Total
9517 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46669 | 1 Elastic | 2 Elastic Agent, Endpoint Security | 2025-10-01 | N/A | 6.2 MEDIUM |
| Exposure of sensitive information to local unauthorized actors in Elastic Agent and Elastic Security Endpoint can lead to loss of confidentiality and impersonation of Endpoint to the Elastic Stack. This issue was identified by Elastic engineers and Elastic has no indication that it is known or has been exploited by malicious actors. | |||||
| CVE-2024-52523 | 1 Nextcloud | 1 Nextcloud Server | 2025-10-01 | N/A | 4.6 MEDIUM |
| Nextcloud Server is a self hosted personal cloud system. After setting up a user or administrator defined external storage with fixed credentials, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2 and Nextcloud Enterprise Server is upgraded to 25.0.13.14, 26.0.13.10, 27.1.11.10, 28.0.12, 29.0.9 or 30.0.2. | |||||
| CVE-2024-52508 | 1 Nextcloud | 1 Mail | 2025-10-01 | N/A | 8.2 HIGH |
| Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0. | |||||
| CVE-2024-52513 | 1 Nextcloud | 1 Nextcloud Server | 2025-10-01 | N/A | 2.6 LOW |
| Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1. | |||||
| CVE-2024-43707 | 1 Elastic | 1 Kibana | 2025-09-30 | N/A | 7.7 HIGH |
| An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions. | |||||
| CVE-2022-28224 | 1 Tigera | 2 Calico, Calico Enterprise | 2025-09-30 | 5.5 MEDIUM | 5.5 MEDIUM |
| Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod. | |||||
| CVE-2024-34029 | 1 Mattermost | 1 Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM |
| Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1 and 8.1.x <= 8.1.12 fail to perform a proper authorization check in the /api/v4/groups/<group-id>/channels/<channel-id>/link endpoint which allows a user to learn the members of an AD/LDAP group that is linked to a team by adding the group to a channel, even if the user has no access to the team. | |||||
| CVE-2025-10093 | 1 Dlink | 2 Dir-852, Dir-852 Firmware | 2025-09-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was identified in D-Link DIR-852 up to 1.00CN B09. Affected by this vulnerability is the function phpcgi_main of the file /getcfg.php of the component Device Configuration Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-59535 | 1 Dnnsoftware | 1 Dotnetnuke | 2025-09-29 | N/A | 6.5 MEDIUM |
| DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. This issue has been patched in version 10.1.0. | |||||
| CVE-2024-56136 | 1 Zulip | 1 Zulip Server | 2025-09-27 | N/A | 5.3 MEDIUM |
| Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulnerable to an information disclose attack, where, if a Zulip server is hosting multiple organizations, an unauthenticated user can make a request and determine if an email address is in use by a user. Zulip Server 9.4 resolves the issue, as does the `main` branch of Zulip Server. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2024-52323 | 1 Zohocorp | 1 Manageengine Analytics Plus | 2025-09-26 | N/A | 8.1 HIGH |
| Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin account. | |||||
| CVE-2025-10952 | 2025-09-26 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A security flaw has been discovered in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected by this issue is the function stream_handler of the file ml_logger/server.py of the component File Handler. Performing manipulation of the argument key results in information disclosure. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | |||||
| CVE-2025-59019 | 1 Typo3 | 1 Typo3 | 2025-09-26 | N/A | 4.3 MEDIUM |
| Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to disclose information from arbitrary database tables stored within the users' web mounts without having access to them. | |||||
| CVE-2025-59018 | 1 Typo3 | 1 Typo3 | 2025-09-26 | N/A | 6.5 MEDIUM |
| Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access. | |||||
| CVE-2025-46813 | 1 Discourse | 1 Discourse | 2025-09-26 | N/A | 5.8 MEDIUM |
| Discourse is an open-source community platform. A data leak vulnerability affects sites deployed between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. On login-required sites, the leak meant that some content on the site's homepage could be visible to unauthenticated users. Only login-required sites that got deployed during this timeframe are affected, roughly between April 30 2025 noon EDT and May 2 2025, noon EDT. Sites on the stable branch are unaffected. Private content on an instance's homepage could be visible to unauthenticated users on login-required sites. Versions of 3.5.0.beta4 after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b are not vulnerable to the issue. No workarounds are available. Sites must upgrade to a non-vulnerable version of Discourse. | |||||
| CVE-2024-28242 | 1 Discourse | 1 Discourse | 2025-09-26 | N/A | 5.3 MEDIUM |
| Discourse is an open source platform for community discussion. In affected versions an attacker can learn that secret categories exist when they have backgrounds set. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should temporarily remove category backgrounds. | |||||
| CVE-2025-34185 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-09-25 | N/A | 7.5 HIGH |
| Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains a pre-authentication file disclosure vulnerability via the 'db_log' POST parameter. Remote attackers can retrieve arbitrary files from the server, exposing sensitive system information and credentials. | |||||
| CVE-2014-0778 | 1 Progea | 1 Movicon | 2025-09-24 | 4.3 MEDIUM | N/A |
| TCPUploader module listens on Port 10651/TCP for incoming connections. Exploitation of this vulnerability could allow a remote unauthenticated user access to release OS version information. While this is a minor vulnerability, it represents a method for further network reconnaissance. | |||||
| CVE-2025-54376 | 1 Hoverfly | 1 Hoverfly | 2025-09-24 | N/A | 7.5 HIGH |
| Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can stream real-time application logs (information disclosure) and/or gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. Version 1.12.0 contains a fix for the issue. | |||||
| CVE-2025-50708 | 2025-09-23 | N/A | 7.5 HIGH | ||
| An issue in Perplexity AI GPT-4 v.2.51.0 allows a remote attacker to obtain sensitive information via the token component in the shared chat URL | |||||