Search criteria
44 vulnerabilities
CVE-2026-40951 (GCVE-0-2026-40951)
Vulnerability from cvelistv5 – Published: 2026-04-30 20:22 – Updated: 2026-05-01 14:29
VLAI?
Title
Memory corruption in Secure Access Windows clients prior to 14.50
Summary
CVE-2026-40951 is a memory corruption vulnerability on Secure Access
Windows clients prior to 14.50. Attackers with local control of the
Windows client can send malformed data to an API and trigger a denial of
service.
Severity ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Software | Secure Access |
Affected:
0 , < 14.50
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:29:02.301464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:29:48.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Windows client"
],
"platforms": [
"Windows"
],
"product": "Secure Access",
"vendor": "Absolute Software",
"versions": [
{
"lessThan": "14.50",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-40951 is a memory corruption vulnerability on Secure Access \nWindows clients prior to 14.50. Attackers with local control of the \nWindows client can send malformed data to an API and trigger a denial of\n service."
}
],
"value": "CVE-2026-40951 is a memory corruption vulnerability on Secure Access \nWindows clients prior to 14.50. Attackers with local control of the \nWindows client can send malformed data to an API and trigger a denial of\n service."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:22:16.201Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40951"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Memory corruption in Secure Access Windows clients prior to 14.50",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-40951",
"datePublished": "2026-04-30T20:22:16.201Z",
"dateReserved": "2026-04-16T00:19:03.573Z",
"dateUpdated": "2026-05-01T14:29:48.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40950 (GCVE-0-2026-40950)
Vulnerability from cvelistv5 – Published: 2026-04-30 20:19 – Updated: 2026-05-01 14:31
VLAI?
Title
Buffer overflow in the Secure Access server prior to 14.50
Summary
CVE-2026-40950 is a buffer overflow vulnerability in the Secure Access
server prior to 14.50. Attackers with control of a modified client can
send a specially crafted message to the server and cause a denial of
service
Severity ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Software | Secure Access |
Affected:
0 , < 14.50
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:30:52.080810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:31:19.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Server"
],
"platforms": [
"Windows"
],
"product": "Secure Access",
"vendor": "Absolute Software",
"versions": [
{
"lessThan": "14.50",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-40950 is a buffer overflow vulnerability in the Secure Access \nserver prior to 14.50. Attackers with control of a modified client can \nsend a specially crafted message to the server and cause a denial of \nservice"
}
],
"value": "CVE-2026-40950 is a buffer overflow vulnerability in the Secure Access \nserver prior to 14.50. Attackers with control of a modified client can \nsend a specially crafted message to the server and cause a denial of \nservice"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:19:11.609Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40950"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Buffer overflow in the Secure Access server prior to 14.50",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-40950",
"datePublished": "2026-04-30T20:19:11.609Z",
"dateReserved": "2026-04-16T00:19:03.573Z",
"dateUpdated": "2026-05-01T14:31:19.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40949 (GCVE-0-2026-40949)
Vulnerability from cvelistv5 – Published: 2026-04-30 20:16 – Updated: 2026-05-01 14:32
VLAI?
Title
Buffer overflow in Windows clients prior to 14.50
Summary
CVE-2026-40949 is a buffer overflow vulnerability in the Secure Access
Windows client prior to 14.50. Attackers with local control of the
Windows client can use it to trigger a denial of service.
Severity ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Software | Secure Access |
Affected:
0 , < 14.50
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40949",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:31:44.551419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:32:04.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Windows client"
],
"platforms": [
"Windows"
],
"product": "Secure Access",
"vendor": "Absolute Software",
"versions": [
{
"lessThan": "14.50",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-40949 is a buffer overflow vulnerability in the Secure Access \nWindows client prior to 14.50. Attackers with local control of the \nWindows client can use it to trigger a denial of service."
}
],
"value": "CVE-2026-40949 is a buffer overflow vulnerability in the Secure Access \nWindows client prior to 14.50. Attackers with local control of the \nWindows client can use it to trigger a denial of service."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:16:19.912Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40949"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Buffer overflow in Windows clients prior to 14.50",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-40949",
"datePublished": "2026-04-30T20:16:19.912Z",
"dateReserved": "2026-04-16T00:19:03.573Z",
"dateUpdated": "2026-05-01T14:32:04.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33452 (GCVE-0-2026-33452)
Vulnerability from cvelistv5 – Published: 2026-04-30 20:12 – Updated: 2026-05-01 14:30
VLAI?
Title
Buffer overflow in Windows clients prior to 14.50
Summary
CVE-2026-33452 is a buffer overflow vulnerability in the Secure Access
Windows client prior to 14.50. Attackers with local control of the
Windows client can use it to ‘blue screen’ the system.
Severity ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Software | Secure Access |
Affected:
0 , < 14.50
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33452",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:30:08.157097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:30:27.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Windows client"
],
"platforms": [
"Windows"
],
"product": "Secure Access",
"vendor": "Absolute Software",
"versions": [
{
"lessThan": "14.50",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-33452 is a buffer overflow vulnerability in the Secure Access \nWindows client prior to 14.50. Attackers with local control of the \nWindows client can use it to \u2018blue screen\u2019 the system."
}
],
"value": "CVE-2026-33452 is a buffer overflow vulnerability in the Secure Access \nWindows client prior to 14.50. Attackers with local control of the \nWindows client can use it to \u2018blue screen\u2019 the system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:12:16.166Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33452"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Buffer overflow in Windows clients prior to 14.50",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-33452",
"datePublished": "2026-04-30T20:12:16.166Z",
"dateReserved": "2026-03-19T23:04:05.696Z",
"dateUpdated": "2026-05-01T14:30:27.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33451 (GCVE-0-2026-33451)
Vulnerability from cvelistv5 – Published: 2026-04-30 20:08 – Updated: 2026-05-01 14:36
VLAI?
Title
Arbitrary read/write vulnerability in Windows clients prior to 14.50
Summary
CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure
Access Windows client prior to 14.50. Attackers with local control of
the Windows client can send malformed data to an API and elevate their
level of privilege to system.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Software | Secure Access |
Affected:
0 , < 14.50
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33451",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:36:03.654479Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:36:19.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Windows client"
],
"platforms": [
"Windows"
],
"product": "Secure Access",
"vendor": "Absolute Software",
"versions": [
{
"lessThan": "14.50",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure \nAccess Windows client prior to 14.50. Attackers with local control of \nthe Windows client can send malformed data to an API and elevate their \nlevel of privilege to system."
