Total
4017 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-52210 | 2025-12-23 | N/A | 5.3 MEDIUM | ||
| Vulnerability in Tyche softwares Product Delivery Date for WooCommerce – Lite.This issue affects Product Delivery Date for WooCommerce – Lite: from n/a through 2.7.0. | |||||
| CVE-2025-13427 | 2025-12-19 | N/A | N/A | ||
| An authentication bypass vulnerability in Google Cloud Dialogflow CX Messenger allowed unauthenticated users to interact with restricted chat agents, gaining access to the agents' knowledge and the ability to trigger their intents, by manipulating initialization parameters or crafting specific API requests. All versions after August 20th, 2025 have been updated to protect from this vulnerability. No user action is required for this. | |||||
| CVE-2025-14746 | 1 Shenzhenningyuandatechnology | 2 Tc155, Tc155 Firmware | 2025-12-18 | 3.3 LOW | 4.3 MEDIUM |
| A vulnerability has been found in Ningyuanda TC155 57.0.2.0. The affected element is an unknown function of the component RTSP Live Video Stream Endpoint. Such manipulation leads to improper authentication. The attack must be carried out from within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-67791 | 1 Drivelock | 1 Drivelock | 2025-12-18 | N/A | 9.8 CRITICAL |
| An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 through 25.1.*. An incomplete configuration (agent authentication) in DriveLock tenant allows attackers to impersonate any DriveLock agent on the network against the DES (DriveLock Enterprise Service). | |||||
| CVE-2025-14097 | 2025-12-18 | N/A | 7.2 HIGH | ||
| A vulnerability in the application software of multiple Radiometer products may allow remote code execution and unauthorized device management when specific internal conditions are met. Exploitation requires that a remote connection is established with additional information obtained through other means. The issue is caused by a weakness in the analyzer’s application software. Other related CVE's are CVE-2025-14095 & CVE-2025-14096. Affected customers have been informed about this vulnerability. This CVE is being published to provide transparency. Required Configuration for Exposure: Affected application software version is in use and remote support feature is enabled in the analyzer. Temporary work Around: If the network is not considered secure, please remove the analyzer from the network. Permanent solution: Customers should ensure the following: • The network is secure, and access follows best practices. Local Radiometer representatives will contact all affected customers to discuss a permanent solution. Exploit Status: Researchers have provided working proof-of-concept (PoC). Radiometer is not aware of any publicly available exploits at the time of this publication. | |||||
| CVE-2025-44005 | 2025-12-18 | N/A | 10.0 CRITICAL | ||
| An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks. | |||||
| CVE-2021-22893 | 1 Ivanti | 1 Connect Secure | 2025-12-18 | 7.5 HIGH | 10.0 CRITICAL |
| Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild. | |||||
| CVE-2025-37731 | 1 Elastic | 1 Elasticsearch | 2025-12-18 | N/A | 6.8 MEDIUM |
| Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority. | |||||
| CVE-2025-65781 | 1 Wekan Project | 1 Wekan | 2025-12-18 | N/A | 8.2 HIGH |
| An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial application-layer DoS and latent identity-spoofing. | |||||
| CVE-2025-14002 | 2025-12-16 | N/A | 8.1 HIGH | ||
| The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP. | |||||
| CVE-2025-0890 | 1 Zyxel | 28 Sbg3300-n000, Sbg3300-n000 Firmware, Sbg3300-nb00 and 25 more | 2025-12-15 | N/A | 9.8 CRITICAL |
| **UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so. | |||||
| CVE-2025-67507 | 2025-12-12 | N/A | 8.1 HIGH | ||
| Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1. | |||||
| CVE-2025-52856 | 1 Qnap | 1 Qvr | 2025-12-10 | N/A | 9.8 CRITICAL |
| An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: VioStor 5.1.6 build 20250621 and later | |||||
| CVE-2025-54154 | 1 Qnap | 1 Authenticator | 2025-12-10 | N/A | 6.8 MEDIUM |
| An improper authentication vulnerability has been reported to affect QNAP Authenticator. If an attacker gains physical access, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: QNAP Authenticator 1.3.1.1227 and later | |||||
| CVE-2024-29837 | 1 Cs-technologies | 1 Evolution | 2025-12-10 | N/A | 8.8 HIGH |
| The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management, allowing for an unauthenticated attacker to access administrator functionality if any other user is already signed in. | |||||
| CVE-2025-66515 | 1 Nextcloud | 1 Approval | 2025-12-09 | N/A | 2.7 LOW |
| The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0. | |||||
| CVE-2022-29883 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2025-12-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been identified in SICAM T (All versions < V3.0). Affected devices do not restrict unauthenticated access to certain pages of the web interface. This could allow an attacker to delete log files without authentication. | |||||
| CVE-2025-12374 | 2025-12-08 | N/A | 9.8 CRITICAL | ||
| The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value. | |||||
| CVE-2023-47222 | 1 Qnap | 1 Media Streaming Add-on | 2025-12-05 | N/A | 9.6 CRITICAL |
| An exposure of sensitive information vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.5 ( 2024/01/22 ) and later | |||||
| CVE-2024-2873 | 1 Wolfssh | 1 Wolfssh | 2025-12-05 | N/A | 9.1 CRITICAL |
| A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access. | |||||