Lenovo

All CVEs

486 total · sorted by risk
  • CVE-2025-10699 · Med · Oct 15, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability was reported in the Lenovo LeCloud client application that, under certain conditions, could allow information disclosure.

  • CVE-2025-1479 · Med · May 30, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    An open debug interface was reported in the Legion Space software included on certain Legion devices that could allow a local attacker to execute arbitrary code.

  • CVE-2024-27909 · Med · Apr 5, 2024
    risk 0.32 · cvss 4.9 · epss 0.01

    A denial of service vulnerability was reported in the HTTPS service of some Lenovo Printers that could result in a system reboot.

  • CVE-2016-8226 · Med · Jan 26, 2017
    risk 0.32 · cvss 4.9 · epss 0.01

    The BIOS in Lenovo System X M5, M6, and X6 systems allows administrators to cause a denial of service via updating a UEFI data structure.

  • CVE-2024-10254 · Med · Jan 14, 2025
    risk 0.31 · cvss 4.7 · epss 0.00

    A potential buffer overflow vulnerability was reported in PC Manager, Lenovo Browser, and Lenovo App Store that could allow a local attacker to cause a system crash.

  • CVE-2024-10253 · Med · Jan 14, 2025
    risk 0.31 · cvss 4.7 · epss 0.00

    A potential TOCTOU vulnerability was reported in PC Manager, Lenovo Browser, and Lenovo App Store that could allow a local attacker to cause a system crash.

  • CVE-2018-9081 · Med · Sep 28, 2018
    risk 0.31 · cvss 4.7 · epss 0.01

    For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file names used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting (self-XSS). As a result, adversaries can add files to shares accessible…

  • CVE-2017-3742 · Med · Jul 17, 2017
    risk 0.31 · cvss 4.8 · epss 0.00

    In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android, when an ad-hoc connection is made between two systems for the purpose of sharing files, the password for this ad-hoc connection will be stored in a user-readable location. An attacker…

  • CVE-2025-13453 · Med · Jan 14, 2026
    risk 0.30 · cvss 4.6 · epss 0.00

    A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive.

  • CVE-2024-11679 · Med · Apr 11, 2025
    risk 0.29 · cvss 4.4 · epss 0.00

    An input validation weakness was reported in the TpmSetup module for some legacy System x server products that could allow a local attacker with elevated privileges to read the contents of memory.

  • CVE-2016-8222 · Med · Nov 30, 2016
    risk 0.29 · cvss 4.4 · epss 0.00

    A vulnerability has been identified in a signed kernel driver for the BIOS of some ThinkPad systems that can allow an attacker with Windows administrator-level privileges to call System Management Mode (SMM) services. This could lead to a denial of service attack or allow…

  • CVE-2016-8224 · Med · Nov 29, 2016
    risk 0.29 · cvss 4.4 · epss 0.00

    A vulnerability has been identified in some Lenovo Notebook and ThinkServer systems where an attacker with administrative privileges on a system could install a program that circumvents Intel Management Engine (ME) protections. This could result in a denial of service or…

  • CVE-2026-7516 · Med · Jun 10, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability was identified in the Lenovo Android Application, distributed exclusively on tablets in the Chinese market, that could allow a website visited by the built-in browser to overwrite system clipboard contents.

  • CVE-2015-7269 · Med · Nov 27, 2017
    risk 0.27 · cvss 4.2 · epss 0.00

    Seagate ST500LT015 hard disk drives, when operating in eDrive mode on Lenovo ThinkPad W541 laptops with BIOS 2.21, allow physically proximate attackers to bypass self-encrypting drive (SED) protection by attaching a second SATA connector to exposed pins, maintaining an alternate…

  • CVE-2015-7267 · Med · Nov 27, 2017
    risk 0.27 · cvss 4.2 · epss 0.00

    Samsung 850 Pro and PM851 solid-state drives and Seagate ST500LT015 and ST500LT025 hard disk drives, when in sleep mode and operating in Opal or eDrive mode on Lenovo ThinkPad T440s laptops with BIOS 2.32; ThinkPad W541 laptops with BIOS 2.21; Dell Latitude E6410 laptops with…

  • CVE-2016-1490 · Med · Jan 26, 2016
    risk 0.27 · cvss 4.1 · epss 0.02

    The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows allows remote attackers to obtain sensitive file names via a crafted file request to /list.