}
],
"value": "CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure \nAccess Windows client prior to 14.50. Attackers with local control of \nthe Windows client can send malformed data to an API and elevate their \nlevel of privilege to system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:08:03.213Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Arbitrary read/write vulnerability in Windows clients prior to 14.50",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-33451",
"datePublished": "2026-04-30T20:08:03.213Z",
"dateReserved": "2026-03-19T23:04:05.696Z",
"dateUpdated": "2026-05-01T14:36:19.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33450 (GCVE-0-2026-33450)
Vulnerability from cvelistv5 – Published: 2026-04-30 20:04 – Updated: 2026-05-01 14:35
VLAI?
Title
Out of bounds read in Secure Access MacOS clients prior to 14.50
Summary
CVE-2026-33450 is an out of bounds read vulnerability in the Secure
Access MacOS client prior to 14.50. Attackers with control of a modified
server can send a malformed packet to the client causing a denial of
service.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Software | Secure Access |
Affected:
0 , < 14.50
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33450",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:35:24.810504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:35:43.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Client"
],
"platforms": [
"MacOS"
],
"product": "Secure Access",
"vendor": "Absolute Software",
"versions": [
{
"lessThan": "14.50",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-33450 is an out of bounds read vulnerability in the Secure \nAccess MacOS client prior to 14.50. Attackers with control of a modified\n server can send a malformed packet to the client causing a denial of \nservice. \u0026nbsp;"
}
],
"value": "CVE-2026-33450 is an out of bounds read vulnerability in the Secure \nAccess MacOS client prior to 14.50. Attackers with control of a modified\n server can send a malformed packet to the client causing a denial of \nservice."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:04:14.383Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33450"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Out of bounds read in Secure Access MacOS clients prior to 14.50",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-33450",
"datePublished": "2026-04-30T20:04:14.383Z",
"dateReserved": "2026-03-19T23:04:05.696Z",
"dateUpdated": "2026-05-01T14:35:43.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33449 (GCVE-0-2026-33449)
Vulnerability from cvelistv5 – Published: 2026-04-30 19:52 – Updated: 2026-05-01 14:33
VLAI?
Title
Message handler buffer overflow in clients prior to 14.50
Summary
CVE-2026-33449 is a buffer overflow in a message handling function of
the Secure Access client prior to 14.50. Attackers with control of
a modified server can send a cryptographically valid message to the
client, overwriting a small portion of memory conceivably leading to a
denial of service.
Severity ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Software | Secure Access |
Affected:
0 , < 14.50
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33449",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:32:57.858228Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:33:13.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Client"
],
"product": "Secure Access",
"vendor": "Absolute Software",
"versions": [
{
"lessThan": "14.50",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-33449 is a buffer overflow in a message handling function of \nthe Secure Access client prior to 14.50. Attackers with control of \na modified server can send a cryptographically valid message to the \nclient, overwriting a small portion of memory conceivably leading to a \ndenial of service."
}
],
"value": "CVE-2026-33449 is a buffer overflow in a message handling function of \nthe Secure Access client prior to 14.50. Attackers with control of \na modified server can send a cryptographically valid message to the \nclient, overwriting a small portion of memory conceivably leading to a \ndenial of service."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T19:52:01.980Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33449"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Message handler buffer overflow in clients prior to 14.50",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-33449",
"datePublished": "2026-04-30T19:52:01.980Z",
"dateReserved": "2026-03-19T23:04:05.696Z",
"dateUpdated": "2026-05-01T14:33:13.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33448 (GCVE-0-2026-33448)
Vulnerability from cvelistv5 – Published: 2026-04-30 19:47 – Updated: 2026-05-01 14:35
VLAI?
Title
Format string vulnerability in MacOS clients prior to 14.50
Summary
CVE-2026-33448 is a format string vulnerability in the logging subsystem
of Secure Access client for MacOS prior to 14.50. Attackers with
control of a modified server can force the client to dump the contents
of a small portion of memory to the log files potentially revealing
secrets.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Software | Secure Access |
Affected:
0 , < 14.50
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:34:04.320380Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:35:03.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Client"
],
"platforms": [
"MacOS"
],
"product": "Secure Access",
"vendor": "Absolute Software",
"versions": [
{
"lessThan": "14.50",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-33448 is a format string vulnerability in the logging subsystem\n of Secure Access client for MacOS prior to 14.50. Attackers with \ncontrol of a modified server can force the client to dump the contents \nof a small portion of memory to the log files potentially revealing \nsecrets."
}
],
"value": "CVE-2026-33448 is a format string vulnerability in the logging subsystem\n of Secure Access client for MacOS prior to 14.50. Attackers with \ncontrol of a modified server can force the client to dump the contents \nof a small portion of memory to the log files potentially revealing \nsecrets."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T19:47:50.031Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33448"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Format string vulnerability in MacOS clients prior to 14.50",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-33448",
"datePublished": "2026-04-30T19:47:50.031Z",
"dateReserved": "2026-03-19T23:04:05.695Z",
"dateUpdated": "2026-05-01T14:35:03.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33447 (GCVE-0-2026-33447)
Vulnerability from cvelistv5 – Published: 2026-04-30 19:43 – Updated: 2026-05-01 14:32
VLAI?
Summary
CVE-2026-33447 is a buffer overflow in a message parsing function of the
Secure Access client prior to 14.50. Attackers with control of a
modified server can send a special packet that can overwrite a small
portion of memory conceivably leading to memory corruption or denial of
service.
Severity ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Software | Secure Access |
Affected:
0 , < 14.50
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T14:32:25.804347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:32:40.680Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Client"
],
"product": "Secure Access",
"vendor": "Absolute Software",
"versions": [
{
"lessThan": "14.50",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-33447 is a buffer overflow in a message parsing function of the\n Secure Access client prior to 14.50. Attackers with control of a \nmodified server can send a special packet that can overwrite a small \nportion of memory conceivably leading to memory corruption or denial of \nservice."
