure a referential constraint with the privileges of a user socially engineered to access the target file. | ||||
| CVE-2025-24994 | 1 Microsoft | 3 Windows 11 22h2, Windows 11 23h2, Windows 11 24h2 | 2025-07-03 | 7.3 High |
| Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-27153 | 2025-07-03 | 6.5 Medium | ||
| Escalade GLPI plugin is a ticket escalation process helper for GLPI. Prior to version 2.9.11, there is an improper access control vulnerability. This can lead to data exposure and workflow disruptions. This issue has been patched in version 2.9.11. | ||||
| CVE-2025-53003 | 2025-07-03 | N/A | ||
| The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal surface attack area that exposes all sorts of information from the IDP including clients, users, scripts ..etc. This issue has been patched in version 1.8.0. A workaround for this vulnerability involves users forking and building the config api, patching it in their system following commit 92eea4d. | ||||
| CVE-2025-45081 | 2025-07-03 | 8.8 High | ||
| Misconfigured settings in IITB SSO v1.1.0 allow attackers to access sensitive application data. | ||||
| CVE-2025-45083 | 2025-07-03 | 6.1 Medium | ||
| Incorrect access control in Ullu (Android version v2.9.929 and IOS version v2.8.0) allows attackers to bypass parental pin feature via unspecified vectors. | ||||
| CVE-2025-50405 | 2025-07-03 | 6.5 Medium | ||
| Intelbras RX1500 Router v2.2.17 and before is vulnerable to Incorrect Access Control in the FirmwareUpload function and GetFirmwareValidation function. | ||||
| CVE-2025-52101 | 2025-07-03 | 9.8 Critical | ||
| linjiashop <=0.9 is vulnerable to Incorrect Access Control. When using the default-generated JWT authentication, attackers can bypass the authentication and retrieve the encrypted "password" and "salt". The password can then be obtained through brute-force cracking. | ||||
| CVE-2025-45424 | 2025-07-03 | 5.3 Medium | ||
| Incorrect access control in Xinference before v1.4.0 allows attackers to access the Web GUI without authentication. | ||||
| CVE-2012-6068 | 1 3s-software | 1 Codesys Runtime System | 2025-07-02 | 9.8 Critical |
| The Runtime Toolkit in CODESYS Runtime System 2.3.x and 2.4.x does not require authentication, which allows remote attackers to execute commands via the command-line interface in the TCP listener service or transfer files via requests to the TCP listener service. | ||||
| CVE-2024-7476 | 1 Lunary | 1 Lunary | 2025-07-02 | N/A |
| A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is resolved in version 1.4.3. | ||||
| CVE-2024-11137 | 1 Lunary | 1 Lunary | 2025-07-02 | N/A |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in the `PATCH /v1/runs/:id/score` endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which corresponds to the `runId_score` in the database. The endpoint does not sufficiently validate whether the authenticated user has permission to modify the specified runId, enabling an attacker with a valid account to modify other users' runId scores by specifying different id values. This issue was fixed in version 1.6.1. | ||||
| CVE-2024-10330 | 1 Lunary | 1 Lunary | 2025-07-02 | N/A |
| In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/` endpoint lacks proper access control, allowing any user associated with a project to fetch all evaluator data regardless of their role. This vulnerability permits low-privilege users to access potentially sensitive evaluation data. | ||||