DATE |
NAME |
INFO |
CWE |
|
| 2025-12-29 | MongoDB | MongoDB and MongoDB Server | CVE-2025-14847 | MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability: MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by an unauthenticated client. | CWE-130 |
| 2025-12-22 | Digiever | DS-2105 Pro | CVE-2023-52163 | Digiever DS-2105 Pro Missing Authorization Vulnerability: Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi. | CWE-862 |
| 2025-12-19 | WatchGuard | Firebox | CVE-2025-14733 | WatchGuard Firebox Out of Bounds Write Vulnerability: WatchGuard Fireware OS iked process contains an out of bounds write vulnerability in the OS iked process. This vulnerability may allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer. | CWE-787 |
| 2025-12-17 | Cisco | Multiple Products | CVE-2025-20393 | Cisco Multiple Products Improper Input Validation Vulnerability: Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. | CWE-20 |
| 2025-12-17 | SonicWall | SMA1000 appliance | CVE-2025-40602 | SonicWall SMA1000 Missing Authorization Vulnerability: SonicWall SMA1000 contains a missing authorization vulnerability that could allow for privilege escalation appliance management console (AMC) of affected devices. |
|
| 2025-12-17 | ASUS | Live Update | CVE-2025-59374 | ASUS Live Update Embedded Malicious Code Vulnerability: ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. | CWE-506 |
| 2025-12-16 | Fortinet | Multiple Products | CVE-2025-59718 | Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability: Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb contain an improper verification of cryptographic signature vulnerability that may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory. | CWE-347 |
| 2025-12-15 | Apple | Multiple Products | CVE-2025-43529 | Apple Multiple Products Use-After-Free WebKit Vulnerability: Apple iOS, iPadOS, macOS, and other Apple products contain a use-after-free vulnerability in WebKit. Processing maliciously crafted web content may lead to memory corruption. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing. | CWE-416 |
| 2025-12-15 | Gladinet | CentreStack and Triofox | CVE-2025-14611 | Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability: Gladinet CentreStack and TrioFox contain a hardcoded cryptographic keys vulnerability for their implementation of the AES cryptoscheme. This vulnerability degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. | CWE-798 |
|
2025-12-12 |
Google | Chromium |
Google Chromium Out of Bounds Memory Access Vulnerability: Google Chromium contains an out of bounds memory access vulnerability in ANGLE that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. |
||
|
2025-12-12 |
Sierra Wireless | AirLink ALEOS |
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability: Sierra Wireless AirLink ALEOS contains an unrestricted upload of file with dangerous type vulnerability. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
||
|
2025-12-11 |
OSGeo | GeoServer |
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability: OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request. |
||
|
2025-12-09 |
Microsoft | Windows |
Microsoft Windows Use After Free Vulnerability: Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally. |
||
|
2025-12-09 |
RARLAB | WinRAR |
RARLAB WinRAR Path Traversal Vulnerability: RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user. |
||
|
2025-12-08 |
Array Networks | ArrayOS AG |
Array Networks ArrayOS AG OS Command Injection Vulnerability: Array Networks ArrayOS AG contains an OS command injection vulnerability that could allow an attacker to execute arbitrary commands. |
||
|
2025-12-08 |
D-Link | Routers |
D-Link Routers Buffer Overflow Vulnerability: D-Link Routers contains a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
||
|
2025-12-05 |
Meta | React Server Components |
Meta React Server Components Remote Code Execution Vulnerability: Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182. |
||
|
2025-12-03 |
OpenPLC | ScadaBR |
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability: OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. |
||
|
2025-12-02 |
Android | Framework |
Android Framework Privilege Escalation Vulnerability: Android Framework contains an unspecified vulnerability that allows for privilege escalation. |
||
|
2025-12-02 |
Android | Framework |
Android Framework Information Disclosure Vulnerability: Android Framework contains an unspecified vulnerability that allows for information disclosure. |
||
|
2025-11-28 |
OpenPLC | ScadaBR |
OpenPLC ScadaBR Cross-site Scripting Vulnerability: OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm. |
||
|
2025-11-21 |
Oracle | Fusion Middleware |
Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability: Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager. |
||
|
2025-11-19 |
Google | Chromium V8 |
Google Chromium V8 Type Confusion Vulnerability: Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption. |
||
|
2025-11-18 |
Fortinet | FortiWeb |
Fortinet FortiWeb OS Command Injection Vulnerability: Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. |
||
|
2025-11-14 |
Fortinet | FortiWeb |
Fortinet FortiWeb Path Traversal Vulnerability: Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. |
||
|
2025-11-12 |
WatchGuard | Firebox |
WatchGuard Firebox Out-of-Bounds Write Vulnerability: WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code. |
||
|
2025-11-12 |
Microsoft | Windows |