}
],
"value": "CVE-2026-33447 is a buffer overflow in a message parsing function of the\n Secure Access client prior to 14.50. Attackers with control of a \nmodified server can send a special packet that can overwrite a small \nportion of memory conceivably leading to memory corruption or denial of \nservice."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T19:43:27.437Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33447"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-33447",
"datePublished": "2026-04-30T19:43:27.437Z",
"dateReserved": "2026-03-19T23:04:05.695Z",
"dateUpdated": "2026-05-01T14:32:40.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33446 (GCVE-0-2026-33446)
Vulnerability from cvelistv5 – Published: 2026-04-30 19:36 – Updated: 2026-04-30 20:11
VLAI?
Title
Buffer overflow in client authentication prior to version 14.50
Summary
CVE-2026-33446 is a buffer overflow in the authentication sub-system of
the Secure Access client prior to 14.50. Attackers with control of a
modified server can send a special packet that can overwrite a small
portion of memory conceivably leading to memory corruption or a denial
of service.
Severity ?
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Software | Secure Access |
Affected:
0 , < 14.50
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33446",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T20:10:07.269398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T20:11:21.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Client"
],
"product": "Secure Access",
"vendor": "Absolute Software",
"versions": [
{
"lessThan": "14.50",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-33446 is a buffer overflow in the authentication sub-system of \nthe Secure Access client prior to 14.50. Attackers with control of a \nmodified server can send a special packet that can overwrite a small \nportion of memory conceivably leading to memory corruption or a denial \nof service."
}
],
"value": "CVE-2026-33446 is a buffer overflow in the authentication sub-system of \nthe Secure Access client prior to 14.50. Attackers with control of a \nmodified server can send a special packet that can overwrite a small \nportion of memory conceivably leading to memory corruption or a denial \nof service."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T19:39:31.464Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33446"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Buffer overflow in client authentication prior to version 14.50",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-33446",
"datePublished": "2026-04-30T19:36:37.319Z",
"dateReserved": "2026-03-19T23:04:05.695Z",
"dateUpdated": "2026-04-30T20:11:21.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0519 (GCVE-0-2026-0519)
Vulnerability from cvelistv5 – Published: 2026-01-17 01:13 – Updated: 2026-01-20 18:39
VLAI?
Title
Information Disclosure in Secure Access Between 12.70 and 14.20
Summary
In Secure Access 12.70 and prior to 14.20, the logging
subsystem may write an unredacted authentication token to logs under
certain configurations. Any party with access to those logs could read
the token and reuse it to access an integrated system.
Severity ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
12.70 , < 14.20
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0519",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T18:37:55.973582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T18:39:13.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "14.20",
"status": "affected",
"version": "12.70",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Secure Access 12.70 and prior to 14.20, the logging \nsubsystem may write an unredacted authentication token to logs under \ncertain configurations. Any party with access to those logs could read \nthe token and reuse it to access an integrated system."
}
],
"value": "In Secure Access 12.70 and prior to 14.20, the logging \nsubsystem may write an unredacted authentication token to logs under \ncertain configurations. Any party with access to those logs could read \nthe token and reuse it to access an integrated system."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T01:13:59.183Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0519"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Disclosure in Secure Access Between 12.70 and 14.20",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-0519",
"datePublished": "2026-01-17T01:13:59.183Z",
"dateReserved": "2025-12-12T17:25:37.542Z",
"dateUpdated": "2026-01-20T18:39:13.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0518 (GCVE-0-2026-0518)
Vulnerability from cvelistv5 – Published: 2026-01-17 01:09 – Updated: 2026-01-20 18:37
VLAI?
Title
XSS in Secure Access Consoles prior to 14.20
Summary
CVE-2026-0518 is a cross-site scripting vulnerability in versions of
Secure Access prior to 14.20. An attacker with administrative privileges
can interfere with another administrator’s use of the console.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 14.20
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0518",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T18:36:53.770005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T18:37:15.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "14.20",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-0518 is a cross-site scripting vulnerability in versions of \nSecure Access prior to 14.20. An attacker with administrative privileges\n can interfere with another administrator\u2019s use of the console."
}
],
"value": "CVE-2026-0518 is a cross-site scripting vulnerability in versions of \nSecure Access prior to 14.20. An attacker with administrative privileges\n can interfere with another administrator\u2019s use of the console."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T01:09:29.268Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0518"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS in Secure Access Consoles prior to 14.20",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-0518",
"datePublished": "2026-01-17T01:09:29.268Z",
"dateReserved": "2025-12-12T17:25:32.054Z",
"dateUpdated": "2026-01-20T18:37:15.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0517 (GCVE-0-2026-0517)
Vulnerability from cvelistv5 – Published: 2026-01-17 01:04 – Updated: 2026-01-20 18:34
VLAI?
Title
Denial of Service in Secure Access Servers Prior to 14.20.
Summary
CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure
Access Server prior to 14.20. An attacker can send a specially crafted packet
to a server and cause the server to crash
Severity ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 14.20
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T18:33:24.121292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T18:34:14.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "14.20",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure\n Access Server prior to 14.20. An attacker can send a specially crafted packet \nto a server and cause the server to crash"
}
],
"value": "CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure\n Access Server prior to 14.20. An attacker can send a specially crafted packet \nto a server and cause the server to crash"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T01:04:55.634Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0517"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Denial of Service in Secure Access Servers Prior to 14.20.",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2026-0517",
"datePublished": "2026-01-17T01:04:55.634Z",
"dateReserved": "2025-12-12T17:25:10.814Z",
"dateUpdated": "2026-01-20T18:34:14.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59596 (GCVE-0-2025-59596)
Vulnerability from cvelistv5 – Published: 2025-11-04 22:51 – Updated: 2025-11-05 14:18
VLAI?
Summary
CVE-2025-59596 is a denial-of-service vulnerability in Secure Access
Windows client versions 12.0 to 14.10 that is addressed in version
14.12. If a local networking policy is active, attackers on an adjacent
network may be able to send a crafted packet and cause the client system
to crash.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
12.0 , < 14.12
(Client)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T14:17:06.819066Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T14:18:58.843Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "14.12",
"status": "affected",
"version": "12.0",
"versionType": "Client"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2025-59596 is a denial-of-service vulnerability in Secure Access \nWindows client versions 12.0 to 14.10 that is addressed in version \n14.12. If a local networking policy is active, attackers on an adjacent \nnetwork may be able to send a crafted packet and cause the client system\n to crash."
