Search Results (11567 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-59683 1 Pexip 2 Infinity, Pexip Infinity 2026-01-05 8.2 High
Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources, leading to a denial of service.
CVE-2025-66378 1 Pexip 2 Infinity, Pexip Infinity 2026-01-05 5.9 Medium
Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node.
CVE-2025-58052 1 Galette 1 Galette 2026-01-05 8.1 High
Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group managers accounts. Version 1.2.0 fixes the issue.
CVE-2024-31452 1 Openfga 1 Openfga 2026-01-05 8.1 High
OpenFGA is a high-performance and flexible authorization/permission engine. Some end users of OpenFGA v1.5.0 or later are vulnerable to authorization bypass when calling Check or ListObjects APIs. You are very likely affected if your model involves exclusion (e.g. `a but not b`) or intersection (e.g. `a and b`). This vulnerability is fixed in v1.5.3.
CVE-2025-9549 2 Drupal, Facets Project 2 Drupal, Facets 2026-01-05 6.5 Medium
Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing.This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.
CVE-2025-14817 3 Google, Tecno, Transsion 4 Android, Factory Mode App, Hios and 1 more 2026-01-05 6.5 Medium
The component com.transsion.tranfacmode.entrance.main.MainActivity in com.transsion.tranfacmode has no permission control and can be accessed by third-party apps which can construct intents to directly open adb debugging functionality without user interaction.
CVE-2023-52642 2 Debian, Linux 2 Debian Linux, Linux Kernel 2026-01-05 7.8 High
In the Linux kernel, the following vulnerability has been resolved: media: rc: bpf attach/detach requires write permission Note that bpf attach/detach also requires CAP_NET_ADMIN.
CVE-2025-9056 1 Tecno 2 Audiolink, Com.transsion.audiosmartconnect 2026-01-02 5.3 Medium
Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation.
CVE-2024-2231 1 2code 1 Himer 2026-01-02 6.5 Medium
The allows any authenticated user to join a private group due to a missing authorization check on a function
CVE-2024-6695 1 Cozmoslabs 1 Profile Builder 2026-01-02 9.8 Critical
it's possible for an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This is due to improper logic flow on the user registration process.
CVE-2025-68938 1 Gitea 1 Gitea 2026-01-02 4.3 Medium
Gitea before 1.25.2 mishandles authorization for deletion of releases.
CVE-2025-68940 1 Gitea 1 Gitea 2026-01-02 3.1 Low
In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.
CVE-2025-68941 1 Gitea 1 Gitea 2026-01-02 4.9 Medium
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
CVE-2025-66022 2 Factionsecurity, Owasp 2 Faction, Faction 2026-01-02 9.7 Critical
FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.
CVE-2025-53922 1 Galette 1 Galette 2026-01-02 4.9 Medium
Galette is a membership management web application for non profit organizations. Starting in version 1.1.4 and prior to version 1.2.0, a user who is logged in as group manager may bypass intended restrictions on Contributions and Transactions. Version 1.2.0 fixes the issue.
CVE-2025-15085 1 Youlai 1 Youlai-mall 2025-12-31 4.3 Medium
A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-13767 1 Mattermost 2 Mattermost, Mattermost Server 2025-12-31 4.3 Medium
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.
CVE-2025-64641 1 Mattermost 2 Mattermost, Mattermost Server 2025-12-31 4.1 Medium
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts
CVE-2020-36902 1 Medivision 3 Digital Signage, Medivision Digital Signage, Medivision Digital Signage Firmware 2025-12-30 9.8 Critical
UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the 'ft[grp]' parameter. Attackers can send a GET request to /html/user with 'ft[grp]' set to integer value '3' to gain super admin rights without authentication.
CVE-2025-15126 1 Jeecg 2 Jeecg Boot, Jeecgboot 2025-12-30 3.1 Low
A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authorization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.