Export limit exceeded: 339475 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 339475 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339475 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-57699 | 2 Microsoft, Western Digital | 2 Windows, Kitfox | 2025-08-23 | N/A |
| Western Digital Kitfox for Windows provided by Western Digital Corporation registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with the SYSTEM privilege. | ||||
| CVE-2025-57771 | 1 Roocode | 1 Roo-code | 2025-08-23 | 8.1 High |
| Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to 3.25.5, Roo-Code fails to properly handle process substitution and single ampersand characters in the command parsing logic for auto-execute commands. If a user has enabled auto-approved execution for a command such as ls, an attacker who can submit crafted prompts to the agent may inject arbitrary commands to be executed alongside the intended command. Exploitation requires attacker access to submit prompts and for the user to have enabled auto-approved command execution, which is disabled by default. This vulnerability could allow an attacker to execute arbitrary code. The issue is fixed in version 3.25.5. | ||||
| CVE-2025-53363 | 1 Dpanel Project | 1 Dpanel | 2025-08-23 | N/A |
| dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing. | ||||
| CVE-2025-55627 | 1 Reolink | 1 Smart 2k+ Video Doorbel | 2025-08-23 | 5.3 Medium |
| Insufficient privilege verification in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows authenticated attackers to create accounts with elevated privileges. | ||||
| CVE-2025-55626 | 1 Reolink | 1 Smart 2k+ Video Doorbell | 2025-08-23 | 5.3 Medium |
| An Insecure Direct Object Reference (IDOR) vulnerability in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to access the Admin-only settings and edit the session storage. | ||||
| CVE-2025-55629 | 1 Reolink | 1 Smart 2k+ Video Doorbell | 2025-08-23 | 6.5 Medium |
| Insecure permissions in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allow attackers to arbitrarily change other users' passwords via manipulation of the userName value. | ||||
| CVE-2025-9304 | 2 Oretnom23, Sourcecodester | 2 Online Bank Management System, Online Bank Management System | 2025-08-23 | 7.3 High |
| A weakness has been identified in SourceCodester Online Bank Management System 1.0. Impacted is an unknown function of the file /bank/show.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be performed from a remote location. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-9302 | 1 Phpgurukul | 1 User Management System | 2025-08-23 | 7.3 High |
| A vulnerability was identified in PHPGurukul User Management System 1.0. This vulnerability affects unknown code of the file /signup.php. Such manipulation of the argument emailid leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. | ||||
| CVE-2025-9305 | 2 Oretnom23, Sourcecodester | 2 Online Bank Management System, Online Bank Management System | 2025-08-23 | 7.3 High |
| A security vulnerability has been detected in SourceCodester Online Bank Management System 1.0. The affected element is an unknown function of the file /bank/mnotice.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-9307 | 1 Phpgurukul | 1 Online Course Registration | 2025-08-23 | 7.3 High |
| A flaw has been found in PHPGurukul Online Course Registration 3.1. This affects an unknown function of the file /admin/session.php. This manipulation of the argument sesssion causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | ||||
| CVE-2025-53251 | 1 Wordpress | 1 Wordpress | 2025-08-23 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP allows Upload a Web Shell to a Web Server.This issue affects Pin WP: from n/a before 7.2. | ||||
| CVE-2025-55742 | 2 Unopim, Webkul | 2 Unopim, Unopim | 2025-08-23 | 8 High |
| UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, UnoPim contains a stored cross-site scripting vulnerability via SVG MIME/sanitizer bypass in the /admin/settings/users/create endpoint. This vulnerability is fixed in 0.2.1. | ||||
| CVE-2025-55744 | 2 Unopim, Webkul | 2 Unopim, Unopim | 2025-08-23 | 4.3 Medium |
| UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, some of the endpoints of the application is vulnerable to Cross site Request forgery (CSRF). This vulnerability is fixed in 0.2.1. | ||||
| CVE-2025-55743 | 2 Unopim, Webkul | 2 Unopim, Unopim | 2025-08-23 | 8.8 High |
| UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, the image upload at the user creation feature performs only client side file type validation. A user can capture the request by uploading an image, capture the request through a Proxy like Burp suite. Make changes to the file extension and content. The vulnerability is fixed in 0.2.1. | ||||
| CVE-2025-57751 | 1 Pyload | 1 Pyload | 2025-08-23 | N/A |
| pyLoad is the free and open-source Download Manager written in pure Python. The jk parameter is received in pyLoad CNL Blueprint. Due to the lack of jk parameter verification, the jk parameter input by the user is directly determined as dykpy.evaljs(), resulting in the server CPU being fully occupied and the web-ui becoming unresponsive. This vulnerability is fixed in 0.5.0b3.dev92. | ||||
| CVE-2009-20003 | 2 Microsoft, Xenorate | 2 Windows, Xenorate | 2025-08-23 | N/A |
| Xenorate versions up to and including 2.50, a Windows-based multimedia player, is vulnerable to a stack-based buffer overflow when processing .xpl playlist files. The application fails to properly validate the length of input data, allowing an attacker to craft a malicious .xpl file that overwrites the Structured Exception Handler (SEH) and enables arbitrary code execution. Exploitation requires local interaction, typically by convincing a user to open the crafted file. | ||||
| CVE-2009-20004 | 2 Galan, Microsoft | 2 Galan, Windows | 2025-08-23 | N/A |
| gAlan 0.2.1, a modular audio processing environment for Windows, is vulnerable to a stack-based buffer overflow when parsing .galan files. The application fails to properly validate the length of input data, allowing a specially crafted file to overwrite the stack and execute arbitrary code. Exploitation requires local interaction, typically by convincing a user to open the malicious file. | ||||
| CVE-2010-20115 | 2 Arcane Software, Microsoft | 2 Vermillion Ftp Daemon, Windows | 2025-08-23 | N/A |
| Arcane Software’s Vermillion FTP Daemon (vftpd) versions up to and including 1.31 contains a memory corruption vulnerability triggered by a malformed FTP PORT command. The flaw arises from an out-of-bounds array access during input parsing, allowing an attacker to manipulate stack memory and potentially execute arbitrary code. Exploitation requires direct access to the FTP service and is constrained by a single execution attempt if the daemon is installed as a Windows service. | ||||
| CVE-2025-57896 | 1 Wordpress | 1 Wordpress | 2025-08-23 | 5.3 Medium |
| Missing Authorization vulnerability in andy_moyle Church Admin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Church Admin: from n/a through 5.0.26. | ||||
| CVE-2025-57885 | 1 Wordpress | 1 Wordpress | 2025-08-23 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel Fluent Support allows Cross Site Request Forgery. This issue affects Fluent Support: from n/a through 1.9.1. | ||||