}
],
"value": "CVE-2025-59596 is a denial-of-service vulnerability in Secure Access \nWindows client versions 12.0 to 14.10 that is addressed in version \n14.12. If a local networking policy is active, attackers on an adjacent \nnetwork may be able to send a crafted packet and cause the client system\n to crash."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T22:51:39.048Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-59596"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-59596",
"datePublished": "2025-11-04T22:51:31.244Z",
"dateReserved": "2025-09-17T19:43:47.507Z",
"dateUpdated": "2025-11-05T14:18:58.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59595 (GCVE-0-2025-59595)
Vulnerability from cvelistv5 – Published: 2025-11-04 22:46 – Updated: 2025-12-01 22:39
VLAI?
Summary
CVE-2025-59595 is an internally discovered denial of service
vulnerability in versions of Secure Access prior to 14.12. An attacker
can send a specially crafted packet to a server in a non-default
configuration and cause the server to crash.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute | Secure Access |
Affected:
0 , < 14.12
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T14:26:03.003122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T22:39:46.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute",
"versions": [
{
"lessThan": "14.12",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2025-59595 is an internally discovered denial of service \nvulnerability in versions of Secure Access prior to 14.12. An attacker \ncan send a specially crafted packet to a server in a non-default \nconfiguration and cause the server to crash."
}
],
"value": "CVE-2025-59595 is an internally discovered denial of service \nvulnerability in versions of Secure Access prior to 14.12. An attacker \ncan send a specially crafted packet to a server in a non-default \nconfiguration and cause the server to crash."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T22:57:45.870Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-59595"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-59595",
"datePublished": "2025-11-04T22:46:38.884Z",
"dateReserved": "2025-09-17T19:43:47.506Z",
"dateUpdated": "2025-12-01T22:39:46.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54089 (GCVE-0-2025-54089)
Vulnerability from cvelistv5 – Published: 2025-10-02 20:15 – Updated: 2025-10-03 14:59
VLAI?
Title
Cross-site Scripting vulnerability in Secure Access prior to 14.10
Summary
CVE-2025-54089 is a cross-site scripting vulnerability in versions
of secure access prior to 14.10. Attackers with administrative access to the
console can interfere with another administrator’s access to the console. The
attack complexity is low; there are no attack requirements. Privileges required
to execute the attack are high and the victim must actively participate in the
attack sequence. There is no impact to confidentiality or availability, there
is a low impact to integrity.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 14.10
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54089",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-03T14:59:41.891024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T14:59:45.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "14.10",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-54089 is a cross-site scripting vulnerability in versions\nof secure access prior to 14.10. Attackers with administrative access to the\nconsole can interfere with another administrator\u2019s access to the console. The\nattack complexity is low; there are no attack requirements. Privileges required\nto execute the attack are high and the victim must actively participate in the\nattack sequence. There is no impact to confidentiality or availability, there\nis a low impact to integrity.\u003c/p\u003e\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "CVE-2025-54089 is a cross-site scripting vulnerability in versions\nof secure access prior to 14.10. Attackers with administrative access to the\nconsole can interfere with another administrator\u2019s access to the console. The\nattack complexity is low; there are no attack requirements. Privileges required\nto execute the attack are high and the victim must actively participate in the\nattack sequence. There is no impact to confidentiality or availability, there\nis a low impact to integrity."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T20:15:09.464Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-54089"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability in Secure Access prior to 14.10",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-54089",
"datePublished": "2025-10-02T20:15:09.464Z",
"dateReserved": "2025-07-16T17:10:03.453Z",
"dateUpdated": "2025-10-03T14:59:45.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54088 (GCVE-0-2025-54088)
Vulnerability from cvelistv5 – Published: 2025-10-02 20:10 – Updated: 2025-10-07 19:26
VLAI?
Title
Open Redirect in Secure Access prior to 14.10
Summary
CVE-2025-54088 is an open-redirect vulnerability in Secure
Access prior to version 14.10. Attackers with access to the console can
redirect victims to an arbitrary URL. The attack complexity is low, attack
requirements are present, no privileges are required, and users must actively
participate in the attack. Impact to confidentiality is low and there is no
impact to integrity or availability. There are high severity impacts to
confidentiality, integrity, availability in subsequent systems.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < <14.10
(server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T19:26:12.951361Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T19:26:28.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "\u003c14.10",
"status": "affected",
"version": "0",
"versionType": "server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-54088 is an open-redirect vulnerability in Secure\nAccess prior to version 14.10. Attackers with access to the console can\nredirect victims to an arbitrary URL. The attack complexity is low, attack\nrequirements are present, no privileges are required, and users must actively\nparticipate in the attack. Impact to confidentiality is low and there is no\nimpact to integrity or availability. There are high severity impacts to\nconfidentiality, integrity, availability in subsequent systems.\u003c/p\u003e"
}
],
"value": "CVE-2025-54088 is an open-redirect vulnerability in Secure\nAccess prior to version 14.10. Attackers with access to the console can\nredirect victims to an arbitrary URL. The attack complexity is low, attack\nrequirements are present, no privileges are required, and users must actively\nparticipate in the attack. Impact to confidentiality is low and there is no\nimpact to integrity or availability. There are high severity impacts to\nconfidentiality, integrity, availability in subsequent systems."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T20:10:52.425Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-54088"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open Redirect in Secure Access prior to 14.10",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-54088",
"datePublished": "2025-10-02T20:10:52.425Z",
"dateReserved": "2025-07-16T17:10:03.453Z",
"dateUpdated": "2025-10-07T19:26:28.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54087 (GCVE-0-2025-54087)
Vulnerability from cvelistv5 – Published: 2025-10-02 20:05 – Updated: 2025-10-07 19:27
VLAI?
