Total
4051 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14746 | 2025-12-16 | 4.3 Medium | ||
| A vulnerability has been found in Ningyuanda TC155 57.0.2.0. The affected element is an unknown function of the component RTSP Live Video Stream Endpoint. Such manipulation leads to improper authentication. The attack must be carried out from within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-14703 | 1 Shiguangwu | 1 Sgwbox N3 | 2025-12-15 | 5.3 Medium |
| A vulnerability has been found in Shiguangwu sgwbox N3 2.0.25. The affected element is an unknown function of the file /fsnotify of the component POST Message Handler. The manipulation of the argument token leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-37731 | 1 Elastic | 1 Elasticsearch | 2025-12-15 | 6.8 Medium |
| Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority. | ||||
| CVE-2025-14567 | 1 Stock Management System Project | 1 Stock Management System | 2025-12-14 | 5.3 Medium |
| A weakness has been identified in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This affects an unknown function of the file /api/employees. Executing manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-66039 | 1 Freepbx | 1 Endpoint Manager | 2025-12-12 | N/A |
| FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23. | ||||
| CVE-2025-59280 | 1 Microsoft | 28 Windows, Windows 10, Windows 10 1507 and 25 more | 2025-12-11 | 3.1 Low |
| Improper authentication in Windows SMB Client allows an unauthorized attacker to perform tampering over a network. | ||||
| CVE-2025-55340 | 1 Microsoft | 21 Remote Desktop Protocol, Windows, Windows 10 and 18 more | 2025-12-11 | 7 High |
| Improper authentication in Windows Remote Desktop Protocol allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2025-52856 | 1 Qnap | 1 Qvr | 2025-12-10 | 9.8 Critical |
| An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: VioStor 5.1.6 build 20250621 and later | ||||
| CVE-2025-54154 | 1 Qnap | 1 Authenticator | 2025-12-10 | 6.8 Medium |
| An improper authentication vulnerability has been reported to affect QNAP Authenticator. If an attacker gains physical access, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: QNAP Authenticator 1.3.1.1227 and later | ||||
| CVE-2025-64055 | 2 Fanvil, Tenda | 3 X210 V2, X210, X210 Firmware | 2025-12-10 | 9.8 Critical |
| An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass. | ||||
| CVE-2025-67507 | 1 Filamentphp | 1 Filament | 2025-12-10 | 8.1 High |
| Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1. | ||||
| CVE-2024-29837 | 1 Cs-technologies | 1 Evolution | 2025-12-10 | 8.8 High |
| The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management, allowing for an unauthenticated attacker to access administrator functionality if any other user is already signed in. | ||||
| CVE-2024-38099 | 1 Microsoft | 9 Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 Sp2 and 6 more | 2025-12-09 | 5.9 Medium |
| Windows Remote Desktop Licensing Service Denial of Service Vulnerability | ||||
| CVE-2025-66515 | 1 Nextcloud | 1 Approval | 2025-12-09 | 2.7 Low |
| The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0. | ||||
| CVE-2022-29883 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2025-12-09 | 5.3 Medium |
| A vulnerability has been identified in SICAM T (All versions < V3.0). Affected devices do not restrict unauthenticated access to certain pages of the web interface. This could allow an attacker to delete log files without authentication. | ||||
| CVE-2025-12374 | 2 Pickplugins, Wordpress | 2 User Verification, Wordpress | 2025-12-08 | 9.8 Critical |
| The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value. | ||||
| CVE-2025-52572 | 1 Hikariatama | 1 Hikka | 2025-12-08 | 10 Critical |
| Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click "Allow" in your helper bot unless it is your explicit action that needs to be allowed. | ||||
| CVE-2023-47222 | 1 Qnap | 1 Media Streaming Add-on | 2025-12-05 | 9.6 Critical |
| An exposure of sensitive information vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.5 ( 2024/01/22 ) and later | ||||
| CVE-2024-2873 | 1 Wolfssh | 1 Wolfssh | 2025-12-05 | 9.1 Critical |
| A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access. | ||||
| CVE-2025-11625 | 1 Wolfssh | 1 Wolfssh | 2025-12-04 | 9.8 Critical |
| Improper host authentication vulnerability in wolfSSH version 1.4.20 and earlier clients that allows authentication bypass and leaking of clients credentials. | ||||