OpenStack Cyborg before 16.0.1 fails to enforce project ownership in the Accelerator Request (ARQ) API, allowing any authenticated non-admin user to delete, modify, or access ARQs bound to other projects' instances across tenant boundaries. The vulnerability stems from a combination of unpopulated project_id columns, missing database-layer filtering, and self-referential authorization checks, enabling cross-tenant denial of service and potential information disclosure. Severity is moderate (CVSS 6.3); the vulnerability requires valid authentication but no special privileges or user interaction, making it exploitable by any tenant user in multi-tenant OpenStack deployments.
Improper ownership management in Moxa Secure Router allows low-privileged authenticated users to access exported configuration files containing hashed administrative passwords, enabling credential disclosure. The vulnerability is confined to scenarios where configuration files have been exported and requires valid user credentials to exploit; no impact to system integrity or availability has been identified.
An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to access unauthorized content within the private data network. With a CVSS score of 8.8 (High), an attacker with low-level authenticated access can potentially access, modify, or delete sensitive data they should not have permissions to view. No public proof-of-concept or active exploitation (KEV listing) has been reported at this time.
In JetBrains TeamCity before 2025.07.1, privilege escalation was possible due to incorrect directory ownership. Rated high severity (CVSS 7.5). No vendor patch available.
IBM OpenPages with Watson 8.3 and 9.0 could allow an authenticated user to obtain sensitive information that should only be available to privileged users.
This privilege escalation vulnerability (CVSS 2.9) allows a bypass of build isolation. Remediation should follow standard vulnerability management procedures.
CVE-2025-3629 is a security vulnerability (CVSS 4.3) exploitable by an authenticated user. Remediation should follow standard vulnerability management procedures.
This vulnerability allows any attacker to add playlists to a different user's channel using the ActivityPub protocol. Rated medium severity (CVSS 5.3), it is remotely exploitable with low attack complexity and requires no authentication. Public exploit code is available and no vendor patch is available.
This vulnerability allows an existing user to add playlists to a different user's channel using the PeerTube REST API. Rated medium severity (CVSS 4.3), it is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.
CWE-282 "Improper Ownership Management" in GE Vernova EnerVista UR Setup allows Authentication Bypass. The software's startup authentication can be disabled by altering a Windows registry setting that any user can modify. [CVSS 8.0 HIGH]