  • CVE-2025-14058 · Low · Jan 14, 2026
    risk 0.21 · cvss 3.2 · epss 0.00

    A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled.

  • CVE-2017-3741 · Low · Jun 4, 2017
    risk 0.21 · cvss 3.3 · epss 0.00

    In the Lenovo Power Management driver before 1.67.12.24, a local user may alter the trackpoint's firmware and stop the trackpoint from functioning correctly. This issue only affects ThinkPad X1 Carbon 5th generation.

  • CVE-2025-6026 · Low · Oct 15, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    An improper certificate validation vulnerability was reported in the Lenovo Universal Device Client (UDC) that could allow a user capable of intercepting network traffic to obtain application metadata, including device information, geolocation, and telemetry data.

  • CVE-2024-4786 · Low · Jul 26, 2024
    risk 0.18 · cvss 2.8 · epss 0.00

    An improper validation vulnerability was reported in the Lenovo Tab K10 that could allow a specially crafted application to keep the device on.

  • CVE-2022-3699 · Oct 24, 2023
    risk 0.10 · cvss · epss 0.04

    A privilege escalation vulnerability was reported in the Lenovo HardwareScanPlugin prior to version 1.3.1.2 and Lenovo Diagnostics prior to version 4.45 that could allow a local user to execute code with elevated privileges.

  • CVE-2012-1195 · Feb 18, 2012
    risk 0.08 · cvss · epss 0.68

    Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup web service in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension via a…

  • CVE-2012-1196 · Feb 18, 2012
    risk 0.07 · cvss · epss 0.56

    Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to delete arbitrary files via a .. (dot dot) in the filename parameter in a SetTaskLogByFile SOAP request.

  • CVE-2019-6192 · Dec 10, 2019
    risk 0.03 · cvss · epss 0.02

    A potential vulnerability has been reported in Lenovo Power Management Driver versions prior to 1.67.17.48 leading to a buffer overflow which could cause a denial of service.

  • CVE-2015-2219 · May 12, 2015
    risk 0.03 · cvss · epss 0.04

    Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allows local users to gain privileges by sending a valid token with a command to the System Update service (SUService.exe) through an unspecified named pipe.

  • CVE-2013-1361 · Jan 21, 2014
    risk 0.01 · cvss · epss 0.06

    Untrusted search path vulnerability in Lenovo Thinkpad Bluetooth with Enhanced Data Rate Software 6.4.0.2900 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse DLL that is located in the…

  • CVE-2026-2640 · Mar 11, 2026
    risk 0.00 · cvss · epss 0.00

    During an internal security assessment, a potential vulnerability was discovered in Lenovo PC Manager that could allow a local authenticated user to terminate privileged processes.

  • CVE-2026-1717 · Mar 11, 2026
    risk 0.00 · cvss · epss 0.00

    An input validation vulnerability was reported in the LenovoProductivitySystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to terminate arbitrary processes with elevated privileges.

  • CVE-2026-1716 · Mar 11, 2026
    risk 0.00 · cvss · epss 0.00

    An input validation vulnerability was reported in the DeviceSettingsSystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to delete arbitrary registry keys with elevated privileges.

  • CVE-2026-1715 · Mar 11, 2026
    risk 0.00 · cvss · epss 0.00

    An input validation vulnerability was reported in the DeviceSettingsSystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to modify arbitrary registry keys with elevated privileges.

  • CVE-2026-0940 · Mar 11, 2026
    risk 0.00 · cvss · epss 0.00

    A potential improper initialization vulnerability was reported in the BIOS of some ThinkPads that could allow a local privileged user to modify data and execute arbitrary code.