Title
Server-side request forgery in Secure Access
Summary
CVE-2025-54087 is a server-side request forgery
vulnerability in Secure Access prior to version 14.10. Attackers with
administrative privileges can publish a crafted test HTTP request originating
from the Secure Access server. The attack complexity is high, there are no
attack requirements, and user interaction is required. There is no direct
impact to confidentiality, integrity, or availability. There is a low severity
subsequent system impact to integrity.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < <14.10
(server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T19:26:49.025936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T19:27:01.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Administrative Consile",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "\u003c14.10",
"status": "affected",
"version": "0",
"versionType": "server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-54087 is a server-side request forgery\nvulnerability in Secure Access prior to version 14.10. Attackers with\nadministrative privileges can publish a crafted test HTTP request originating\nfrom the Secure Access server. The attack complexity is high, there are no\nattack requirements, and user interaction is required. There is no direct\nimpact to confidentiality, integrity, or availability. There is a low severity\nsubsequent system impact to integrity. \u003c/p\u003e"
}
],
"value": "CVE-2025-54087 is a server-side request forgery\nvulnerability in Secure Access prior to version 14.10. Attackers with\nadministrative privileges can publish a crafted test HTTP request originating\nfrom the Secure Access server. The attack complexity is high, there are no\nattack requirements, and user interaction is required. There is no direct\nimpact to confidentiality, integrity, or availability. There is a low severity\nsubsequent system impact to integrity."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.8,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T20:05:38.092Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-54087"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server-side request forgery in Secure Access",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-54087",
"datePublished": "2025-10-02T20:05:38.092Z",
"dateReserved": "2025-07-16T17:10:03.453Z",
"dateUpdated": "2025-10-07T19:27:01.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54086 (GCVE-0-2025-54086)
Vulnerability from cvelistv5 – Published: 2025-10-02 19:56 – Updated: 2025-10-06 18:35
VLAI?
Title
Excess Permissions in Warehouse
Summary
CVE-2025-54086 is an excess permissions vulnerability in the
Warehouse component of Absolute Secure Access prior to version 14.10. Attackers
with access to the local file system can read the Java keystore file. The
attack complexity is low, there are no attack requirements, the privileges
required are low and no user interaction is required. Impact to confidentiality
is low, there is no impact to integrity or availability.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < <14.10
(server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54086",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T18:35:11.272236Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:35:14.588Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Warehouse",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "\u003c14.10",
"status": "affected",
"version": "0",
"versionType": "server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-54086 is an excess permissions vulnerability in the\nWarehouse component of Absolute Secure Access prior to version 14.10. Attackers\nwith access to the local file system can read the Java keystore file. The\nattack complexity is low, there are no attack requirements, the privileges\nrequired are low and no user interaction is required. Impact to confidentiality\nis low, there is no impact to integrity or availability. \u003c/p\u003e"
}
],
"value": "CVE-2025-54086 is an excess permissions vulnerability in the\nWarehouse component of Absolute Secure Access prior to version 14.10. Attackers\nwith access to the local file system can read the Java keystore file. The\nattack complexity is low, there are no attack requirements, the privileges\nrequired are low and no user interaction is required. Impact to confidentiality\nis low, there is no impact to integrity or availability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T19:56:37.373Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-54086"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Excess Permissions in Warehouse",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-54086",
"datePublished": "2025-10-02T19:56:37.373Z",
"dateReserved": "2025-07-16T17:10:03.453Z",
"dateUpdated": "2025-10-06T18:35:14.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49082 (GCVE-0-2025-49082)
Vulnerability from cvelistv5 – Published: 2025-07-30 23:45 – Updated: 2025-07-31 13:30
VLAI?
Title
Permissions bypass vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.56
Summary
CVE-2025-49082 is a vulnerability in the management console
of Absolute Secure Access prior to version 13.56. Attackers with administrative
access to the console and who have been assigned a certain set of permissions
can bypass those permissions to improperly read other settings. The attack
complexity is low, there are no preexisting attack requirements; the privileges
required are high, and there is no user interaction required. The impact to
system confidentiality is low, there is no impact to system availability or
integrity.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.56
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:28:59.442075Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T13:30:00.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Administrative Console",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.56",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-49082 is a vulnerability in the management console\nof Absolute Secure Access prior to version 13.56. Attackers with administrative\naccess to the console and who have been assigned a certain set of permissions\ncan bypass those permissions to improperly read other settings. The attack\ncomplexity is low, there are no preexisting attack requirements; the privileges\nrequired are high, and there is no user interaction required. The impact to\nsystem confidentiality is low, there is no impact to system availability or\nintegrity. \u003c/p\u003e"
}
],
"value": "CVE-2025-49082 is a vulnerability in the management console\nof Absolute Secure Access prior to version 13.56. Attackers with administrative\naccess to the console and who have been assigned a certain set of permissions\ncan bypass those permissions to improperly read other settings. The attack\ncomplexity is low, there are no preexisting attack requirements; the privileges\nrequired are high, and there is no user interaction required. The impact to\nsystem confidentiality is low, there is no impact to system availability or\nintegrity."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T23:45:30.677Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-49082"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Permissions bypass vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.56",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-49082",
"datePublished": "2025-07-30T23:45:30.677Z",
"dateReserved": "2025-05-30T18:23:44.238Z",
"dateUpdated": "2025-07-31T13:30:00.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54085 (GCVE-0-2025-54085)
Vulnerability from cvelistv5 – Published: 2025-07-30 23:40 – Updated: 2025-07-31 13:31
VLAI?
Title
Elevation of privilege vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.56
Summary
CVE-2025-54085 is a vulnerability in the management console
of Absolute Secure Access prior to version 13.56. Attackers with administrative
access to the console and who have been assigned a certain set of permissions
can bypass those permissions to improperly read or change other settings. The
attack complexity is low, there are no preexisting attack requirements; the
privileges required are high, and there is no user interaction required. The
impact to system confidentiality and integrity is low, there is no impact to
system availability.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.56
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:30:40.243410Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T13:31:58.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Administrative Console",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.56",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-54085 is a vulnerability in the management console\nof Absolute Secure Access prior to version 13.56. Attackers with administrative\naccess to the console and who have been assigned a certain set of permissions\ncan bypass those permissions to improperly read or change other settings. The\nattack complexity is low, there are no preexisting attack requirements; the\nprivileges required are high, and there is no user interaction required. The\nimpact to system confidentiality and integrity is low, there is no impact to\nsystem availability. \u003c/p\u003e"
}
],
"value": "CVE-2025-54085 is a vulnerability in the management console\nof Absolute Secure Access prior to version 13.56. Attackers with administrative\naccess to the console and who have been assigned a certain set of permissions\ncan bypass those permissions to improperly read or change other settings. The\nattack complexity is low, there are no preexisting attack requirements; the\nprivileges required are high, and there is no user interaction required. The\nimpact to system confidentiality and integrity is low, there is no impact to\nsystem availability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T23:40:28.441Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-54085"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Elevation of privilege vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.56",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-54085",
"datePublished": "2025-07-30T23:40:28.441Z",
"dateReserved": "2025-07-16T17:10:03.452Z",
"dateUpdated": "2025-07-31T13:31:58.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49084 (GCVE-0-2025-49084)
Vulnerability from cvelistv5 – Published: 2025-07-30 23:36 – Updated: 2025-07-31 13:33
VLAI?
