Search Results (1776 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-1413 2026-04-15 N/A
DaVinci Resolve on MacOS was found to be installed with incorrect file permissions (rwxrwxrwx). This is inconsistent with standard macOS security practices, where applications should have drwxr-xr-x permissions. Incorrect permissions allow for Dylib Hijacking. Guest account, other users and applications can exploit this vulnerability for privilege escalation. This issue affects DaVinci Resolve on MacOS in versions before 19.1.3.
CVE-2025-35999 1 Intel 1 System Firmware Update Utility (sysfwupdt) For Intel(r) Server Boards And Intel(r) Server Systems Based 2026-04-15 6.7 Medium
Incorrect permission assignment for critical resource for some System Firmware Update Utility (SysFwUpdt) for Intel(R) Server Boards and Intel(R) Server Systems Based before version 16.0.12. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
CVE-2024-11497 2026-04-15 8.8 High
An authenticated attacker can use this vulnerability to perform a privilege escalation to gain root access.
CVE-2024-5163 1 Tecno 1 Com.transsion.carlcare 2026-04-15 9.8 Critical
Improper permission settings for mobile applications (com.transsion.carlcare) may lead to user password and account security risks.
CVE-2024-46881 1 Gradle 1 Enterprise 2026-04-15 7.1 High
Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable versions) does not include the projects section of the configuration. This leads to all of the project settings being reset to their defaults when the old schema is loaded. In the case of projects.enabled, the default is false. Thus, using an enterprise config v8 results in Project level access control being disabled, even if it was previously enabled, and previously restricted project information disclosed. Most commonly, this occurs when a Develocity instance is upgraded from an earlier version. Specifically, this occurs if: Develocity 2023.3.X is upgraded to 2023.4.X; Develocity 2023.3.X is upgraded to 2024.1.X up to and including 2024.1.7; or Develocity 2023.4.X is upgraded to 2024.1.X up to and including 2024.1.7. The flaw does not occur when upgrading to a fixed version. An upgrade can only be triggered via administrator access, and cannot be forced by an external attacker.
CVE-2025-46802 1 Gnu 1 Screen 2026-04-15 6 Medium
For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session.
CVE-2024-8039 1 Tecno 1 Com.afmobi.boomplayer 2026-04-15 9.8 Critical
Improper permission configurationDomain configuration vulnerability of the mobile application (com.afmobi.boomplayer) can lead to account takeover risks.
CVE-2025-41664 1 Wago 3 0750-0362, 0750-0363, 0750-0366 2026-04-15 7.5 High
A low-privileged remote attacker could gain unauthorized access to critical resources, such as firmware and certificates, due to improper permission handling during the runtime of services (e.g., FTP/SFTP). This access could allow the attacker to escalate privileges and modify firmware.
CVE-2025-40804 1 Siemens 1 Simatic 2026-04-15 9.1 Critical
A vulnerability has been identified in SIMATIC Virtualization as a Service (SIVaaS) (All versions). The affected application exposes a network share without any authentication. This could allow an attacker to access or alter sensitive data without proper authorization.
CVE-2025-25041 2026-04-15 5.5 Medium
A vulnerability in the HPE Aruba Networking Virtual Intranet Access (VIA) client could allow malicious users to overwrite arbitrary files as NT AUTHORITY\SYSTEM (root). A successful exploit could allow the creation of a Denial-of-Service (DoS) condition affecting the Microsoft Windows Operating System. This vulnerability does not affect Linux and Android based clients.
CVE-2024-39967 2026-04-15 6.5 Medium
Insecure permissions in Aginode GigaSwitch v5 allows attackers to access sensitive information via using the SCP command.
CVE-2024-12363 2026-04-15 7.1 High
Insufficient permissions in the TeamViewer Patch & Asset Management component prior to version 24.12 on Windows allows a local authenticated user to delete arbitrary files. TeamViewer Patch & Asset Management is part of TeamViewer Remote Management.
CVE-2025-52873 1 Cognex 2 In-sight Camera Firmware, In-sight Explorer 2026-04-15 8.1 High
Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication. A user with protected privileges can successfully invoke the SetSystemConfig functionality to modify relevant device properties (such as network settings), contradicting the security model proposed in the user manual.
CVE-2025-52992 2026-04-15 3.2 Low
The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
CVE-2025-31702 1 Dahua 2 Ipc, Sd 2026-04-15 6.8 Medium
A vulnerability exists in certain Dahua embedded products. Third-party malicious attacker with obtained normal user credentials could exploit the vulnerability to access certain data which are restricted to admin privileges, such as system-sensitive files through specific HTTP request. This may cause tampering with admin password, leading to privilege escalation. Systems with only admin account are not affected.
CVE-2024-28589 1 Axigen 1 Axigen Mail Server 2026-04-15 6.7 Medium
An issue was discovered in Axigen Mail Server for Windows versions 10.5.18 and before, allows local low-privileged attackers to execute arbitrary code and escalate privileges via insecure DLL loading from a world-writable directory during service initialization.
CVE-2025-24481 2026-04-15 N/A
An Incorrect Permission Assignment Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect permissions being assigned to the remote debugger port and can allow for unauthenticated access to the system configuration.
CVE-2024-22029 2026-04-15 7.8 High
Insecure permissions in the packaging of tomcat allow local users that win a race during package installation to escalate to root
CVE-2024-28955 2026-04-15 5.9 Medium
Affected devices create coredump files when crashed, storing them with world-readable permission. Any local user of the device can examine the coredump files, and research the memory contents. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].
CVE-2025-34025 1 Versa 1 Concerto 2026-04-15 N/A
The Versa Concerto SD-WAN orchestration platform is vulnerable to an privileges escalation and container escape vulnerability caused by unsafe default mounting of host binary paths that allow the container to modify host paths. The escape can be used to trigger remote code execution or direct host access depending on the host operating system configuration.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.