Microsoft Windows Race Condition Vulnerability: Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access. |
||
|
2025-11-12 |
Gladinet | Triofox |
Gladinet Triofox Improper Access Control Vulnerability: Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete. |
||
|
2025-11-10 |
Samsung | Mobile Devices |
Samsung Mobile Devices Out-of-Bounds Write Vulnerability: Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so. This vulnerability could allow remote attackers to execute arbitrary code. |
||
|
2025-11-04 |
Gladinet | CentreStack and Triofox |
Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability: Gladinet CentreStack and Triofox contains a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files. |
||
|
2025-11-04 |
CWP | Control Web Panel |
CWP Control Web Panel OS Command Injection Vulnerability: CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known. |
||
|
2025-10-30 |
XWiki | Platform |
XWiki Platform Eval Injection Vulnerability: XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch. |
||
|
2025-10-30 |
Broadcom | VMware Aria Operations and VMware Tools |
Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability: Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM. |
||
|
2025-10-28 |
Dassault Systèmes | DELMIA Apriso |
Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability: Dassault Systèmes DELMIA Apriso contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the application. |
||
|
2025-10-28 |
Dassault Systèmes | DELMIA Apriso |
Dassault Systèmes DELMIA Apriso Code Injection Vulnerability: Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow an attacker to execute arbitrary code. |
||
|
2025-10-24 |
Microsoft | Windows |
Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability: Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution. |
||
|
2025-10-24 |
Adobe | Commerce and Magento |
Adobe Commerce and Magento Improper Input Validation Vulnerability: Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API. |
||
|
2025-10-22 |
Motex | LANSCOPE Endpoint Manage |
Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability: Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability allowing an attacker to execute arbitrary code by sending specially crafted packets. |
||
|
2025-10-20 |
Oracle | E-Business Suite |
Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability: Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication. |
||
|
2025-10-20 |
Microsoft | Windows |
Microsoft Windows SMB Client Improper Access Control Vulnerability: Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate. |
||
|
2025-10-20 |
Kentico | Xperience CMS |
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability: Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects. |
||
|
2025-10-20 |
Kentico | Xperience CMS |
Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability: Kentico Xperience CMS contains an authentication bypass using an alternate path or channel vulnerability that could allow an attacker to control administrative objects. |
||
|
2025-10-20 |
Apple | Multiple Products |
Apple Multiple Products Unspecified Vulnerability: Apple macOS, iOS, tvOS, Safari, and watchOS contain an unspecified vulnerability in JavaScriptCore that when processing web content may lead to arbitrary code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
|
|
|
2025-10-15 |
Adobe | Experience Manager (AEM) Form |
Adobe Experience Manager Forms Code Execution Vulnerability: Adobe Experience Manager Forms in JEE contains an unspecified vulnerability that allows for arbitrary code execution. |
|
|
|
2025-10-14 |
SKYSEA | Client View |
SKYSEA Client View Improper Authentication Vulnerability: SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program. |
||
|
2025-10-14 |
Microsoft | Windows |
Microsoft Windows Improper Access Control Vulnerability: Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally. |
||
|
2025-10-14 |
Microsoft | Windows |
Microsoft Windows Untrusted Pointer Dereference Vulnerability: Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges. |
||
|
2025-10-14 |
IGEL | IGEL OS |
IGEL OS Use of a Key Past its Expiration Date Vulnerability: IGEL OS contains a use of a key past its expiration date vulnerability that allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image. |
||
|
2025-10-09 |
Grafana Labs | Grafana |
Grafana Path Traversal Vulnerability: Grafana contains a path traversal vulnerability that could allow access to local files. |
||
|
2025-10-07 |
Synacor | Zimbra Collaboration Suite (ZCS) |
Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration. |
||
|
2025-10-06 |
Oracle | E-Business Suite |
Oracle E-Business Suite Unspecified Vulnerability: Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks can result in takeover of Oracle Concurrent Processing. |
|
|
|
2025-10-06 |
Mozilla | Multiple Products |
Mozilla Multiple Products Remote Code Execution Vulnerability: Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption. |
|
|
|
2025-10-06 |
Microsoft | Windows |
Microsoft Windows Remote Code Execution Vulnerability: Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page. |
|
|
|
2025-10-06 |
Microsoft | Windows |
Microsoft Windows Out-of-Bounds Write Vulnerability: Microsoft Windows contains an out-of-bounds write vulnerability in the InformationCardSigninHelper Class ActiveX control, icardie.dll. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
|
|
|
2025-10-06 |
Microsoft | Windows |