Title
Elevation of privilege vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.56
Summary
CVE-2025-49084 is a vulnerability in the management console
of Absolute Secure Access prior to version 13.56. Attackers with administrative
access can overwrite policy rules without the requisite permissions. The attack
complexity is low, attack requirements are present, privileges required are
high and no user interaction is required. There is no impact to
confidentiality, the impact to integrity is low, and there is no impact to
availability. The impact to confidentiality and availability of subsequent systems
is high and the impact to the integrity of subsequent systems is low.
Severity ?
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolutee Security | Secure Access |
Affected:
0 , < 13.56
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:33:22.873986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T13:33:49.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Administrative Console",
"product": "Secure Access",
"vendor": "Absolutee Security",
"versions": [
{
"lessThan": "13.56",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-49084 is a vulnerability in the management console\nof Absolute Secure Access prior to version 13.56. Attackers with administrative\naccess can overwrite policy rules without the requisite permissions. The attack\ncomplexity is low, attack requirements are present, privileges required are\nhigh and no user interaction is required. There is no impact to\nconfidentiality, the impact to integrity is low, and there is no impact to\navailability. The impact to confidentiality and availability of subsequent systems\nis high and the impact to the integrity of subsequent systems is low. \u003c/p\u003e"
}
],
"value": "CVE-2025-49084 is a vulnerability in the management console\nof Absolute Secure Access prior to version 13.56. Attackers with administrative\naccess can overwrite policy rules without the requisite permissions. The attack\ncomplexity is low, attack requirements are present, privileges required are\nhigh and no user interaction is required. There is no impact to\nconfidentiality, the impact to integrity is low, and there is no impact to\navailability. The impact to confidentiality and availability of subsequent systems\nis high and the impact to the integrity of subsequent systems is low."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T23:36:17.426Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-49084"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Elevation of privilege vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.56",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-49084",
"datePublished": "2025-07-30T23:36:17.426Z",
"dateReserved": "2025-05-30T18:23:44.238Z",
"dateUpdated": "2025-07-31T13:33:49.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49083 (GCVE-0-2025-49083)
Vulnerability from cvelistv5 – Published: 2025-07-30 23:30 – Updated: 2025-07-31 13:37
VLAI?
Title
Data deserialization vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.56
Summary
CVE-2025-49083 is a vulnerability in the management console
of Absolute Secure Access after version 12.00 and prior to version 13.56.
Attackers with administrative access to the console can cause unsafe content to
be deserialized and executed in the security context of the console. The attack
complexity is low and there are no attack requirements. Privileges required are
high and there is no user interaction required. The impact to confidentiality
is low, impact to integrity is high and there is no impact to availability. The
impact to the confidentiality and integrity of subsequent systems is low and
there is no subsequent system impact to availability.
Severity ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
12.00 , < 13.56
(Server Version)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:35:20.525138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T13:37:21.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.56",
"status": "affected",
"version": "12.00",
"versionType": "Server Version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCVE-2025-49083 is a vulnerability in the management console\nof Absolute Secure Access after version 12.00 and prior to version 13.56.\nAttackers with administrative access to the console can cause unsafe content to\nbe deserialized and executed in the security context of the console. The attack\ncomplexity is low and there are no attack requirements. Privileges required are\nhigh and there is no user interaction required. The impact to confidentiality\nis low, impact to integrity is high and there is no impact to availability. The\nimpact to the confidentiality and integrity of subsequent systems is low and\nthere is no subsequent system impact to availability. \u003c/p\u003e"
}
],
"value": "CVE-2025-49083 is a vulnerability in the management console\nof Absolute Secure Access after version 12.00 and prior to version 13.56.\nAttackers with administrative access to the console can cause unsafe content to\nbe deserialized and executed in the security context of the console. The attack\ncomplexity is low and there are no attack requirements. Privileges required are\nhigh and there is no user interaction required. The impact to confidentiality\nis low, impact to integrity is high and there is no impact to availability. The\nimpact to the confidentiality and integrity of subsequent systems is low and\nthere is no subsequent system impact to availability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T23:30:52.664Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-49083"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Data deserialization vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.56",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-49083",
"datePublished": "2025-07-30T23:30:52.664Z",
"dateReserved": "2025-05-30T18:23:44.238Z",
"dateUpdated": "2025-07-31T13:37:21.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49081 (GCVE-0-2025-49081)
Vulnerability from cvelistv5 – Published: 2025-06-12 17:25 – Updated: 2025-06-12 17:59
VLAI?
Title
Input validation vulnerability in the Secure Access prior to version 13.55
Summary
There is an insufficient input validation vulnerability in the warehouse
component of Absolute Secure Access prior to server version 13.55. Attackers
with system administrator permissions can impair the availability of the Secure
Access administrative UI by writing invalid data to the warehouse over the
network. The attack complexity is low, there are no attack requirements,
privileges required are high, and there is no user interaction required. There
is no impact on confidentiality or integrity; the impact on availability is
high.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.55
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T17:58:19.597138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T17:59:46.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Warehouse",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.55",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is an insufficient input validation vulnerability in the warehouse\ncomponent of Absolute Secure Access prior to server version 13.55. Attackers\nwith system administrator permissions can impair the availability of the Secure\nAccess administrative UI by writing invalid data to the warehouse over the\nnetwork. The attack complexity is low, there are no attack requirements,\nprivileges required are high, and there is no user interaction required. There\nis no impact on confidentiality or integrity; the impact on availability is\nhigh.\u003c/p\u003e"
}
],
"value": "There is an insufficient input validation vulnerability in the warehouse\ncomponent of Absolute Secure Access prior to server version 13.55. Attackers\nwith system administrator permissions can impair the availability of the Secure\nAccess administrative UI by writing invalid data to the warehouse over the\nnetwork. The attack complexity is low, there are no attack requirements,\nprivileges required are high, and there is no user interaction required. There\nis no impact on confidentiality or integrity; the impact on availability is\nhigh."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T17:25:47.812Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-49081"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Input validation vulnerability in the Secure Access prior to version 13.55",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-49081",
"datePublished": "2025-06-12T17:25:47.812Z",
"dateReserved": "2025-05-30T18:23:44.238Z",
"dateUpdated": "2025-06-12T17:59:46.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49080 (GCVE-0-2025-49080)
Vulnerability from cvelistv5 – Published: 2025-06-12 17:08 – Updated: 2025-06-17 18:17
VLAI?
