Total
755 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5261 | 2025-08-20 | N/A | 7.5 HIGH | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Pik Online Yazilim Çözümleri A.S. Pik Online allows Exploitation of Trusted Identifiers.This issue affects Pik Online: before 3.1.5. | |||||
| CVE-2025-53208 | 2025-08-20 | N/A | N/A | ||
| Authorization Bypass Through User-Controlled Key vulnerability in paymayapg Maya Business allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Maya Business: from n/a through 1.2.0. | |||||
| CVE-2025-6765 | 1 Intelbras | 1 Incontrol Web | 2025-08-20 | N/A | 8.8 HIGH |
| A vulnerability, which was classified as critical, has been found in Intelbras InControl 2.21.60.9. This issue affects some unknown processing of the file /v1/operador/ of the component HTTP PUT Request Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-55737 | 2025-08-19 | N/A | N/A | ||
| flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code that causes the problem is in routes/post.py. | |||||
| CVE-2025-43732 | 2025-08-18 | N/A | N/A | ||
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 is vulnerable to Insecure Direct Object Reference (IDOR) in the groupId parameter of the _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId. When an organization administrator modifies this parameter id value, they can gain unauthorized access to user lists from other organizations. | |||||
| CVE-2025-36023 | 1 Ibm | 1 Cloud Pak For Business Automation | 2025-08-15 | N/A | 6.5 MEDIUM |
| IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key. | |||||
| CVE-2025-8770 | 1 Gitlab | 1 Gitlab | 2025-08-15 | N/A | N/A |
| An issue has been discovered in GitLab EE affecting all versions from 18.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that could have allowed authenticated users with specific access to bypass merge request approval policies by manipulating approval rule identifiers. | |||||
| CVE-2025-54691 | 2025-08-14 | N/A | N/A | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through 1.4.80. | |||||
| CVE-2025-4796 | 1 Themewinter | 1 Eventin | 2025-08-13 | N/A | 8.8 HIGH |
| The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | |||||
| CVE-2025-53189 | 2025-08-11 | N/A | N/A | ||
| Authorization Bypass Through User-Controlled Key vulnerability in ABB Aspect.This issue affects Aspect: from o before <3.08.04-s01. | |||||
| CVE-2025-5195 | 1 Gitlab | 1 Gitlab | 2025-08-08 | N/A | N/A |
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. It was possible for authenticated users to access arbitrary compliance frameworks, leading to unauthorized data disclosure. | |||||
| CVE-2025-46386 | 2025-08-06 | N/A | N/A | ||
| CWE-639 Authorization Bypass Through User-Controlled Key | |||||
| CVE-2025-46387 | 2025-08-06 | N/A | N/A | ||
| CWE-639 Authorization Bypass Through User-Controlled Key | |||||
| CVE-2025-24969 | 1 Combodo | 1 Itop | 2025-08-05 | N/A | N/A |
| iTop is an web based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contacts picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue. | |||||
| CVE-2025-53944 | 1 Agpt | 1 Autogpt Platform | 2025-08-05 | N/A | 7.7 HIGH |
| AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents. In v0.6.15 and below, the external API's get_graph_execution_results endpoint has an authorization bypass vulnerability. While it correctly validates user access to the graph_id, it fails to verify ownership of the graph_exec_id parameter, allowing authenticated users to access any execution results by providing arbitrary execution IDs. The internal API implements proper validation for both parameters. This is fixed in v0.6.16. | |||||
| CVE-2025-20214 | 1 Cisco | 1 Ios Xe | 2025-08-05 | N/A | 4.3 MEDIUM |
| A vulnerability in the Network Configuration Access Control Module (NACM) of Cisco IOS XE Software could allow an authenticated, remote attacker to obtain unauthorized read access to configuration or operational data. This vulnerability exists because a subtle change in inner API call behavior causes results to be filtered incorrectly. An attacker could exploit this vulnerability by using either NETCONF, RESTCONF, or gRPC Network Management Interface (gNMI) protocols and query data on paths that may have been denied by the NACM configuration. A successful exploit could allow the attacker to access data that should have been restricted according to the NACM configuration. Note: This vulnerability requires that the attacker obtain the credentials from a valid user with privileges lower than 15, and that NACM was configured to provide restricted read access for that user. | |||||
| CVE-2025-53357 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | N/A |
| GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19. | |||||
| CVE-2025-5947 | 2025-08-04 | N/A | 9.8 CRITICAL | ||
| The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins. | |||||
| CVE-2024-52601 | 1 Combodo | 1 Itop | 2025-08-01 | N/A | N/A |
| iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can have read access to objects they're not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue. | |||||
| CVE-2025-7947 | 1 Jishenghua | 1 Jsherp | 2025-07-30 | N/A | 8.1 HIGH |
| A vulnerability classified as critical has been found in jshERP up to 3.5. Affected is an unknown function of the file /user/delete of the component Account Handler. The manipulation of the argument ID leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||