Microsoft Windows Privilege Escalation Vulnerability: Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms. |
|
|
|
2025-10-06 |
Microsoft | Internet Explorer |
Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability: Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
|
|
|
2025-10-06 |
Linux | Kernel |
Linux Kernel Heap Out-of-Bounds Write Vulnerability: Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space. |
||
|
2025-10-02 |
Smartbedded | Meteobridge |
Smartbedded Meteobridge Command Injection Vulnerability: Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices. |
||
|
2025-10-02 |
Samsung | Mobile Devices |
Samsung Mobile Devices Out-of-Bounds Write Vulnerability: Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so which allows remote attackers to execute arbitrary code. |
||
|
2025-10-02 |
Juniper | ScreenOS |
Juniper ScreenOS Improper Authentication Vulnerability: Juniper ScreenOS contains an improper authentication vulnerability that could allow unauthorized remote administrative access to the device. |
||
|
2025-10-02 |
Jenkins | Jenkins |
Jenkins Remote Code Execution Vulnerability: Jenkins contains a remote code execution vulnerability. This vulnerability that could allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism. |
|
|
|
2025-10-02 |
GNU | GNU Bash |
GNU Bash OS Command Injection Vulnerability: GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment. |
||
|
2025-09-29 |
Adminer | Adminer |
Adminer Server-Side Request Forgery Vulnerability: Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information. |
||
|
2025-09-29 |
Cisco | IOS and IOS XE |
Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability: Cisco IOS and IOS XE contains a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system. |
||
|
2025-09-29 |
Fortra | GoAnywhere MFT |
Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability: Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection. |
||
|
2025-09-29 |
Libraesva | Email Security Gateway |
Libraesva Email Security Gateway Command Injection Vulnerability: Libraesva Email Security Gateway (ESG) contains a command injection vulnerability which allows command injection via a compressed e-mail attachment. |
||
|
2025-09-29 |
Sudo | Sudo |
Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability: Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. |
||
|
2025-09-26 |
Cisco | Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense |
Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability: Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362. |
||
|
2025-09-25 |
Cisco | Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense |
Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability: Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333. |
||
|
2025-09-23 |
Google | Chromium V8 |
Google Chromium V8 Type Confusion Vulnerability: Google Chromium contains a type confusion vulnerability in the V8 JavaScript and WebAssembly engine. |
||
|
2025-09-11 |
Dassault Systèmes | DELMIA Apriso |
Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability: Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution. |
||
|
2025-09-04 |
|
Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability: Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys. This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution. |
||
|
2025-09-04 |
|
Android Runtime Use-After-Free Vulnerability: Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation. |
|
|
|
2025-09-04 |
|
Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability: Linux kernel contains a time-of-check time-of-use (TOCTOU) race condition vulnerability that has a high impact on confidentiality, integrity, and availability. |
||
|
2025-09-03 |
|
TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability: TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
||
|
2025-09-03 |
|
TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability: TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclose of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
||
|
2025-09-02
|
|
Meta Platforms WhatsApp Incorrect Authorization Vulnerability: Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. |
||
|
2025-09-02 |
|
TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability: TP-link TL-WA855RE contains a missing authentication for critical function vulnerability. This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
||
|
2025-08-29 |
Sangoma | FreePBX |
Sangoma FreePBX Authentication Bypass Vulnerability: Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. |
||
|
2025-08-26 |
|
Citrix NetScaler Memory Overflow Vulnerability: Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service. |
||
|
2025-08-25 |
Citrix Session Recording Deserialization of Untrusted Data Vulnerability: Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account access. Attacker must be an authenticated user on the same intranet as the session recording server. |
|||
|
2025-08-25 |
Citrix Session Recording Improper Privilege Management Vulnerability: Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server domain. |
|||
|
2025-08-25 |
Git Link Following Vulnerability: Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files. |
|||
|
2025-08-21 |
Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability: Apple iOS, iPadOS, and macOS contain an out-of-bounds write vulnerability in the Image I/O framework. |
|||
|
2025-08-18 |
Trend Micro Apex One OS Command Injection Vulnerability: Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. |
