Total
4017 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10684 | 2026-01-09 | N/A | 4.3 MEDIUM | ||
| The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary . | |||||
| CVE-2025-64423 | 1 Coollabs | 1 Coolify | 2026-01-09 | N/A | 8.8 HIGH |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available. | |||||
| CVE-2026-0589 | 1 Fabian | 1 Online Product Reservation System | 2026-01-09 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. | |||||
| CVE-2025-14703 | 1 Sgwbox | 2 N3, N3 Firmware | 2026-01-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been found in Shiguangwu sgwbox N3 2.0.25. The affected element is an unknown function of the file /fsnotify of the component POST Message Handler. The manipulation of the argument token leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-64055 | 1 Fanvil | 2 X210, X210 Firmware | 2026-01-09 | N/A | 9.8 CRITICAL |
| An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass. | |||||
| CVE-2025-15099 | 1 Sim | 1 Sim | 2026-01-08 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue. | |||||
| CVE-2025-6083 | 1 Extremenetworks | 1 Extremecloud Universal Ztna | 2026-01-08 | N/A | 4.3 MEDIUM |
| In ExtremeCloud Universal ZTNA, a syntax error in the 'searchKeyword' condition caused queries to bypass the owner_id filter. This issue may allow users to search data across the entire table instead of being restricted to their specific owner_id. | |||||
| CVE-2025-15346 | 2026-01-08 | N/A | N/A | ||
| A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced. Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided. This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake. The issue affects versions up to and including 5.8.2. | |||||
| CVE-2025-56333 | 1 Pangolin | 1 Pangolin | 2026-01-07 | N/A | 9.8 CRITICAL |
| An issue in Fossorial fosrl/pangolin v.1.6.2 and before allows a remote attacker to escalate privileges via the 2FA component | |||||
| CVE-2025-59704 | 1 Entrust | 10 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc Base and 7 more | 2026-01-06 | N/A | 4.6 MEDIUM |
| Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an attacker to gain access the the BIOS menu because is has no password. | |||||
| CVE-2024-24554 | 1 Bludit | 1 Bludit | 2026-01-02 | N/A | 8.2 HIGH |
| Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the user token. This allows attackers to authenticate against the Bludit API. | |||||
| CVE-2025-66022 | 1 Owasp | 1 Faction | 2026-01-02 | N/A | 9.6 CRITICAL |
| FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1. | |||||
| CVE-2025-14908 | 1 Jeecg | 1 Jeecg Boot | 2025-12-30 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the component Multi-Tenant Management Module. Performing manipulation of the argument ID results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The patch is named e1c8f00bf2a2e0edddbaa8119afe1dc92d9dc1d2/67795493bdc579e489d3ab12e52a1793c4f8a0ee. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2025-9803 | 1 Lunary | 1 Lunary | 2025-12-30 | N/A | 8.8 HIGH |
| lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35. | |||||
| CVE-2025-61922 | 1 Prestashop | 1 Prestashop Checkout | 2025-12-29 | N/A | 9.1 CRITICAL |
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | |||||
| CVE-2025-15135 | 2025-12-29 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 4.0.0 will fix this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-15097 | 2025-12-29 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was found in Alteryx Server. Affected by this issue is some unknown functionality of the file /gallery/api/status/. Performing manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. Upgrading to version 2023.1.1.13.486, 2023.2.1.10.293, 2024.1.1.9.236, 2024.2.1.6.125 and 2025.1.1.1.31 can resolve this issue. Upgrading the affected component is recommended. | |||||
| CVE-2025-66174 | 1 Hikvision | 4 Ds-7104hghi-f1, Ds-7104hghi-f1 Firmware, Ds-7204hghi-f1 and 1 more | 2025-12-23 | N/A | 6.5 MEDIUM |
| There is an improper authentication vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and run a series of commands. | |||||
| CVE-2025-65431 | 1 Allauth | 1 Allauth | 2025-12-23 | N/A | 5.4 MEDIUM |
| An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead. | |||||
| CVE-2025-14567 | 1 Haxxorsid | 1 Stock-management-system | 2025-12-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| A weakness has been identified in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This affects an unknown function of the file /api/employees. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. | |||||