Search Results (11574 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-69414 1 Plex 1 Media Server 2026-02-27 8.5 High
Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.
CVE-2025-69416 1 Plex 1 Media Server 2026-02-27 5 Medium
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.
CVE-2025-69417 1 Plex 1 Media Server 2026-02-27 5 Medium
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.
CVE-2025-6685 1 Aten 1 Eco Dc 2026-02-26 N/A
ATEN eco DC Missing Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of ATEN eco DC. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based interface. The issue results from the lack of validating the assigned user role when handling requests. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-26647.
CVE-2025-67856 1 Moodle 1 Moodle 2026-02-26 5.4 Medium
A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features.
CVE-2024-45328 1 Fortinet 1 Fortisandbox 2026-02-26 7.1 High
An incorrect authorization vulnerability [CWE-863] in FortiSandbox 4.4.0 through 4.4.6 may allow a low priviledged administrator to execute elevated CLI commands via the GUI console menu.
CVE-2023-52163 1 Digiever 4 Ds-2105 Pro, Ds-2105 Pro\+, Ds-2105 Pro\+ Firmware and 1 more 2026-02-26 8.8 High
Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-21403 1 Microsoft 2 On-prem Data Gateway, Sap Hana Enabled Sso For Onpremises Data Gateway 2026-02-26 6.4 Medium
On-Premises Data Gateway Information Disclosure Vulnerability
CVE-2025-24434 1 Adobe 3 Commerce, Commerce B2b, Magento 2026-02-26 9.1 Critical
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
CVE-2025-21556 1 Oracle 2 Agile Plm Framework, Agile Product Lifecycle Management 2026-02-26 9.9 Critical
Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Agile Integration Services). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM Framework. While the vulnerability is in Oracle Agile PLM Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
CVE-2025-21569 1 Oracle 1 Hyperion Data Relationship Management 2026-02-26 6.6 Medium
Vulnerability in the Oracle Hyperion Data Relationship Management product of Oracle Hyperion (component: Web Services). The supported version that is affected is 11.2.19.0.000. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Data Relationship Management. Successful attacks of this vulnerability can result in takeover of Oracle Hyperion Data Relationship Management. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
CVE-2025-21396 1 Microsoft 2 Account, Micrososft Account 2026-02-26 8.2 High
Missing authorization in Microsoft Account allows an unauthorized attacker to elevate privileges over a network.
CVE-2025-21416 1 Microsoft 1 Azure Virtual Desktop 2026-02-26 8.5 High
Missing authorization in Azure Virtual Desktop allows an authorized attacker to elevate privileges over a network.
CVE-2025-36546 1 F5 2 F5os-a, F5os-c 2026-02-26 8.1 High
On an F5OS system, if the root user had previously configured the system to allow login via SSH key-based authentication, and then enabled Appliance Mode; access via SSH key-based authentication is still allowed. For an attacker to exploit this vulnerability they must obtain the root user's SSH private key.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2025-46265 1 F5 2 F5os-a, F5os-c 2026-02-26 8.8 High
On F5OS, an improper authorization vulnerability exists where remotely authenticated users (LDAP, RADIUS, TACACS+) may be authorized with higher privilege F5OS roles. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2025-26330 1 Dell 1 Powerscale Onefs 2026-02-26 7 High
Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an incorrect authorization vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability to access the cluster with previous privileges of a disabled user account.
CVE-2025-43561 1 Adobe 1 Coldfusion 2026-02-26 9.1 Critical
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass authentication mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
CVE-2025-43564 1 Adobe 1 Coldfusion 2026-02-26 9.1 Critical
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. A high-privileged attacker could leverage this vulnerability to access or modify sensitive data without proper authorization. Exploitation of this issue does not require user interaction, and scope is changed
CVE-2025-43565 1 Adobe 1 Coldfusion 2026-02-26 8.4 High
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed.
CVE-2025-25251 1 Fortinet 1 Forticlient 2026-02-26 7.4 High
An Incorrect Authorization vulnerability [CWE-863] in FortiClient Mac 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14 may allow a local attacker to escalate privileges via crafted XPC messages.