Total
148 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-14490 | 1 Superantispyware | 1 Superantispyware | 2026-01-20 | N/A | 7.8 HIGH |
| RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27659. | |||||
| CVE-2025-9611 | 2026-01-08 | N/A | N/A | ||
| Microsoft Playwright MCP Server versions prior to 0.0.40 fails to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints. | |||||
| CVE-2025-68697 | 1 N8n | 1 N8n | 2025-12-31 | N/A | 7.1 HIGH |
| n8n is an open source workflow automation platform. Prior to version 2.0.0, in self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This allows a workflow editor to perform actions on the n8n host with the same privileges as the n8n process, including: reading files from the host filesystem (subject to any file-access restrictions configured on the instance and OS/container permissions), and writing files to the host filesystem (subject to the same restrictions). This issue has been patched in version 2.0.0. Workarounds for this issue involve limiting file operations by setting N8N_RESTRICT_FILE_ACCESS_TO to a dedicated directory (e.g., ~/.n8n-files) and ensure it contains no sensitive data, keeping N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true (default) to block access to .n8n and user-defined config files, and disabling high-risk nodes (including the Code node) using NODES_EXCLUDE if workflow editors are not fully trusted. | |||||
| CVE-2024-32764 | 1 Qnap | 1 Myqnapcloud Link | 2025-12-10 | N/A | 9.9 CRITICAL |
| A missing authentication for critical function vulnerability has been reported to affect myQNAPcloud Link. If exploited, the vulnerability could allow users with the privilege level of some functionality via a network. We have already fixed the vulnerability in the following version: myQNAPcloud Link 2.4.51 and later | |||||
| CVE-2025-61907 | 1 Icinga | 1 Icinga | 2025-11-26 | N/A | 6.5 MEDIUM |
| Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13. | |||||
| CVE-2025-59403 | 1 Flocksafety | 1 Flock Safety | 2025-11-24 | N/A | 9.8 CRITICAL |
| The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access. | |||||
| CVE-2025-3698 | 1 Tecno | 1 Carlcare | 2025-11-13 | N/A | 7.5 HIGH |
| Interface exposure vulnerability in the mobile application (com.transsion.carlcare) may lead to information leakage risk. | |||||
| CVE-2018-19322 | 1 Gigabyte | 4 Aorus Graphics Engine, App Center, Oc Guru Ii and 1 more | 2025-11-07 | 4.6 MEDIUM | 7.8 HIGH |
| The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 expose functionality to read/write data from/to IO ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges. | |||||
| CVE-2025-53964 | 1 Goldendict | 1 Goldendict | 2025-11-06 | N/A | 9.6 CRITICAL |
| GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous method that allows reading and modifying files when a user adds a crafted dictionary and then searches for any term included in that dictionary. | |||||
| CVE-2025-47353 | 1 Qualcomm | 36 Qam8255p, Qam8255p Firmware, Qam8650p and 33 more | 2025-11-05 | N/A | 7.8 HIGH |
| Memory corruption while processing request sent from GVM. | |||||
| CVE-2014-5415 | 1 Beckhoff | 2 Embedded Pc Images, Twincat | 2025-11-05 | 9.4 HIGH | 9.1 CRITICAL |
| Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components might allow remote attackers to obtain access via the (1) Windows CE Remote Configuration Tool, (2) CE Remote Display service, or (3) TELNET service. | |||||
| CVE-2023-49074 | 1 Tp-link | 2 Eap225, Eap225 Firmware | 2025-11-04 | N/A | 7.4 HIGH |
| A denial of service vulnerability exists in the TDDP functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of network requests can lead to reset to factory settings. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. | |||||
| CVE-2025-48415 | 2025-11-03 | N/A | 6.2 MEDIUM | ||
| A USB backdoor feature can be triggered by attaching a USB drive that contains specially crafted "salia.ini" files. The .ini file can contain several "commands" that could be exploited by an attacker to export or modify the device configuration, enable an SSH backdoor or perform other administrative actions. Ultimately, this backdoor also allows arbitrary execution of OS commands. | |||||
| CVE-2010-1428 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2025-10-22 | 5.0 MEDIUM | 7.5 HIGH |
| The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method. | |||||
| CVE-2010-0738 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2025-10-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method. | |||||
| CVE-2006-1547 | 1 Apache | 2 Commons Beanutils, Struts | 2025-10-22 | 7.8 HIGH | 7.5 HIGH |
| ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils. | |||||
| CVE-2024-43065 | 1 Qualcomm | 328 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 325 more | 2025-10-06 | N/A | 7.1 HIGH |
| Cryptographic issues while generating an asymmetric key pair for RKP use cases. | |||||
| CVE-2025-30359 | 1 Webpack.js | 1 Webpack-dev-server | 2025-10-03 | N/A | 5.3 MEDIUM |
| webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. Version 5.2.1 contains a patch for the issue. | |||||
| CVE-2025-5823 | 1 Autel | 18 Maxicharger Ac Elite Business C50, Maxicharger Ac Elite Business C50 Firmware, Maxicharger Ac Pro and 15 more | 2025-09-10 | N/A | 6.5 MEDIUM |
| Autel MaxiCharger AC Wallbox Commercial Serial Number Exposed Dangerous Method Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharger AC Wallbox Commercial EV chargers. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the Autel Technician API. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-26351. | |||||
| CVE-2024-55945 | 1 Typo3 | 1 Typo3 | 2025-08-26 | N/A | 4.3 MEDIUM |
| TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to `lax` or `none`. The vulnerability in the affected downstream component “DB Check Module” allows attackers to manipulate data through unauthorized actions. Users are advised to update to TYPO3 versions 11.5.42 ELTS which fixes the problem described. There are no known workarounds for this issue. | |||||