Total
3293 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-39009 | 1 Huawei | 2 Emui, Harmonyos | 2025-06-03 | N/A | 9.8 CRITICAL |
| The WLAN module has a vulnerability in permission verification. Successful exploitation of this vulnerability may cause third-party apps to affect WLAN functions. | |||||
| CVE-2023-49262 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-03 | N/A | 9.8 CRITICAL |
| The authentication mechanism can be bypassed by overflowing the value of the Cookie "authentication" field, provided there is an active user session. | |||||
| CVE-2023-50919 | 1 Gl-inet | 24 Gl-a1300, Gl-a1300 Firmware, Gl-ar300m and 21 more | 2025-06-03 | N/A | 9.8 CRITICAL |
| An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7. | |||||
| CVE-2023-46942 | 1 Evershop | 1 Evershop | 2025-06-03 | N/A | 7.5 HIGH |
| Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints. | |||||
| CVE-2025-5149 | 1 Wcms | 1 Wcms | 2025-06-03 | N/A | 8.1 HIGH |
| A vulnerability was found in WCMS up to 8.3.11. It has been declared as critical. Affected by this vulnerability is the function getMemberByUid of the file /index.php?articleadmin/getallcon of the component Login. The manipulation of the argument uid leads to improper authentication. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-5437 | 2025-06-02 | N/A | 5.3 MEDIUM | ||
| A vulnerability classified as critical has been found in Multilaser Sirius RE016 MLT1.0. Affected is an unknown function of the file /cgi-bin/cstecgi.cgi of the component Password Change Handler. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-34908 | 1 Aremis | 1 Aremis 4 Nomads | 2025-05-30 | N/A | 7.5 HIGH |
| An issue was discovered in the A4N (Aremis 4 Nomad) application 1.5.0 for Android. It possesses an authentication mechanism; however, some features do not require any token or cookie in a request. Therefore, an attacker may send a simple HTTP request to the right endpoint, and obtain authorization to retrieve application data. | |||||
| CVE-2022-28321 | 2 Linux-pam, Opensuse | 2 Linux-pam, Tumbleweed | 2025-05-29 | N/A | 9.8 CRITICAL |
| The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream. | |||||
| CVE-2025-0605 | 1 Gitlab | 1 Gitlab | 2025-05-29 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements. | |||||
| CVE-2023-51982 | 1 Cratedb | 1 Cratedb | 2025-05-29 | N/A | 9.8 CRITICAL |
| CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and_ Local_ In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI directly using the default user identity.(https://github.com/crate/crate/issues/15231) | |||||
| CVE-2022-23126 | 1 Teslamate | 1 Teslamate | 2025-05-28 | 7.5 HIGH | 9.8 CRITICAL |
| TeslaMate before 1.25.1 (when using the default Docker configuration) allows attackers to open doors of Tesla vehicles, start Keyless Driving, and interfere with vehicle operation en route. This occurs because an attacker can leverage Grafana login access to obtain a token for Tesla API calls. | |||||
| CVE-2025-48370 | 2025-05-27 | N/A | N/A | ||
| auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.69.1, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.69.1. | |||||
| CVE-2022-30550 | 2 Debian, Dovecot | 2 Debian Linux, Dovecot | 2025-05-23 | N/A | 8.8 HIGH |
| An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user. | |||||
| CVE-2020-25183 | 1 Medtronic | 2 Mycarelink Smart Model 25000, Mycarelink Smart Model 25000 Firmware | 2025-05-22 | 5.8 MEDIUM | 8.8 HIGH |
| Medtronic MyCareLink Smart 25000 contains an authentication protocol vulnerability where the method used to authenticate between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app is vulnerable to bypass. This vulnerability enables an attacker to use another mobile device or malicious application on the patient’s smartphone to authenticate to the patient’s Medtronic Smart Reader, fooling the device into believing it is communicating with the original Medtronic smart phone application when executed within range of Bluetooth communication. | |||||
| CVE-2022-30124 | 1 Rocket.chat | 1 Rocket.chat | 2025-05-22 | N/A | 6.8 MEDIUM |
| An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with physical access to a mobile device to bypass local authentication (PIN code). | |||||
| CVE-2018-14781 | 1 Medtronicdiabetes | 18 508 Minimed Insulin Pump, 508 Minimed Insulin Pump Firmware, 522 Paradigm Real-time and 15 more | 2025-05-22 | 2.9 LOW | 5.3 MEDIUM |
| Medtronic MiniMed MMT devices when paired with a remote controller and having the “easy bolus” and “remote bolus” options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller and the pump and replay them to cause an insulin (bolus) delivery. | |||||
| CVE-2025-1104 | 1 Dlink | 2 Dhp-w310av, Dhp-w310av Firmware | 2025-05-21 | N/A | 9.8 CRITICAL |
| A vulnerability has been found in D-Link DHP-W310AV 1.04 and classified as critical. This vulnerability affects unknown code. The manipulation leads to authentication bypass by spoofing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-26475 | 1 Dell | 1 Secure Connect Gateway | 2025-05-20 | N/A | 5.5 MEDIUM |
| Dell Secure Connect Gateway (SCG) 5.0 Appliance - SRS, version(s) 5.26, Enables Live-Restore setting which enhances security by keeping containers running during daemon restarts, reducing attack exposure, preventing accidental misconfigurations, and ensuring security controls remain active. | |||||
| CVE-2025-26685 | 1 Microsoft | 1 Defender For Identity | 2025-05-19 | N/A | 6.5 MEDIUM |
| Improper authentication in Microsoft Defender for Identity allows an unauthorized attacker to perform spoofing over an adjacent network. | |||||
| CVE-2025-47790 | 2025-05-16 | N/A | N/A | ||
| Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug with session handling. The bug caused skipping the second factor confirmation after a successful login with the username and password when the server was configured with `remember_login_cookie_lifetime` set to `0`, once the session expired on the page to select the second factor and the page is reloaded. Nextcloud Server 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server is upgraded to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9 and 31.0.3 contain a patch. As a workaround, set the `remember_login_cookie_lifetime` in config.php to a value other than `0`, e.g. `900`. Beware that this is only a workaround for new sessions created after the configuration change. System administration can delete affected sessions. | |||||