Export limit exceeded: 339475 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339475 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-36380 | 1 Sunhillo | 1 Sureline | 2025-11-05 | 9.8 Critical |
| Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr /cgi/networkDiag.cgi. | ||||
| CVE-2021-35464 | 1 Forgerock | 2 Access Management, Openam | 2025-11-05 | 9.8 Critical |
| ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier | ||||
| CVE-2024-39891 | 1 Twilio | 3 Authy, Authy 2-factor Authentication, Authy Authenticator | 2025-11-05 | 5.3 Medium |
| In the Twilio Authy API, accessed by Authy Android before 25.1.0 and Authy iOS before 26.1.0, an unauthenticated endpoint provided access to certain phone-number data, as exploited in the wild in June 2024. Specifically, the endpoint accepted a stream of requests containing phone numbers, and responded with information about whether each phone number was registered with Authy. (Authy accounts were not compromised, however.) | ||||
| CVE-2024-41710 | 1 Mitel | 31 6863i Sip, 6863i Sip Firmware, 6865i Sip and 28 more | 2025-11-05 | 6.8 Medium |
| A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system. | ||||
| CVE-2024-48248 | 1 Nakivo | 1 Backup \& Replication Director | 2025-11-05 | 8.6 High |
| NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials). | ||||
| CVE-2024-50603 | 1 Aviatrix | 1 Controller | 2025-11-05 | 10 Critical |
| An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test. | ||||
| CVE-2025-63563 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-11-05 | 6.5 Medium |
| Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 does not properly invalidate active user sessions after a password change. This allows an attacker with a valid session token to maintain access to the account even after the legitimate user changes their password. | ||||
| CVE-2025-12614 | 2 Mayurik, Sourcecodester | 2 Best House Rental Management System, Best House Rental Management System | 2025-11-05 | 4.7 Medium |
| A weakness has been identified in SourceCodester Best House Rental Management System 1.0. Impacted is the function delete_payment of the file /admin_class.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-50735 | 1 Nextchat | 1 Nextchat | 2025-11-05 | 7.5 High |
| Directory traversal vulnerability in NextChat thru 2.16.0 due to the WebDAV proxy failing to canonicalize or reject dot path segments in its catch-all route, allowing attackers to gain sensitive information via authenticated or anonymous WebDAV endpoints. | ||||
| CVE-2025-36172 | 1 Ibm | 1 Cloud Pak For Business Automation | 2025-11-05 | 6.4 Medium |
| IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 001, 24.0.1 through 24.0.1 Interim Fix 004, 24.0.0 through 24.0.0 Interim Fix 006, and earlier unsupported releases IBM Business Automation Workflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2025-57353 | 1 Nodejs | 2 Messageformat, Nodejs | 2025-11-05 | 5.3 Medium |
| The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle. | ||||
| CVE-2025-27041 | 1 Qualcomm | 127 Ar8035, Ar8035 Firmware, Fastconnect 6900 and 124 more | 2025-11-05 | 5.5 Medium |
| Transient DOS while processing video packets received from video firmware. | ||||
| CVE-2025-27045 | 1 Qualcomm | 37 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 34 more | 2025-11-05 | 6.1 Medium |
| Information disclosure while processing batch command execution in Video driver. | ||||
| CVE-2025-27049 | 1 Qualcomm | 63 Fastconnect 6700, Fastconnect 6700 Firmware, Fastconnect 6900 and 60 more | 2025-11-05 | 5.5 Medium |
| Transient DOS while processing IOCTL call for image encoding. | ||||
| CVE-2025-45663 | 1 Netsurf-browser | 1 Netsurf | 2025-11-05 | 6.5 Medium |
| An issue in NetSurf v3.11 causes the application to read uninitialized heap memory when creating a dom_event structure. | ||||
| CVE-2024-51317 | 1 Netsurf-browser | 1 Netsurf | 2025-11-05 | 6.5 Medium |
| An issue in NetSurf v.3.11 allows a remote attacker to execute arbitrary code via the dom_node_normalize function | ||||
| CVE-2025-29699 | 1 Netsurf-browser | 1 Netsurf | 2025-11-05 | 6.5 Medium |
| NetSurf 3.11 is vulnerable to Use After Free in dom_node_set_text_content function. | ||||
| CVE-2025-63442 | 1 Nababur | 1 Simple-user-management-system | 2025-11-05 | 4.6 Medium |
| Simple User Management System with PHP-MySQL v1.0 is vulnerable to Cross-Site Scripting (XSS) via the Profile Section. The system fails to properly sanitize user input, allowing attackers to inject and execute arbitrary JavaScript when the input is displayed in the browser | ||||
| CVE-2025-50363 | 1 Phpgurukul | 1 Maid Hiring Management System | 2025-11-05 | 5.4 Medium |
| Phpgurukul Maid Hiring Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in /maid-hiring.php va the name field. | ||||
| CVE-2024-50623 | 1 Cleo | 4 Harmomy, Harmony, Lexicom and 1 more | 2025-11-05 | 9.8 Critical |
| In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. | ||||