Title
Memory management vulnerability in Absolute Secure Access server versions 9.0 to 13.54
Summary
There is a memory management vulnerability in Absolute
Secure Access server versions 9.0 to 13.54. Attackers with network access to
the server can cause a Denial of Service by sending a specially crafted
sequence of packets to the server. The attack complexity is low, there are no
attack requirements, privileges, or user interaction required. Loss of
availability is high; there is no impact on confidentiality or integrity.
Severity ?
CWE
- CWE-762 - Mismatched Memory Management Routines
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
9.0 , < 13.54
(Server Version)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T17:12:45.895406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-762",
"description": "CWE-762 Mismatched Memory Management Routines",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T18:17:08.994Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Secure Access Server",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.54",
"status": "affected",
"version": "9.0",
"versionType": "Server Version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is a memory management vulnerability in Absolute\nSecure Access server versions 9.0 to 13.54. Attackers with network access to\nthe server can cause a Denial of Service by sending a specially crafted\nsequence of packets to the server. The attack complexity is low, there are no\nattack requirements, privileges, or user interaction required. Loss of\navailability is high; there is no impact on confidentiality or integrity.\u003c/p\u003e"
}
],
"value": "There is a memory management vulnerability in Absolute\nSecure Access server versions 9.0 to 13.54. Attackers with network access to\nthe server can cause a Denial of Service by sending a specially crafted\nsequence of packets to the server. The attack complexity is low, there are no\nattack requirements, privileges, or user interaction required. Loss of\navailability is high; there is no impact on confidentiality or integrity."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T17:08:50.086Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-49080"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Memory management vulnerability in Absolute Secure Access server versions 9.0 to 13.54",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-49080",
"datePublished": "2025-06-12T17:08:50.086Z",
"dateReserved": "2025-05-30T18:23:44.238Z",
"dateUpdated": "2025-06-17T18:17:08.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27706 (GCVE-0-2025-27706)
Vulnerability from cvelistv5 – Published: 2025-05-28 21:01 – Updated: 2025-05-28 23:55
VLAI?
Title
Cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.54
Summary
CVE-2025-27706 is a cross-site scripting vulnerability in the management
console of Absolute Secure Access prior to version 13.54. Attackers
with system administrator permissions can interfere with another system
administrator’s use of the management console when the second
administrator visits the page. Attack complexity is low, there are no
preexisting attack requirements, privileges required are high and active
user interaction is required. There is no impact on confidentiality,
the impact on integrity is low and there is no impact on availability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.54
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T23:54:24.614310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T23:55:03.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Management Console",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.54",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2025-27706 is a cross-site scripting vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith system administrator permissions can interfere with another system \nadministrator\u2019s use of the management console when the second \nadministrator visits the page. Attack complexity is low, there are no \npreexisting attack requirements, privileges required are high and active\n user interaction is required. There is no impact on confidentiality, \nthe impact on integrity is low and there is no impact on availability."
}
],
"value": "CVE-2025-27706 is a cross-site scripting vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith system administrator permissions can interfere with another system \nadministrator\u2019s use of the management console when the second \nadministrator visits the page. Attack complexity is low, there are no \npreexisting attack requirements, privileges required are high and active\n user interaction is required. There is no impact on confidentiality, \nthe impact on integrity is low and there is no impact on availability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T21:01:08.548Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/vulnerability-archive/cve-2025-27706"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.54",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-27706",
"datePublished": "2025-05-28T21:01:08.548Z",
"dateReserved": "2025-03-05T23:12:09.705Z",
"dateUpdated": "2025-05-28T23:55:03.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27703 (GCVE-0-2025-27703)
Vulnerability from cvelistv5 – Published: 2025-05-28 20:56 – Updated: 2025-05-28 23:57
VLAI?
Title
Privilege escalation in the management console of Absolute Secure Access prior to version 13.54
Summary
CVE-2025-27703 is a privilege escalation vulnerability in the management
console of Absolute Secure Access prior to version 13.54. Attackers
with administrative access to a specific subset of privileged features
in the console can elevate their permissions to access additional
features in the console. The attack complexity is low, there are no
preexisting attack requirements; the privileges required are high, and
there is no user interaction required. The impact to system
confidentiality is low, the impact to system integrity is high and the
impact to system availability is low.
Severity ?
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.54
(Server)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T23:55:37.117764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T23:57:51.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Administrative Console",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.54",
"status": "affected",
"version": "0",
"versionType": "Server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2025-27703 is a privilege escalation vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith administrative access to a specific subset of privileged features \nin the console can elevate their permissions to access additional \nfeatures in the console. The attack complexity is low, there are no \npreexisting attack requirements; the privileges required are high, and \nthere is no user interaction required. The impact to system \nconfidentiality is low, the impact to system integrity is high and the \nimpact to system availability is low."
}
],
"value": "CVE-2025-27703 is a privilege escalation vulnerability in the management\n console of Absolute Secure Access prior to version 13.54. Attackers \nwith administrative access to a specific subset of privileged features \nin the console can elevate their permissions to access additional \nfeatures in the console. The attack complexity is low, there are no \npreexisting attack requirements; the privileges required are high, and \nthere is no user interaction required. The impact to system \nconfidentiality is low, the impact to system integrity is high and the \nimpact to system availability is low."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T20:56:53.459Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/vulnerability-archive/cve-2025-27703"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Privilege escalation in the management console of Absolute Secure Access prior to version 13.54",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-27703",
"datePublished": "2025-05-28T20:56:53.459Z",
"dateReserved": "2025-03-05T23:12:09.704Z",
"dateUpdated": "2025-05-28T23:57:51.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27702 (GCVE-0-2025-27702)
Vulnerability from cvelistv5 – Published: 2025-05-28 20:42 – Updated: 2025-05-28 23:54
VLAI?
