Export limit exceeded: 351281 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (1916 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-22948 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2025-10-31 | 6.5 Medium |
| The vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information. | ||||
| CVE-2024-6605 | 1 Mozilla | 1 Firefox | 2025-10-30 | 8.8 High |
| Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. This vulnerability affects Firefox < 128. | ||||
| CVE-2024-42188 | 1 Hcltech | 1 Connections | 2025-10-28 | 3.7 Low |
| HCL Connections is vulnerable to a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios. | ||||
| CVE-2021-3493 | 1 Canonical | 1 Ubuntu Linux | 2025-10-28 | 8.8 High |
| The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges. | ||||
| CVE-2025-56019 | 1 Agasta | 3 Easy Touch Plus, Easy Touch Plus Firmware, Easytouch+ | 2025-10-27 | 6.5 Medium |
| An insecure permission vulnerability exists in the Agasta Easytouch+ version 9.3.97 The device allows unauthorized mobile applications to connect via Bluetooth Low Energy (BLE) without authentication. Once an unauthorized connection is established, legitimate applications are unable to connect, causing a denial of service. The attack requires proximity to the device, making it exploitable from an adjacent network location. | ||||
| CVE-2019-11708 | 2 Mozilla, Redhat | 3 Firefox, Thunderbird, Enterprise Linux | 2025-10-27 | 10.0 Critical |
| Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2. | ||||
| CVE-2025-31332 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2025-10-24 | 6.6 Medium |
| Due to insecure file permissions in SAP BusinessObjects Business Intelligence Platform, an attacker who has local access to the system could modify files potentially disrupting operations or cause service downtime hence leading to a high impact on integrity and availability. However, this vulnerability does not disclose any sensitive data. | ||||
| CVE-2024-23897 | 2 Jenkins, Redhat | 2 Jenkins, Ocp Tools | 2025-10-24 | 9.8 Critical |
| Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | ||||
| CVE-2025-35062 | 1 Newforma | 2 Project Center, Project Center Server | 2025-10-22 | 5.3 Medium |
| Newforma Info Exchange (NIX) before version 2023.1 by default allows anonymous authentication which allows an unauthenticated attacker to exploit additional vulnerabilities that require authentication. | ||||
| CVE-2025-36632 | 2 Microsoft, Tenable | 2 Windows, Nessus Agent | 2025-10-21 | 7.8 High |
| In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could execute code with SYSTEM privilege. | ||||
| CVE-2025-62175 | 1 Joinmastodon | 1 Mastodon | 2025-10-21 | 4.3 Medium |
| Mastodon is a free, open-source social network server based on ActivityPub. In versions before 4.4.6, 4.3.14, and 4.2.27, disabling or suspending a user account does not disconnect the account from the streaming API. This allows disabled or suspended accounts to continue receiving real-time updates through existing streaming connections and to establish new streaming connections, even though they cannot interact with other API endpoints. This undermines moderation actions, as administrators expect disabled or suspended accounts to be fully disconnected from the service. This issue has been patched in versions 4.4.6, 4.3.14, and 4.2.27. No known workarounds exist. | ||||
| CVE-2025-58288 | 1 Huawei | 1 Harmonyos | 2025-10-20 | 5.5 Medium |
| Denial of service (DoS) vulnerability in the office service. Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2025-58292 | 1 Huawei | 1 Harmonyos | 2025-10-20 | 3.3 Low |
| Denial of service (DoS) vulnerability in the office service. Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2025-58287 | 1 Huawei | 1 Harmonyos | 2025-10-20 | 7.8 High |
| Use After Free (UAF) vulnerability in the office service. Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2025-58437 | 1 Coder | 1 Coder | 2025-10-17 | 8.1 High |
| Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a user when a workspace is started. It is automatically exposed via coder_workspace_owner.session_token. Prebuilt workspaces are initially owned by a built-in prebuilds system user. When a prebuilt workspace is claimed, a new session token is generated for the user that claimed the workspace, but the previous session token for the prebuilds user was not expired. Any Coder workspace templates that persist this automatically generated session token are potentially impacted. This is fixed in versions 2.24.4 and 2.25.2. | ||||
| CVE-2025-54086 | 1 Absolute | 1 Secure Access | 2025-10-16 | 3.3 Low |
| CVE-2025-54086 is an excess permissions vulnerability in the Warehouse component of Absolute Secure Access prior to version 14.10. Attackers with access to the local file system can read the Java keystore file. The attack complexity is low, there are no attack requirements, the privileges required are low and no user interaction is required. Impact to confidentiality is low, there is no impact to integrity or availability. | ||||
| CVE-2025-46014 | 1 Honor | 1 Pc Manager | 2025-10-15 | 8.8 High |
| Several services in Honor Device Co., Ltd Honor PC Manager v16.0.0.118 was discovered to connect services to the named pipe iMateBookAssistant with default or overly permissive security attributes, leading to a privilege escalation. | ||||
| CVE-2025-29504 | 1 Huang-yk | 1 Student-manage | 2025-10-15 | 7.8 High |
| Insecure Permission vulnerability in student-manage 1 allows a local attacker to escalate privileges via the Unsafe permission verification. | ||||
| CVE-2024-36538 | 1 Chaos-mesh | 2 Chaos-mesh, Chaos Mesh | 2025-10-14 | 8.8 High |
| Insecure permissions in chaos-mesh v2.6.3 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. | ||||
| CVE-2025-0797 | 1 Escanav | 1 Escan Anti-virus | 2025-10-09 | 3.3 Low |
| A vulnerability was found in MicroWorld eScan Antivirus 7.0.32 on Linux. It has been declared as problematic. This vulnerability affects unknown code of the file /var/Microworld/ of the component Quarantine Handler. The manipulation leads to incorrect default permissions. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||