|||
|
2025-08-13 |
N-able N-Central Insecure Deserialization Vulnerability: N-able N-Central contains an insecure deserialization vulnerability that could lead to command execution. |
|
||
|
2025-08-13 |
N-able | N-Central |
N-able N-Central Command Injection Vulnerability: N-able N-Central contains a command injection vulnerability via improper sanitization of user input. |
|
|
|
2025-08-12 |
Microsoft Internet Explorer Resource Management Errors Vulnerability: Microsoft Internet Explorer contains a memory corruption vulnerability that allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
|||
|
2025-08-12 |
Microsoft Office Excel Remote Code Execution Vulnerability: Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This malicious file could be delivered as an email attachment or hosted on a malicious website. An attacker could leverage this vulnerability by creating a specially crafted Excel file, which, when opened, allowing an attacker to execute remote code on the affected system. |
|
||
|
2025-08-12 |
RARLAB WinRAR Path Traversal Vulnerability: RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary code by crafting malicious archive files. |
|||
|
2025-08-05
|
D-Link DNR-322L Download of Code Without Integrity Check Vulnerability: D-Link DNR-322L contains a download of code without integrity check vulnerability that could allow an authenticated attacker to execute OS level commands on the device. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
|||
|
2025-08-05 |
D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability: D-Link DCS-2530L and DCS-2670L devices contains a command injection vulnerability in the cgi-bin/ddns_enc.cgi. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
|||
|
2025-08-05 |
D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability: D-Link DCS-2530L and DCS-2670L devices contains an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. |
|
||
|
2025-07-28 |
Cisco Identity Services Engine Injection Vulnerability: Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device. |
|||
|
2025-07-28 |
Cisco Identity Services Engine Injection Vulnerability: Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device. |
|||
|
2025-07-28 |
PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability: PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. |
|||
|
2025-07-22 |
Microsoft | SharePoint |
Microsoft SharePoint Improper Authentication Vulnerability: Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow an attacker to view sensitive information and make some changes to disclosed information. This vulnerability could be chained with CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706 |
||
|
2025-07-22 |
Microsoft | SharePoint |
Microsoft SharePoint Code Injection Vulnerability: Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. |
||
|
2025-07-22 |
CrushFTP | CrushFTP |
CrushFTP Unprotected Alternate Channel Vulnerability: CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS. |
||
|
2025-07-22 |
Google | Chromium |
Google Chromium ANGLE and GPU Improper Input Validation Vulnerability: Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. |
||
|
2025-07-22 |
SysAid | SysAid On-Prem |
SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability: SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives. |
||
|
2025-07-22 |
SysAid | SysAid On-Prem |
SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability: SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives. |
||
|
2025-07-20 |
Microsoft | SharePoint |
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability: Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. |
||
|
2025-07-18 |
Fortinet | FortiWeb |
Fortinet FortiWeb SQL Injection Vulnerability: Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. |
||
|
2025-08-04 |
Wing FTP Server |
Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability: Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). |
||
|
2025-07-11 |
NetScaler ADC and Gateway |
Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability: Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. |
||
|
2025-07-28 |
Multi-Router Looking Glass (MRLG) |
Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability: Multi-Router Looking Glass (MRLG) contains a buffer overflow vulnerability that could allow remote attackers to cause an arbitrary memory write and memory corruption. |
||
|
2025-07-28 |
PHPMailer |
PHPMailer Command Injection Vulnerability: PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition. |
|
|
|
2025-07-28 |
Ruby on Rails |
Rails Ruby on Rails Path Traversal Vulnerability: Rails Ruby on Rails contains a path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents. |
||
|
2025-07-28 |
Zimbra Collaboration Suite (ZCS) |
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component. |
||
|
2025-07-23 |
Chromium V8 |
Google Chromium V8 Type Confusion Vulnerability: Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. |
||
|
2025-07-22 |
TeleMessage |
TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability: TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI. |
||
|
2025-07-22 |
TeleMessage |
TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability: TeleMessage TM SGNL contains an exposure of core dump file to an unauthorized control sphere Vulnerability. This vulnerability is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump. |
||
|
2025-07-21 |
Citrix |
Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability: Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. |
||
|
2025-07-16 |
AMI |
AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability: AMI MegaRAC SPx contains an authentication bypass by spoofing vulnerability in the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. |
||
|
2025-07-16 |
D-Link |
D-Link DIR-859 Router Path Traversal Vulnerability: D-Link DIR-859 routers contain a path traversal vulnerability in the file /hedwig.cgi of the component HTTP POST Request Handler. Manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. |
||
|
2025-07-16 |
Fortinet |
Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability: Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup file via knowledge of the hard-coded key. |
||
|
2025-07-08 |
Linux |
Linux Kernel Improper Ownership Management Vulnerability: Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system. |
||
|
2025-07-07 |
Apple |
Apple Multiple Products Unspecified Vulnerability: Apple iOS, iPadOS, macOS, watchOS, and visionOS, contain an unspecified vulnerability when processing a maliciously crafted photo or video shared via an iCloud Link. |
||
|
2025-07-01 |
Microsoft |
Microsoft Windows External Control of File Name or Path Vulnerability: Microsoft Windows contains an external control of file name or path vulnerability that could allow an attacker to execute code from a remote WebDAV location specified by the WorkingDirectory attribute of Internet Shortcut files. |
||
|
2025-07-01 |
Wazuh |
Wazuh Server Deserialization of Untrusted Data Vulnerability: Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers. |
||
|
2025-06-30 |
Erlang |
Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability: Erlang Erlang/OTP SSH server contains a missing authentication for critical function vulnerability. This could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE). |
||
|
2025-06-26 |
|
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability: Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. |
||
|
2025-06-24 |
Qualcomm |
Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability: Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands. |
||
|
2025-06-24 |
Qualcomm |
Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability: Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands. |
||
|
2025-06-24 |
Qualcomm |
Qualcomm Multiple Chipsets Use-After-Free Vulnerability: Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome. |
||
|
2025-06-23 |
ConnectWise |
ConnectWise ScreenConnect Improper Authentication Vulnerability: ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised. |
||
|
2025-06-23 |
Craft CMS |
Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability: Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432. |
||
|
2025-06-12 |
Samsung |
Samsung MagicINFO 9 Server Path Traversal Vulnerability: Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority. |
||
|
2025-06-09 |
Srimax |
Srimax Output Messenger Directory Traversal Vulnerability: Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access. |
||
|
2025-06-09 |
Ivanti |
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability: Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. |
||
|
2025-06-09 |
Ivanti |
Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability: Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework open-source library. |
||
|
2025-06-05 |
SAP |
SAP NetWeaver Deserialization Vulnerability: SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content. |
||
|
2025-06-04 |
Fortinet |
Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability: Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests. |
||
|
2025-06-03 |
Microsoft |
Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability: Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally. |
||
|
2025-06-03 |
Microsoft |
Microsoft Windows DWM Core Library Use-After-Free Vulnerability: Microsoft Windows DWM Core Library contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally. |
||
|
2025-06-03 |
Microsoft |
Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability: Microsoft Windows Common Log File System (CLFS) Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally. |
||
|
2025-06-03 |
Microsoft |
Microsoft Windows Scripting Engine Type Confusion Vulnerability: Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL. |
||
|
2025-06-03 |
Microsoft |
Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability: Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator. |
||
|
2025-06-02 |
TeleMessage |
TeleMessage TM SGNL Hidden Functionality Vulnerability: TeleMessage TM SGNL contains a hidden functionality vulnerability in which the archiving backend holds cleartext copies of messages from TM SGNL application users. |
||
|
2025-05-27 |
FreeType |
FreeType Out-of-Bounds Write Vulnerability: FreeType contains an out-of-bounds write vulnerability when attempting to parse font subglyph structures related to TrueType GX and variable font files that may allow for arbitrary code execution. |
||
|
2025-05-26 |
Langflow |
Langflow Missing Authentication Vulnerability: Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests. |
||
|
2025-05-23 |
Commvault |
Commvault Command Center Path Traversal Vulnerability: Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code. |
||
|
2025-05-23 |
Yiiframework |
Yiiframework Yii Improper Protection of Alternate Path Vulnerability: Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432. |