Total
34460 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-14198 | 1 Verysync | 1 Verysync | 2025-12-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was detected in Verysync 微力同步 2.21.3. This affects an unknown function of the file /safebrowsing/clientreport/download?key=dummytoken of the component Web Administration Module. Performing manipulation results in information disclosure. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-12558 | 1 Fastlinemedia | 1 Beaver Builder | 2025-12-11 | N/A | 4.3 MEDIUM |
| The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the path and meta data of private attachments, which can be used to view the attachments. | |||||
| CVE-2025-14286 | 1 Tenda | 1 Ac9 Firmware | 2025-12-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was determined in Tenda AC9 15.03.05.14_multi. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/DownloadCfg.jpg of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-63721 | 1 Hummerrisk | 1 Hummerrisk | 2025-12-11 | N/A | 8.8 HIGH |
| HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server. | |||||
| CVE-2025-48594 | 1 Google | 1 Android | 2025-12-11 | N/A | 7.3 HIGH |
| In onUidImportance of DisassociationProcessor.java, there is a possible way to retain companion application privileges after disassociation due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2025-43376 | 1 Apple | 5 Ipados, Iphone Os, Safari and 2 more | 2025-12-10 | N/A | 7.5 HIGH |
| A logic issue was addressed with improved state management. This issue is fixed in Safari 26, tvOS 26, watchOS 26, iOS 26 and iPadOS 26, visionOS 26. A remote attacker may be able to view leaked DNS queries with Private Relay turned on. | |||||
| CVE-2025-14323 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-12-10 | N/A | 8.8 HIGH |
| Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | |||||
| CVE-2025-14328 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-12-10 | N/A | 8.8 HIGH |
| Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | |||||
| CVE-2025-14329 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-12-10 | N/A | 8.8 HIGH |
| Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | |||||
| CVE-2024-0353 | 1 Eset | 9 Endpoint Antivirus, Endpoint Security, File Security and 6 more | 2025-12-10 | N/A | 7.8 HIGH |
| Local privilege escalation vulnerability potentially allowed an attacker to misuse ESET’s file operations to delete files without having proper permission. | |||||
| CVE-2025-48589 | 1 Google | 1 Android | 2025-12-10 | N/A | 7.8 HIGH |
| In multiple functions of HeaderPrivacyIconsController.kt, there is a possible way to grand permissions across user due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-48583 | 1 Google | 1 Android | 2025-12-10 | N/A | 7.8 HIGH |
| In multiple functions of BaseBundle.java, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-48580 | 1 Google | 1 Android | 2025-12-10 | N/A | 7.8 HIGH |
| In connectInternal of MediaBrowser.java, there is a possible way to access while in use permission while the app is in background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-62570 | 1 Microsoft | 3 Windows 11 24h2, Windows 11 25h2, Windows Server 2025 | 2025-12-10 | N/A | 7.1 HIGH |
| Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally. | |||||
| CVE-2025-0514 | 1 Libreoffice | 1 Libreoffice | 2025-12-10 | N/A | 7.8 HIGH |
| Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditionally on activation.This issue affects LibreOffice: from 24.8 before < 24.8.5. | |||||
| CVE-2025-62571 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2025-12-10 | N/A | 7.8 HIGH |
| Improper input validation in Windows Installer allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-64670 | 1 Microsoft | 8 Windows 10 21h2, Windows 10 22h2, Windows 11 23h2 and 5 more | 2025-12-10 | N/A | 6.5 MEDIUM |
| Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information over a network. | |||||
| CVE-2025-64673 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2025-12-10 | N/A | 7.8 HIGH |
| Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-1080 | 2 Debian, Libreoffice | 2 Debian Linux, Libreoffice | 2025-12-10 | N/A | 7.8 HIGH |
| LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before < 24.8.5, from 25.2 before < 25.2.1. | |||||
| CVE-2024-23301 | 4 Fedoraproject, Redhat, Relax-and-recover and 1 more | 4 Fedora, Enterprise Linux, Relax-and-recover and 1 more | 2025-12-10 | N/A | 5.5 MEDIUM |
| Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root. | |||||