CVE Search

| ID | Description | Severity | Updated |
| --- | --- | --- | --- |
| CVE-2020-8206 | An improper authentication vulnerability exists in Pulse Connect Secure <9.1RB that allows an attacker with a users primary credentials to bypass the Google TOTP. | high | |
| CVE-2023-28472 | Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies. | medium | |
| CVE-2023-5920 | Mattermost Desktop for MacOS fails to utilize the secure keyboard input functionality provided by macOS, allowing for other processes to read the keyboard input. | low | |
| CVE-2024-7634 | NGINX Agent's "config_dirs" restriction feature allows a highly privileged attacker to gain the ability to write/overwrite files outside of the designated secure directory. | medium | |
| CVE-2026-1697 | The Secure and SameSite attribute are missing in the GraphicalData web services and WebClient web app of PcVue in version 12.0.0 through 16.3.3 included. | medium | |
| CVE-2021-46771 | Insufficient validation of addresses in AMD Secure Processor (ASP) firmware system call may potentially lead to arbitrary code execution by a compromised user application. | high | |
| CVE-2026-27445 | SEPPmail Secure Email Gateway before version 15.0.1 does not properly verify that a PGP signature was generated by the expected key, allowing signature spoofing. | medium | |
| CVE-2012-2495 | The HostScan downloader implementation in Cisco AnyConnect Secure Mobility Client 3.x before 3.0 MR8 and Cisco Secure Desktop before 3.6.6020 does not compare the timestamp of offered software to the timestamp of installed software, which allows remote attackers to force a version downgrade by using (1) ActiveX or (2) Java components to offer signed code that corresponds to an older software release, aka Bug ID CSCtx74235. | high | |
| CVE-2009-1978 | Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the July 2009 Oracle CPU. Oracle has not commented on claims from an independent researcher that this vulnerability allows remote authenticated users to execute arbitrary code with SYSTEM privileges via vectors involving property_box.php. | critical | |
| CVE-2017-18020 | On Samsung mobile devices with L(5.x), M(6.x), and N(7.x) software and Exynos chipsets, attackers can execute arbitrary code in the bootloader because S Boot omits a size check during a copy of ramfs data to memory. The Samsung ID is SVE-2017-10598. | high | |
| CVE-2025-52364 | Insecure Permissions vulnerability in Tenda CP3 Pro Firmware V22.5.4.93 allows the telnet service (telnetd) by default at boot via the initialization script /etc/init.d/eth.sh. This allows remote attackers to connect to the device's shell over the network, potentially without authentication if default or weak credentials are present | high | |
| CVE-2008-3901 | Software suspend 2 2-2.2.1, when used with the Linux kernel 2.6.16, stores pre-boot authentication passwords in the BIOS Keyboard buffer and does not clear this buffer after use, which allows local users to obtain sensitive information by reading the physical memory locations associated with this buffer. | high | |
| CVE-2016-6594 | Blue Coat Advanced Secure Gateway 6.6, CacheFlow 3.4, ProxySG 6.5 and 6.6 allows remote attackers to bypass blocked requests, user authentication, and payload scanning. | high | |
| CVE-2017-14935 | Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly validate requests, which allows remote users to query and obtain sensitive information. | high | |
| CVE-2021-26396 | Insufficient validation of address mapping to IO in ASP (AMD Secure Processor) may result in a loss of memory integrity in the SNP guest. | medium | |
| CVE-2023-5594 | Improper validation of the server’s certificate chain in secure traffic scanning feature considered intermediate certificate signed using the MD5 or SHA1 algorithm as trusted. | high | |
| CVE-2023-47147 | IBM Sterling Secure Proxy 6.0.3 and 6.1.0 could allow an attacker to overwrite a log message under specific conditions. IBM X-Force ID: 270598. | medium | |
| CVE-2015-2248 | Cross-site request forgery (CSRF) vulnerability in the user portal in Dell SonicWALL Secure Remote Access (SRA) products with firmware before 7.5.1.0-38sv and 8.x before 8.0.0.1-16sv allows remote attackers to hijack the authentication of users for requests that create bookmarks via a crafted request to cgi-bin/editBookmark. | high | |
| CVE-2015-6305 | Untrusted search path vulnerability in the CMainThread::launchDownloader function in vpndownloader.exe in Cisco AnyConnect Secure Mobility Client 2.0 through 4.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by dbghelp.dll, aka Bug ID CSCuv01279. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4211. | high | |
| CVE-2023-30222 | An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to retrieve password hashes for all users via eavesdropping. | high | |
| CVE-2021-44751 | A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website attached with USSD code in JavaScript or iFrame can trigger dialer application from F-Secure browser which can be exploited by an attacker to send unwanted USSD messages or perform unwanted calls. In most modern Android OS, dialer application will require user interaction, however, some older Android OS may not need user interaction. | medium | |
| CVE-2018-11971 | Interrupt exit code flow may undermine access control policy set forth by secure world can lead to potential secure asset leakage in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, in MDM9206, MDM9607, MDM9650, MDM9655, QCS605, SD 410/12, SD 615/16/SD 415, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SD 8CX, SDA660, SDM630, SDM660, SXR1130 | medium | |
| CVE-2019-1044 | A security feature bypass vulnerability exists when Windows Secure Kernel Mode fails to properly handle objects in memory. To exploit the vulnerability, a locally-authenticated attacker could attempt to run a specially crafted application on a targeted system. An attacker who successfully exploited the vulnerability could violate virtual trust levels (VTL). The update addresses the vulnerability by correcting how Windows Secure Kernel Mode handles objects in memory to properly enforce VTLs. | medium | |
