Total
3990 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-42038 | 1 Huawei | 2 Emui, Harmonyos | 2025-09-18 | 8.8 High |
| Vulnerability of PIN enhancement failures in the screen lock module Impact: Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability. | ||||
| CVE-2025-55241 | 1 Microsoft | 1 Entra Id | 2025-09-18 | 9 Critical |
| Azure Entra Elevation of Privilege Vulnerability | ||||
| CVE-2025-53793 | 1 Microsoft | 1 Azure Stack Hub | 2025-09-17 | 7.5 High |
| Improper authentication in Azure Stack allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2025-53778 | 1 Microsoft | 21 Windows, Windows 10, Windows 10 1507 and 18 more | 2025-09-17 | 8.8 High |
| Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-53786 | 1 Microsoft | 2 Exchange, Exchange Server | 2025-09-17 | 8 High |
| On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix and implementing the changes in your Exchange Server and hybrid environment. | ||||
| CVE-2025-34186 | 1 Ilevia | 2 Eve X1 Server, Eve X5 Server | 2025-09-17 | N/A |
| Ilevia EVE X1/X5 Server version ≤ 4.7.18.0.eden contains a vulnerability in its authentication mechanism. Unsanitized input is passed to a system() call for authentication, allowing attackers to inject special characters and manipulate command parsing. Due to the binary's interpretation of non-zero exit codes as successful authentication, remote attackers can bypass authentication and gain full access to the system. | ||||
| CVE-2025-31271 | 1 Apple | 1 Macos | 2025-09-17 | 7.5 High |
| This issue was addressed through improved state management. This issue is fixed in macOS Tahoe 26. Incoming FaceTime calls can appear or be accepted on a locked macOS device, even with notifications disabled on the lock screen. | ||||
| CVE-2025-55234 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-09-16 | 8.8 High |
| SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks. The SMB Server already supports mechanisms for hardening against relay attacks: SMB Server signing SMB Server Extended Protection for Authentication (EPA) Microsoft is releasing this CVE to provide customers with audit capabilities to help them to assess their environment and to identify any potential device or software incompatibility issues before deploying SMB Server hardening measures that protect against relay attacks. If you have not already enabled SMB Server hardening measures, we advise customers to take the following actions to be protected from these relay attacks: Assess your environment by utilizing the audit capabilities that we are exposing in the September 2025 security updates. See Support for Audit Events to deploy SMB Server Hardening—SMB Server Signing & SMB Server EPA. Adopt appropriate SMB Server hardening measures. | ||||
| CVE-2025-54918 | 1 Microsoft | 5 Windows, Windows 10, Windows 11 and 2 more | 2025-09-16 | 8.8 High |
| Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-10423 | 1 Newbee-mall Project | 1 Newbee-mall | 2025-09-15 | 3.7 Low |
| A vulnerability was found in newbee-mall 1.0. Impacted is the function mallKaptcha of the file /common/mall/kaptcha. The manipulation results in guessable captcha. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The exploit has been made public and could be used. | ||||
| CVE-2025-45583 | 1 Audi | 1 Universal Traffic Recorder | 2025-09-15 | 9.1 Critical |
| Incorrect access control in the FTP protocol of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to authenticate into the service using any combination of username and password. | ||||
| CVE-2025-58065 | 1 Dpgaspar | 1 Flask-appbuilder | 2025-09-15 | 6.5 Medium |
| Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts. | ||||
| CVE-2025-58060 | 3 Linux, Openprinting, Redhat | 3 Linux, Cups, Enterprise Linux | 2025-09-15 | 8 High |
| OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, when the `AuthType` is set to anything but `Basic`, if the request contains an `Authorization: Basic ...` header, the password is not checked. This results in authentication bypass. Any configuration that allows an `AuthType` that is not `Basic` is affected. Version 2.4.13 fixes the issue. | ||||
| CVE-2025-10288 | 1 Roncoo | 1 Roncoo-pay | 2025-09-15 | 5.3 Medium |
| A vulnerability was found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The impacted element is an unknown function of the file /user/info/list. Performing manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10365 | 1 Evertz | 1 3080ipx | 2025-09-15 | N/A |
| The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management interface on port 80. This web management interface can be used by administrators to control product features, setup network switching, and register license among other features. The application has been developed in PHP with the webEASY SDK, also named ‘ewb’ by Evertz. This web interface has two endpoints that are vulnerable to arbitrary command injection (CVE-2025-4009, CVE-2025-10364) and the authentication mechanism has a flaw leading to authentication bypass (CVE-2025-10365). Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices. This level of access could lead to serious business impact such as the interruption of media streaming, modification of media being streamed, alteration of closed captions being generated, among others. | ||||
| CVE-2019-11272 | 3 Debian, Redhat, Vmware | 3 Debian Linux, Jboss Fuse, Spring Security | 2025-09-12 | 7.3 High |
| Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null". | ||||
| CVE-2025-8348 | 1 Kehua | 1 Charging Pile Cloud Platform | 2025-09-12 | 7.3 High |
| A vulnerability has been found in Kehua Charging Pile Cloud Platform 1.0 and classified as critical. This vulnerability affects unknown code of the file /home. The manipulation leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-49831 | 1 Cyberark | 1 Conjur | 2025-09-12 | 9.8 Critical |
| An attacker of Secrets Manager, Self-Hosted installations that route traffic from Secrets Manager to AWS through a misconfigured network device can reroute authentication requests to a malicious server under the attacker’s control. CyberArk believes there to be very few installations where this issue can be actively exploited, though Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1 may be affected. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. | ||||
| CVE-2025-10224 | 2 Axxonsoft, Microsoft | 2 Axxon One, Windows | 2025-09-12 | 5.4 Medium |
| Improper Authentication (CWE-287) in the LDAP authentication engine in AxxonSoft Axxon One 2.0.2 and earlier on Windows allows a remote authenticated user to be denied access or misassigned roles via incorrect evaluation of nested LDAP group memberships during login. | ||||
| CVE-2025-50901 | 1 Jeewms | 1 Jeewms | 2025-09-11 | 9.8 Critical |
| JeeWMS 771e4f5d0c01ffdeae1671be4cf102b73a3fe644 (2025-05-19) contains incorrect authentication bypass vulnerability, which can lead to arbitrary file reading. | ||||