Title
Permissions bypass in the management console of Absolute Secure Access prior to version 13.54
Summary
CVE-2025-27702 is a vulnerability in the management console of Absolute
Secure Access prior to version 13.54. Attackers with administrative
access to the console and who have been assigned a certain set of
permissions can bypass those permissions to improperly modify settings.
The attack complexity is low, there are no preexisting attack
requirements; the privileges required are high, and there is no user
interaction required. There is no impact to system confidentiality or
availability, impact to system integrity is high.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , < 13.54
(Server Version)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T23:49:57.998713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T23:54:02.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Management Console",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "13.54",
"status": "affected",
"version": "0",
"versionType": "Server Version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2025-27702 is a vulnerability in the management console of Absolute \nSecure Access prior to version 13.54. Attackers with administrative \naccess to the console and who have been assigned a certain set of \npermissions can bypass those permissions to improperly modify settings. \nThe attack complexity is low, there are no preexisting attack \nrequirements; the privileges required are high, and there is no user \ninteraction required. There is no impact to system confidentiality or \navailability, impact to system integrity is high."
}
],
"value": "CVE-2025-27702 is a vulnerability in the management console of Absolute \nSecure Access prior to version 13.54. Attackers with administrative \naccess to the console and who have been assigned a certain set of \npermissions can bypass those permissions to improperly modify settings. \nThe attack complexity is low, there are no preexisting attack \nrequirements; the privileges required are high, and there is no user \ninteraction required. There is no impact to system confidentiality or \navailability, impact to system integrity is high."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T20:42:34.657Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/vulnerability-archive/cve-2025-27702"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Permissions bypass in the management console of Absolute Secure Access prior to version 13.54",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-27702",
"datePublished": "2025-05-28T20:42:34.657Z",
"dateReserved": "2025-03-05T23:12:09.704Z",
"dateUpdated": "2025-05-28T23:54:02.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6364 (GCVE-0-2024-6364)
Vulnerability from cvelistv5 – Published: 2025-05-13 17:00 – Updated: 2025-05-13 17:37
VLAI?
Title
Server Identity Validation Bypass in Absolute Persistence®
Summary
A vulnerability in Absolute Persistence® versions before 2.8 exists when it is not activated. This may allow a skilled attacker with both physical access to the device, and full hostile network control, to initiate OS commands on the device. To remediate this vulnerability, update the device firmware to the latest available version. Please contact the device manufacturer for upgrade instructions or contact Absolute Security, see reference below.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Absolute Persistence |
Affected:
0 , < 2.8
(Absolute Persistence)
|
Credits
Denis Faiustov, GMO Cybersecurity by Ierae
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6364",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T17:37:41.294539Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T17:37:58.419Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Absolute Persistence",
"vendor": "Absolute Security",
"versions": [
{
"lessThan": "2.8",
"status": "affected",
"version": "0",
"versionType": "Absolute Persistence"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Denis Faiustov, GMO Cybersecurity by Ierae"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(248, 248, 248);\"\u003eA vulnerability in Absolute Persistence\u00ae versions before 2.8 exists when it is not activated. This may allow a skilled attacker with both physical access to the device, and full hostile network control, to initiate OS commands on the device. To remediate this vulnerability, update the device firmware to the latest available version. Please contact the device manufacturer for upgrade instructions or contact Absolute Security, see reference below.\u003c/span\u003e"
}
],
"value": "A vulnerability in Absolute Persistence\u00ae versions before 2.8 exists when it is not activated. This may allow a skilled attacker with both physical access to the device, and full hostile network control, to initiate OS commands on the device. To remediate this vulnerability, update the device firmware to the latest available version. Please contact the device manufacturer for upgrade instructions or contact Absolute Security, see reference below."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "PHYSICAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T17:22:47.858Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/vulnerability-archive/cve-2024-6364"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server Identity Validation Bypass in Absolute Persistence\u00ae",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2024-6364",
"datePublished": "2025-05-13T17:00:07.443Z",
"dateReserved": "2024-06-26T22:42:45.308Z",
"dateUpdated": "2025-05-13T17:37:58.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27705 (GCVE-0-2025-27705)
Vulnerability from cvelistv5 – Published: 2025-03-19 19:15 – Updated: 2025-03-19 20:06
VLAI?
Summary
There is a cross-site scripting vulnerability in the Secure
Access administrative console of Absolute Secure Access prior to version 13.53.
Attackers with system administrator permissions can interfere with another
system administrator’s use of the management console when the second
administrator logs in. Attack complexity is high, attack requirements are
present, privileges required are none, user interaction is required. The impact
to confidentiality is low, the impact to availability is none, and the impact
to system integrity is none.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Absolute Security | Secure Access |
Affected:
0 , ≤ 13.52
(Server version)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T20:06:22.201624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T20:06:42.594Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Access",
"vendor": "Absolute Security",
"versions": [
{
"lessThanOrEqual": "13.52",
"status": "affected",
"version": "0",
"versionType": "Server version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThere is a cross-site scripting vulnerability in the Secure\nAccess administrative console of Absolute Secure Access prior to version 13.53.\nAttackers with system administrator permissions can interfere with another\nsystem administrator\u2019s use of the management console when the second\nadministrator logs in. Attack complexity is high, attack requirements are\npresent, privileges required are none, user interaction is required. The impact\nto confidentiality is low, the impact to availability is none, and the impact\nto system integrity is none.\u003c/p\u003e"
}
],
"value": "There is a cross-site scripting vulnerability in the Secure\nAccess administrative console of Absolute Secure Access prior to version 13.53.\nAttackers with system administrator permissions can interfere with another\nsystem administrator\u2019s use of the management console when the second\nadministrator logs in. Attack complexity is high, attack requirements are\npresent, privileges required are none, user interaction is required. The impact\nto confidentiality is low, the impact to availability is none, and the impact\nto system integrity is none."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T19:15:08.265Z",
"orgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"shortName": "Absolute"
},
"references": [
{
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1353/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to server version 13.53"
}
],
"value": "Upgrade to server version 13.53"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b6533044-ea05-4482-8458-7bddeca0d079",
"assignerShortName": "Absolute",
"cveId": "CVE-2025-27705",
"datePublished": "2025-03-19T19:15:08.265Z",
"dateReserved": "2025-03-05T23:12:09.705Z",
"dateUpdated": "2025-03-19T20:06:42.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}