Total
2291 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-21691 | 2025-05-04 | 7.1 High | ||
| In the Linux kernel, the following vulnerability has been resolved: cachestat: fix page cache statistics permission checking When the 'cachestat()' system call was added in commit cf264e1329fb ("cachestat: implement cachestat syscall"), it was meant to be a much more convenient (and performant) version of mincore() that didn't need mapping things into the user virtual address space in order to work. But it ended up missing the "check for writability or ownership" fix for mincore(), done in commit 134fca9063ad ("mm/mincore.c: make mincore() more conservative"). This just adds equivalent logic to 'cachestat()', modified for the file context (rather than vma). | ||||
| CVE-2024-57683 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 4.3 Medium |
| An access control issue in the component websURLFilterAddDel of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the filter settings of the device via a crafted POST request. | ||||
| CVE-2024-57681 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 5.3 Medium |
| An access control issue in the component form2alg.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the agl service of the device via a crafted POST request. | ||||
| CVE-2024-57680 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 5.3 Medium |
| An access control issue in the component form2PortriggerRule.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the port trigger of the device via a crafted POST request. | ||||
| CVE-2024-57679 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 6.5 Medium |
| An access control issue in the component form2RepeaterSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G repeater service of the device via a crafted POST request. | ||||
| CVE-2024-57678 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 6.5 Medium |
| An access control issue in the component form2WlAc.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G mac access control list of the device via a crafted POST request. | ||||
| CVE-2024-57677 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 6.5 Medium |
| An access control issue in the component form2Wan.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the wan service of the device via a crafted POST request. | ||||
| CVE-2024-57676 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-05-02 | 6.5 Medium |
| An access control issue in the component form2WlanBasicSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G wlan service of the device via a crafted POST request. | ||||
| CVE-2023-34051 | 1 Vmware | 1 Aria Operations For Logs | 2025-05-02 | 9.8 Critical |
| VMware Aria Operations for Logs contains an authentication bypass vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution. | ||||
| CVE-2025-46569 | 2025-05-02 | 8.1 High | ||
| Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used for policy evaluation. A HTTP request path can be crafted in a way that injects Rego code into the constructed query. The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack. This issue has been patched in version 1.4.0. A workaround involves having network access to OPA’s RESTful APIs being limited to `localhost` and/or trusted networks, unless necessary for production reasons. | ||||
| CVE-2025-40619 | 2025-05-02 | N/A | ||
| Bookgy does not provide for proper authorisation control in multiple areas of the application. This deficiency could allow a malicious actor, without authentication, to reach private areas and/or areas intended for other roles. | ||||
| CVE-2025-23244 | 1 Nvidia | 1 Gpu Display Driver | 2025-05-02 | 7.8 High |
| NVIDIA GPU Display Driver for Linux contains a vulnerability which could allow an unprivileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2022-3819 | 1 Gitlab | 1 Gitlab | 2025-05-01 | 3.5 Low |
| An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a malicious users to set emojis on internal notes they don't have access to. | ||||
| CVE-2025-27188 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-05-01 | 4.3 Medium |
| Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. | ||||
| CVE-2024-43433 | 1 Moodle | 1 Moodle | 2025-05-01 | 5.3 Medium |
| A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users. | ||||
| CVE-2024-48176 | 1 Lylme | 1 Lylme Spage | 2025-05-01 | 9.8 Critical |
| Lylme Spage v1.9.5 is vulnerable to Incorrect Access Control. There is no limit on the number of login attempts, and the verification code will not be refreshed after a failed login, which allows attackers to blast the username and password and log into the system backend. | ||||
| CVE-2024-39871 | 1 Siemens | 1 Sinema Remote Connect Server | 2025-05-01 | 6.3 Medium |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected applications do not properly separate the rights to edit device settings and to edit settings for communication relations. This could allow an authenticated attacker with the permission to manage devices to gain access to participant groups that the attacked does not belong to. | ||||
| CVE-2025-24206 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-05-01 | 7.7 High |
| An authentication issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to bypass authentication policy. | ||||
| CVE-2022-42978 | 1 Atlassian | 1 Confluence Data Center | 2025-04-30 | 7.5 High |
| In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system. | ||||
| CVE-2024-42773 | 2 Jayesh, Kashipara | 2 Hotel Management System, Hotel Management System | 2025-04-30 | 9.1 Critical |
| An Incorrect Access Control vulnerability was found in /admin/edit_room_controller.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to edit the valid hotel room entries in the administrator section. | ||||