Export limit exceeded: 339475 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339475 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-47627 | 2025-07-08 | 7.5 High | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LCweb PrivateContent - Mail Actions allows PHP Local File Inclusion. This issue affects PrivateContent - Mail Actions: from n/a through 2.3.2. | ||||
| CVE-2025-24748 | 2025-07-08 | 8.5 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup All In One Slider Responsive allows SQL Injection. This issue affects All In One Slider Responsive: from n/a through 3.7.9. | ||||
| CVE-2025-50032 | 2025-07-08 | 6.5 Medium | ||
| Missing Authorization vulnerability in Paytiko - Payment Orchestration Platform Paytiko for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paytiko for WooCommerce: from n/a through 1.3.14. | ||||
| CVE-2025-28969 | 2025-07-08 | 8.5 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cybio Gallery Widget allows SQL Injection. This issue affects Gallery Widget: from n/a through 1.2.1. | ||||
| CVE-2025-24780 | 2025-07-08 | 8.5 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce allows SQL Injection. This issue affects Printcart Web to Print Product Designer for WooCommerce: from n/a through 2.4.0. | ||||
| CVE-2025-53604 | 2025-07-08 | 4 Medium | ||
| The web-push crate before 0.10.3 for Rust allows a denial of service (memory consumption) in the built-in clients via a large integer in a Content-Length header. | ||||
| CVE-2025-7108 | 2025-07-08 | 5.4 Medium | ||
| A vulnerability classified as critical was found in risesoft-y9 Digital-Infrastructure up to 9.6.7. Affected by this vulnerability is the function deleteFile of the file /Digital-Infrastructure-9.6.7/y9-digitalbase-webapp/y9-module-filemanager/risenet-y9boot-webapp-filemanager/src/main/java/net/risesoft/y9public/controller/Y9FileController.java. The manipulation of the argument fullPath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-53532 | 2025-07-08 | 5.3 Medium | ||
| giscus is a commenting system powered by GitHub Discussions. A bug in giscus' discussions creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own self-hosted service. This vulnerability is fixed by the c43af7806e65adfcf4d0feeebef76dc36c95cb9a and 4b9745fe1a326ce08d69f8a388331bc993d19389 commits. | ||||
| CVE-2025-53373 | 2025-07-08 | N/A | ||
| Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b. | ||||
| CVE-2025-24508 | 2025-07-08 | 6.4 Medium | ||
| Extraction of Account Connectivity Credentials (ACCs) from the IT Management Agent secure storage | ||||
| CVE-2025-53473 | 2025-07-08 | N/A | ||
| Server-side request forgery (SSRF) vulnerability exists n multiple versions of Nimesa Backup and Recovery, If this vulnerability is exploited, unintended requests may be sent to internal servers. | ||||
| CVE-2025-53543 | 2025-07-08 | 4.2 Medium | ||
| Kestra is an event-driven orchestration platform. The error message in execution "Overview" tab is vulnerable to stored XSS due to improper handling of HTTP response received. This vulnerability is fixed in 0.22.0. | ||||
| CVE-2025-3920 | 2025-07-08 | N/A | ||
| A vulnerability was identified in SUR-FBD CMMS where hard-coded credentials were found within a compiled DLL file. These credentials correspond to a built-in administrative account of the software. An attacker with local access to the system or the application's installation directory could extract these credentials, potentially leading to a complete compromise of the application's administrative functions. This issue was fixed in version 2025.03.27 of the SUR-FBD CMMS software. | ||||
| CVE-2025-3705 | 2025-07-08 | 6.8 Medium | ||
| A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive. | ||||
| CVE-2025-53487 | 2025-07-08 | 5.4 Medium | ||
| The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes crafted message keys to be rendered unescaped. This issue affects Mediawiki - ApprovedRevs extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-53486 | 2025-07-08 | 5.4 Medium | ||
| The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud. The vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement. This issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-53478 | 2025-07-08 | 5.4 Medium | ||
| The CheckUser extension’s Special:Investigate interface is vulnerable to reflected XSS due to improper escaping of certain internationalized system messages rendered on the “IPs and User agents” tab. This issue affects Mediawiki - CheckUser extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-3626 | 2025-07-08 | 9.1 Critical | ||
| A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI. | ||||
| CVE-2025-48501 | 2025-07-08 | N/A | ||
| An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, an arbitrary OS commands may be executed on the server where the product is running. | ||||
| CVE-2025-5333 | 2025-07-08 | N/A | ||
| Remote attackers can execute arbitrary code in the context of the vulnerable service process. | ||||