  • CVE-2026-2368 · Mar 11, 2026
    risk 0.00 · cvss · epss 0.00

    An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to execute arbitrary code.

  • CVE-2026-1068 · Mar 11, 2026
    risk 0.00 · cvss · epss 0.00

    An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to obtain sensitive user data from the application.

  • CVE-2026-0520 · Mar 11, 2026
    risk 0.00 · cvss · epss 0.00

    A potential vulnerability was reported in the Lenovo FileZ Android application that, under certain conditions, could allow a local authenticated user to retrieve some sensitive data stored in a log file.

  • CVE-2025-63946 · Feb 23, 2026
    risk 0.00 · cvss · epss 0.00

    A privilege escalation (PE) vulnerability in the Tencent PC Manager app through 17.10.28554.205 on Windows devices enables a local user to execute programs with elevated privileges. However, execution requires that the local user is able to successfully exploit a race condition.

  • CVE-2025-8485 · Nov 12, 2025
    risk 0.00 · cvss · epss 0.00

    An improper permissions vulnerability was reported in Lenovo App Store that could allow a local authenticated user to execute code with elevated privileges during installation of an application.

  • CVE-2025-10581 · Oct 15, 2025
    risk 0.00 · cvss · epss 0.00

    A potential DLL hijacking vulnerability was discovered in the Lenovo PC Manager during an internal security assessment that could allow a local authenticated user to execute code with elevated privileges.

  • CVE-2025-8486 · Oct 15, 2025
    risk 0.00 · cvss · epss 0.00

    A potential vulnerability was reported in PC Manager that could allow a local authenticated user to execute code with elevated privileges.

  • CVE-2025-49728 · Sep 16, 2025
    risk 0.00 · cvss · epss 0.00

    Cleartext storage of sensitive information in Microsoft PC Manager allows an unauthorized attacker to bypass a security feature locally.

  • CVE-2025-53795 · Aug 21, 2025
    risk 0.00 · cvss · epss 0.01

    Improper authorization in Microsoft PC Manager allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2025-8098 · Aug 18, 2025
    risk 0.00 · cvss · epss 0.00

    An improper permission vulnerability was reported in Lenovo PC Manager that could allow a local attacker to escalate privileges.

  • CVE-2025-6232 · Jul 17, 2025
    risk 0.00 · cvss · epss 0.00

    An improper validation vulnerability was reported in Lenovo Vantage that under certain conditions could allow a local attacker to execute code with elevated permissions by modifying specific registry locations.

  • CVE-2025-6231 · Jul 17, 2025
    risk 0.00 · cvss · epss 0.00

    An improper validation vulnerability was reported in Lenovo Vantage that under certain conditions could allow a local attacker to execute code with elevated permissions by modifying an application configuration file.

  • CVE-2025-6230 · Jul 17, 2025
    risk 0.00 · cvss · epss 0.00

    A SQL injection vulnerability was reported in Lenovo Vantage that could allow a local attacker to modify the local SQLite database and execute limited SQLite commands.

  • CVE-2025-49738 · Jul 8, 2025
    risk 0.00 · cvss · epss 0.00

    Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.

  • CVE-2025-47993 · Jul 8, 2025
    risk 0.00 · cvss · epss 0.00

    Improper access control in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.

  • CVE-2025-2503 · May 30, 2025
    risk 0.00 · cvss · epss 0.00

    An improper permission handling vulnerability was reported in Lenovo PC Manager that could allow a local attacker to perform arbitrary file deletions as an elevated user.

  • CVE-2025-2502 · May 30, 2025
    risk 0.00 · cvss · epss 0.00

    An improper default permissions vulnerability was reported in Lenovo PC Manager that could allow a local attacker to elevate privileges.

  • CVE-2025-2501 · May 30, 2025
    risk 0.00 · cvss · epss 0.00

    An untrusted search path vulnerability was reported in Lenovo PC Manager that could allow a local attacker to elevate privileges.

  • CVE-2025-29975 · May 13, 2025
    risk 0.00 · cvss · epss 0.00

    Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.
