Total: 9880 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7394 | 1 Wolfssl | 1 Wolfssl | 2025-12-03 | 9.8 Critical |
| In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similarly to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report. | ||||
| CVE-2025-12559 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-03 | 4.3 Medium |
| Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint. | ||||
| CVE-2025-13765 | 1 Devolutions | 1 Devolutions Server | 2025-12-03 | 4.3 Medium |
| Exposure of email service credentials to users without administrative rights in Devolutions Server. This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9. | ||||
| CVE-2025-13758 | 1 Devolutions | 1 Devolutions Server | 2025-12-03 | 3.5 Low |
| Exposure of credentials in unintended requests in Devolutions Server. This issue affects Server: through 2025.2.20, through 2025.3.8. | ||||
| CVE-2025-13696 | 2 Softdiscover, Wordpress | 2 Zigaform, Wordpress | 2025-12-03 | 5.3 Medium |
| The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. This makes it possible for unauthenticated attackers to extract sensitive form submission data including personal information, payment details, and other private data via the rocket_front_payment_seesummary action by enumerating sequential form_r_id values. | ||||
| CVE-2025-52669 | 2 Revive, Revive-adserver | 2 Adserver, Revive Adserver | 2025-12-02 | N/A |
| Insecure design policies in the user management system of Revive Adserver 5.5.2 and 6.0.1 and earlier versions cause non-admin users to have access to the contact name and email address of other users on the system. | ||||
| CVE-2025-2879 | 1 Arm | 3 5th Gen Gpu Architecture Kernel Driver, Arm 5th Gen Gpu Architecture Kernel Driver, Valhall Gpu Kernel Driver | 2025-12-02 | 5.1 Medium |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to expose sensitive data. This issue affects Valhall GPU Kernel Driver: from r29p0 through r49p4, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0. | ||||
| CVE-2025-59454 | 1 Apache | 1 Cloudstack | 2025-12-02 | 4.3 Medium |
| In Apache CloudStack, a gap in access control checks affected the APIs createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory and listVolumesUsageHistory. While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue. | ||||
| CVE-2025-13653 | 1 Search-guard | 1 Search Guard | 2025-12-02 | 4.3 Medium |
| In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests to read documents from data streams without having the respective privileges. | ||||
| CVE-2025-64312 | 1 Huawei | 1 Harmonyos | 2025-12-02 | 4.9 Medium |
| Permission control vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2025-64311 | 1 Huawei | 1 Harmonyos | 2025-12-02 | 5.1 Medium |
| Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2025-43360 | 1 Apple | 4 Ios, Ipad Os, Ipados and 1 more | 2025-12-01 | 5.5 Medium |
| The issue was addressed with improved UI. This issue is fixed in iOS 26 and iPadOS 26. Password fields may be unintentionally revealed. | ||||
| CVE-2025-13804 | 1 Nutzam | 1 Nutzboot | 2025-12-01 | 4.3 Medium |
| A security flaw has been discovered in nutzam NutzBoot up to 2.6.0-SNAPSHOT. The impacted element is an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Ethereum Wallet Handler. Performing manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-65278 | 1 Grocerymart Project | 1 Grocerymart | 2025-12-01 | 7.5 High |
| An issue was discovered in file users.json in GroceryMart commit 21934e6 (2020-10-23) allowing unauthenticated attackers to gain sensitive information including plaintext usernames and passwords. | ||||
| CVE-2025-13683 | 2 Devolutions, Microsoft | 3 Devolutions Server, Remote Desktop Manager, Windows | 2025-12-01 | 6.5 Medium |
| Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows. This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0. | ||||
| CVE-2025-11794 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-01 | 4.9 Medium |
| Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint. | ||||
| CVE-2025-58305 | 1 Huawei | 1 Harmonyos | 2025-11-28 | 6.2 Medium |
| Identity authentication bypass vulnerability in the Gallery app. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2018-11802 | 1 Apache | 1 Solr | 2025-11-28 | 4.3 Medium |
| In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin). | ||||
| CVE-2023-30804 | 1 Sangfor | 1 Next-gen Application Firewall | 2025-11-28 | 4.9 Medium |
| The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authenticated file disclosure vulnerability. A remote and authenticated attacker can read arbitrary system files using the svpn_html/loadfile.php endpoint. This issue is exploitable by a remote and unauthenticated attacker when paired with CVE-2023-30803. | ||||
| CVE-2025-34185 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-11-28 | 7.5 High |
| Ilevia EVE X1 Server version ≤ 4.7.18.0.eden contains a pre-authentication file disclosure vulnerability via the 'db_log' POST parameter. Remote attackers can retrieve arbitrary files from the server, exposing sensitive system information and credentials. | ||||