Total
1471 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-7587 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2026-01-09 | N/A | 7.8 HIGH |
| Incorrect Default Permissions vulnerability in GenBroker32, which is included in the installers for Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric GENESIS32 versions 9.70.300.23 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS32 versions 9.70.300.23 and prior, and Mitsubishi Electric MC Works64 all versions allows a local authenticated attacker to disclose or tamper with confidential information and data contained in the products, or cause a denial of service (DoS) condition on the products, by accessing a folder with incorrect permissions, when GenBroker32 is installed on the same PC as GENESIS64, ICONICS Suite, MC Works64, or GENESIS32. | |||||
| CVE-2024-31442 | 1 Redon | 1 Roblox Purchasing Hub | 2026-01-07 | N/A | 8.8 HIGH |
| Redon Hub is a Roblox Product Delivery Bot, also known as a Hub. In all hubs before version 1.0.2, all commands are capable of being ran by all users, including admin commands. This allows users to receive products for free and delete/create/update products/tags/etc. The only non-affected command is `/products admin clear` as this was already programmed for bot owners only. All users should upgrade to version 1.0.2 to receive a patch. | |||||
| CVE-2025-53398 | 1 Portrait | 1 Dell Color Management | 2026-01-02 | N/A | 7.8 HIGH |
| The Portrait Dell Color Management application 3.3.8 for Dell monitors has Insecure Permissions, | |||||
| CVE-2025-53919 | 1 Portrait | 1 Dell Color Management | 2026-01-02 | N/A | 7.8 HIGH |
| An issue was discovered in the Portrait Dell Color Management application through 3.3.008 for Dell monitors, It creates a temporary folder, with weak permissions, during installation and uninstallation. A low-privileged attacker with local access could potentially exploit this, leading to elevation of privileges. | |||||
| CVE-2025-49144 | 2025-12-24 | N/A | 7.3 HIGH | ||
| Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2. | |||||
| CVE-2025-43519 | 1 Apple | 1 Macos | 2025-12-17 | N/A | 5.5 MEDIUM |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. An app may be able to access sensitive user data. | |||||
| CVE-2025-43507 | 1 Apple | 4 Ipados, Iphone Os, Visionos and 1 more | 2025-12-17 | N/A | 6.5 MEDIUM |
| A privacy issue was addressed by moving sensitive data. This issue is fixed in watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, visionOS 26.1. An app may be able to fingerprint the user. | |||||
| CVE-2025-43444 | 1 Apple | 5 Ipados, Iphone Os, Tvos and 2 more | 2025-12-17 | N/A | 5.3 MEDIUM |
| A permissions issue was addressed with additional restrictions. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, visionOS 26.1. An app may be able to fingerprint the user. | |||||
| CVE-2025-43442 | 1 Apple | 2 Ipados, Iphone Os | 2025-12-17 | N/A | 3.3 LOW |
| A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1. An app may be able to identify what other apps a user has installed. | |||||
| CVE-2025-13155 | 2025-12-12 | N/A | 7.8 HIGH | ||
| An improper permissions vulnerability was reported in Lenovo Baiying Client that could allow a local authenticated user to execute code with elevated privileges. | |||||
| CVE-2025-34332 | 1 Audiocodes | 2 Fax Server, Interactive Voice Response | 2025-12-11 | N/A | 7.8 HIGH |
| AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component that controls back-end Windows services using helper batch scripts located under C:\\F2MAdmin\\F2E\\AudioCodes_files\\utils\\Services. When certain service actions are requested through ajaxPost.php, these scripts are invoked by PHP using system() under the NT AUTHORITY\\SYSTEM account. The batch files in this directory are writable by any authenticated local user due to overly permissive ACLs, allowing them to replace script contents with arbitrary commands. On the next service start/stop operation, the modified script is executed as SYSTEM, enabling elevation of local privileges. | |||||
| CVE-2025-34333 | 1 Audiocodes | 2 Fax Server, Interactive Voice Response | 2025-12-11 | N/A | 7.8 HIGH |
| AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 configure the web document root at C:\\F2MAdmin\\F2E with overly permissive file system permissions. Authenticated local users have modify rights on this directory, while the associated web server process runs as NT AUTHORITY\\SYSTEM. As a result, any local user can create or alter server-side scripts within the webroot and then trigger them via HTTP requests, causing arbitrary code to execute with SYSTEM privileges. | |||||
| CVE-2025-36857 | 1 Rapid7 | 1 Appspider Pro | 2025-12-11 | N/A | 3.3 LOW |
| Rapid7 Appspider Pro versions below 7.5.021, suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directories belonging to other users or projects. Affected versions allow standard users to add custom configuration files. These files, which are loaded in alphabetical order, can override or change the settings of the original configuration files, creating a security vulnerability. This issue stems from improper directory access management. This vulnerability was remediated in version 7.5.021 of the product. | |||||
| CVE-2024-23301 | 4 Fedoraproject, Redhat, Relax-and-recover and 1 more | 4 Fedora, Enterprise Linux, Relax-and-recover and 1 more | 2025-12-10 | N/A | 5.5 MEDIUM |
| Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root. | |||||
| CVE-2025-61229 | 1 Shirt-pocket | 1 Superduper\! | 2025-12-08 | N/A | 7.8 HIGH |
| An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allow a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls. | |||||
| CVE-2024-28862 | 1 Rotp Project | 1 Rotp | 2025-12-05 | N/A | 5.3 MEDIUM |
| The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation. | |||||
| CVE-2025-58097 | 3 Linux, Microsoft, Secuavail | 3 Linux Kernel, Windows, Logstare Collector | 2025-12-05 | N/A | 7.8 HIGH |
| The installation directory of LogStare Collector is configured with incorrect access permissions. A non-administrative user may manipulate files within the installation directory and execute arbitrary code with the administrative privilege. | |||||
| CVE-2025-54866 | 1 Wazuh | 1 Wazuh | 2025-12-02 | N/A | 5.5 MEDIUM |
| Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.3.0 to before 4.13.0, a missing ACL on "C:\Program Files (x86)\ossec-agent\authd.pass" exposes the password to all "Authenticated Users" on the local machine. This issue has been patched in version 4.13.0. | |||||
| CVE-2025-59485 | 2025-11-25 | N/A | 3.3 LOW | ||
| Incorrect default permissions issue exists in Security Point (Windows) of MaLion prior to Ver.5.3.4. If this vulnerability is exploited, an arbitrary file could be placed in the specific folder by a user who can log in to the system where the product's Windows client is installed. If the file is a specially crafted DLL file, arbitrary code could be executed with SYSTEM privilege. | |||||
| CVE-2017-7761 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2025-11-25 | 3.6 LOW | 5.5 MEDIUM |
| The Mozilla Maintenance Service "helper.exe" application creates a temporary directory writable by non-privileged users. When this is combined with creation of a junction (a form of symbolic link), protected files in the target directory of the junction can be deleted by the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. | |||||