| CVE-2025-54087 | CVE-2025-54087 is a server-side request forgery vulnerability in Secure Access prior to version 14.10. Attackers with administrative privileges can publish a crafted test HTTP request originating from the Secure Access server. The attack complexity is high, there are no attack requirements, and user interaction is required. There is no direct impact to confidentiality, integrity, or availability. There is a low severity subsequent system impact to integrity. | low | |
| CVE-2020-8243 | A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution. | high | |
| CVE-2012-1685 | Unspecified vulnerability in the Secure Global Desktop component in Oracle Virtualization 4.6 allows remote attackers to affect integrity via unknown vectors related to Core. | high | |
| CVE-2018-2500 | Under certain conditions SAP Mobile Secure Android client (before version 6.60.19942.0 SP28 1711) allows an attacker to access information which would otherwise be restricted. | medium | |
| CVE-2020-8221 | A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 which allows an authenticated attacker to read arbitrary files via the administrator web interface. | medium | |
| CVE-2020-12930 | Improper parameters handling in AMD Secure Processor (ASP) drivers may allow a privileged attacker to elevate their privileges potentially leading to loss of integrity. | high | |
| CVE-2023-3488 | Uninitialized buffer in GBL parser in Silicon Labs GSDK v4.3.0 and earlier allows attacker to leak data from Secure stack via malformed GBL file. | medium | |
| CVE-2023-46810 | A local privilege escalation vulnerability in Ivanti Secure Access Client for Linux before 22.7R1, allows a low privileged user to execute code as root. | high | |
| CVE-2002-2012 | Unknown vulnerability in Apache 1.3.19 running on HP Secure OS for Linux 1.0 allows remote attackers to cause "unexpected results" via an HTTP request. | high | |
| CVE-2004-2544 | Admin Console in Secure Computing Corporation Sidewinder G2 6.1.0.01 exports private keys when exporting firewall certificates, which might allow attackers to obtain sensitive information. | high | |
| CVE-2020-8260 | A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. | high | |
| CVE-2020-8263 | A vulnerability in the authenticated user web interface of Pulse Connect Secure < 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file. | medium | |
| CVE-2022-39912 | Improper handling of insufficient permissions vulnerability in setSecureFolderPolicy in PersonaManagerService prior to Android T(13) allows local attackers to set some setting value in Secure folder. | low | |
| CVE-2023-3209 | The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. | low | |
| CVE-2023-28869 | Support Assistant in NCP Secure Enterprise Client before 12.22 allows attackers read the contents of arbitrary files on the operating system by creating a symbolic link. | medium | |
| CVE-2006-2092 | Unspecified vulnerability in HP StorageWorks Secure Path for Windows 4.0C-SP2 before 20060419 allows remote attackers to cause an unspecified denial of service via unknown vectors. | high | |
| CVE-2000-0602 | Secure Locate (slocate) in Red Hat Linux allows local users to gain privileges via a malformed configuration file that is specified in the LOCATE_PATH environmental variable. | high | |
| CVE-2001-1146 | AllCommerce with debugging enabled in EnGarde Secure Linux 1.0.1 creates temporary files with predictable names, which allows local users to modify files via a symlink attack. | medium | |
| CVE-2009-0428 | SQL injection vulnerability in CategoryManager/upload_image_category.asp in DMXReady Secure Document Library 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cid parameter. | critical | |
| CVE-2013-3834 | Unspecified vulnerability in the Oracle Secure Global Desktop component in Oracle Virtualization 5 allows remote attackers to affect availability via unknown vectors related to ttaauxserv. | high | |
| CVE-2016-0501 | Unspecified vulnerability in the Oracle Secure Global Desktop component in Oracle Virtualization 5.2 allows remote attackers to affect availability via vectors related to SGD Core. | high | |
| CVE-2020-12931 | Improper parameters handling in the AMD Secure Processor (ASP) kernel may allow a privileged attacker to elevate their privileges potentially leading to loss of integrity. | high | |
| CVE-2023-28870 | Insecure File Permissions in Support Assistant in NCP Secure Enterprise Client before 12.22 allow attackers to write to configuration files from low-privileged user accounts. | medium | |
| CVE-2025-7390 | A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication. | critical | |
| CVE-2001-0739 | Guardian Digital WebTool in EnGarde Secure Linux 1.0.1 allows restarted services to inherit some environmental variables, which could allow local users to gain root privileges. | high | |
| CVE-2019-17190 | A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the elevated process cleans the ACL of the Update.ini file in %PROGRAMDATA%\Avast Software\Browser\Update\ and sets all privileges to group Everyone. Because any low-privileged user can create, delete, or modify the Update.ini file stored in this location, an attacker with low privileges can create a hard link named Update.ini in this folder, and make it point to a file writable by NT AUTHORITY\SYSTEM. Once AvastBrowserUpdate.exe is triggered by the update check functionality, the DACL is set to a misconfigured value on the crafted Update.ini and, consequently, to the target file that was previously not writable by the low-privileged attacker. | high | |
| CVE-2021-3179 | GGLocker iOS application, contains an insecure data storage of the password hash value which results in an authentication bypass. | medium | |