Total
6170 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-30581 | 2 Nodejs, Redhat | 3 Node.js, Enterprise Linux, Rhel Eus | 2025-11-03 | 7.5 High |
| The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js | ||||
| CVE-2025-24181 | 1 Apple | 1 Macos | 2025-11-03 | 9.8 Critical |
| A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access protected user data. | ||||
| CVE-2025-24143 | 2 Apple, Redhat | 6 Ipados, Macos, Safari and 3 more | 2025-11-03 | 6.5 Medium |
| The issue was addressed with improved access restrictions to the file system. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user. | ||||
| CVE-2025-24116 | 1 Apple | 1 Macos | 2025-11-03 | 4.4 Medium |
| An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to bypass Privacy preferences. | ||||
| CVE-2025-24108 | 1 Apple | 1 Macos | 2025-11-03 | 5.5 Medium |
| An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.3. An app may be able to access protected user data. | ||||
| CVE-2025-24096 | 1 Apple | 1 Macos | 2025-11-03 | 5.5 Medium |
| This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.3. A malicious app may be able to access arbitrary files. | ||||
| CVE-2025-30448 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-11-03 | 9.1 Critical |
| This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.7.6, iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, visionOS 2.5, macOS Ventura 13.7.6, macOS Sequoia 15.4. An attacker may be able to turn on sharing of an iCloud folder without authentication. | ||||
| CVE-2025-59461 | 1 Sick | 2 Tloc100-100, Tloc100-100 Firmware | 2025-11-03 | 7.6 High |
| A remote unauthenticated attacker may use the unauthenticated C++ API to access or modify sensitive data and disrupt services. | ||||
| CVE-2025-43331 | 1 Apple | 1 Macos | 2025-11-03 | 4 Medium |
| A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access protected user data. | ||||
| CVE-2025-43318 | 1 Apple | 1 Macos | 2025-11-03 | 6.2 Medium |
| This issue was addressed with additional entitlement checks. This issue is fixed in macOS Tahoe 26. An app with root privileges may be able to access private information. | ||||
| CVE-2025-11702 | 1 Gitlab | 1 Gitlab | 2025-11-03 | 8.5 High |
| GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects. | ||||
| CVE-2025-8223 | 1 Jerryshensjf | 1 Jpacookieshop | 2025-10-31 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. This affects an unknown part of the file AdminTypeCustController.java. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | ||||
| CVE-2025-62642 | 2 Rbi, Restaurant Brands International | 2 Restaurant Brands International Assistant, Assistant Platform | 2025-10-31 | 5.8 Medium |
| The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account. | ||||
| CVE-2025-64296 | 3 Facebook, Woocommerce, Wordpress | 3 Facebook For Woocommerce, Woocommerce, Wordpress | 2025-10-30 | 5.3 Medium |
| Missing Authorization vulnerability in Facebook Facebook for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Facebook for WooCommerce: from n/a through 3.5.7. | ||||
| CVE-2025-11705 | 2 Anti-malware Security And Brute-force Firewall Project, Wordpress | 2 Anti-malware Security And Brute-force Firewall, Wordpress | 2025-10-30 | 6.5 Medium |
| The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2025-11632 | 2 Jgrietveld, Wordpress | 2 Call Now Button, Wordpress | 2025-10-30 | 4.3 Medium |
| The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to billing portal, where they can view and modify billing information of the connected, account, generate chat session tokens, view domain status, etc. This vulnerability was partially fixed in version 1.5.4 and fully fixed in version 1.5.5 | ||||
| CVE-2025-10008 | 2 Remyb92, Wordpress | 2 Translate Wordpress And Go Multilingual, Wordpress | 2025-10-30 | 5.3 Medium |
| The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options. | ||||
| CVE-2025-11881 | 2 Apppresser, Wordpress | 2 Apppresser, Wordpress | 2025-10-30 | 5.3 Medium |
| The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data including plugin and theme names and version numbers, which can be used to facilitate targeted attacks against outdated or vulnerable components. | ||||
| CVE-2025-6205 | 1 3ds | 1 Delmia Apriso | 2025-10-29 | 9.1 Critical |
| A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application. | ||||
| CVE-2025-41443 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-29 | 4.3 Medium |
| Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint | ||||