Total
1083 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-65033 | 1 Rallly | 1 Rallly | 2025-11-24 | 8.1 High |
| Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4. | ||||
| CVE-2025-12288 | 1 Bdtask | 2 Pharmacare, Pharmacy Management System | 2025-11-24 | 4.3 Medium |
| A vulnerability was detected in Bdtask Pharmacy Management System up to 9.4. Affected is an unknown function of the file /user/edit_user/ of the component User Profile Handler. Performing manipulation results in authorization bypass. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12086 | 2 Wordpress, Wpswings | 2 Wordpress, Return Refund And Exchange For Woocommerce | 2025-11-24 | 4.3 Medium |
| The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the 'wps_rma_cancel_return_request' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users refund requests. | ||||
| CVE-2025-64688 | 1 Jetbrains | 1 Youtrack | 2025-11-21 | 7.4 High |
| In JetBrains YouTrack before 2025.3.104432 missing VCS URL validation allowed delegation to unauthorized repositories from the Junie widget | ||||
| CVE-2025-12766 | 1 Blackberry | 1 Athoc | 2025-11-21 | 5 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in the Management Console of BlackBerry® AtHoc® (OnPrem) version 7.21 could allow an attacker to potentially gain unauthorized knowledge about other organizations hosted on the same Interactive Warning System (IWS). | ||||
| CVE-2025-63513 | 1 Kishan0725 | 1 Hospital Management System | 2025-11-20 | 6.5 Medium |
| kishan0725 Hospital Management System v4 has an Insecure Direct Object Reference (IDOR) vulnerability in the appointment cancellation functionality. | ||||
| CVE-2023-38201 | 3 Fedoraproject, Keylime, Redhat | 9 Fedora, Keylime, Enterprise Linux and 6 more | 2025-11-20 | 6.5 Medium |
| A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database. | ||||
| CVE-2025-12427 | 2 Wordpress, Yithemes | 2 Wordpress, Yith Woocommerce Wishlist | 2025-11-20 | 5.3 Medium |
| The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale. | ||||
| CVE-2025-12524 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 5.4 Medium |
| The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact. | ||||
| CVE-2025-58627 | 1 Wordpress | 1 Wordpress | 2025-11-17 | 9.8 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous Core Plugin: from n/a through < 2.0.9. | ||||
| CVE-2025-8855 | 1 Optimus Software | 1 Brokerage Automation | 2025-11-15 | 8.1 High |
| Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry Information.This issue affects Brokerage Automation: before 1.1.71. | ||||
| CVE-2025-31357 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An unauthenticated attacker can obtain a user's plant list by knowing the username. | ||||
| CVE-2025-31933 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An unauthenticated attacker can check the existence of usernames in the system by querying an API. | ||||
| CVE-2025-31941 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An unauthenticated attacker can obtain a list of smart devices by knowing a valid username. | ||||
| CVE-2025-31949 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An authenticated attacker can obtain any plant name by knowing the plant ID. | ||||
| CVE-2025-24315 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users). | ||||
| CVE-2025-24850 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An attacker can export other users' plant information. | ||||
| CVE-2025-25276 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| An unauthenticated attacker can hijack other users' devices and potentially control them. | ||||
| CVE-2025-26857 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers). | ||||
| CVE-2025-27561 | 1 Growatt | 1 Cloud Portal | 2025-11-14 | 5.3 Medium |
| Unauthenticated attackers can rename "rooms" of arbitrary users. | ||||