Export limit exceeded: 339475 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339475 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-41655 | 2025-05-28 | 7.5 High | ||
| An unauthenticated remote attacker can access a URL which causes the device to reboot. | ||||
| CVE-2025-1985 | 2025-05-28 | 6.1 Medium | ||
| Due to improper neutralization of input during web page generation (XSS) an unauthenticated remote attacker can inject HTML code into the Web-UI in the affected device. | ||||
| CVE-2025-5117 | 2025-05-28 | 8.8 High | ||
| The Property plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the use of the property_package_user_role metadata in versions 1.0.5 to 1.0.6. This makes it possible for authenticated attackers, with Author‐level access and above, to elevate their privileges to that of an administrator by creating a package post whose property_package_user_role is set to administrator and then submitting the PayPal registration form. | ||||
| CVE-2025-48383 | 2025-05-28 | 8.2 High | ||
| Django-Select2 is a Django integration for Select2. Prior to version 8.4.1, instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret access tokens across requests. This can allow users to access restricted query sets and restricted data. This issue has been patched in version 8.4.1. | ||||
| CVE-2025-40911 | 2025-05-28 | 6.5 Medium | ||
| Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation. Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154. | ||||
| CVE-2025-23393 | 2025-05-28 | 5.2 Medium | ||
| A Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of arbitrary Javascript code on users machines.This issue affects Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3. | ||||
| CVE-2025-4800 | 2025-05-28 | 8.8 High | ||
| The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to a missing file type validation in the stm_lms_add_assignment_attachment function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. | ||||
| CVE-2025-41653 | 2025-05-28 | 7.5 High | ||
| An unauthenticated remote attacker can exploit a denial-of-service vulnerability in the device's web server functionality by sending a specially crafted HTTP request with a malicious header, potentially causing the server to crash or become unresponsive. | ||||
| CVE-2025-46805 | 2025-05-28 | 5.5 Medium | ||
| Screen version 5.0.0 and older version 4 releases have a TOCTOU race potentially allowing to send SIGHUP, SIGCONT to privileged processes when installed setuid-root. | ||||
| CVE-2025-40652 | 2025-05-28 | N/A | ||
| Stored Cross-Site Scripting (XSS) vulnerability in the CoverManager booking software. This allows an attacker to inject malicious scripts into the application, which are permanently stored on the server. The malicious scripts are executed in the browser of any user visiting the affected page without the user having to take any further action. This can allow the attacker to steal sensitive information, such as session cookies, login credentials, and perform actions on behalf of the affected user. | ||||
| CVE-2025-23394 | 2025-05-28 | 9.8 Critical | ||
| A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1. | ||||
| CVE-2025-41650 | 2025-05-28 | 7.5 High | ||
| An unauthenticated remote attacker can exploit input validation in cmd services of the devices, allowing them to disrupt system operations and potentially cause a denial-of-service. | ||||
| CVE-2025-41649 | 2025-05-28 | 7.5 High | ||
| An unauthenticated remote attacker can exploit insufficient input validation to write data beyond the bounds of a buffer, potentially leading to a denial-of-service condition for the devices. | ||||
| CVE-2025-2236 | 2025-05-28 | N/A | ||
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in OpenText Advanced Authentication allows Information Elicitation. The vulnerability could reveal sensitive information while managing and configuring of the external services. This issue affects Advanced Authentication versions before 6.5. | ||||
| CVE-2025-40653 | 2025-05-28 | N/A | ||
| User enumeration vulnerability in M3M Printer Server Web. This issue occurs during user authentication, where a difference in error messages could allow an attacker to determine whether a username is valid or not, allowing a brute force attack on valid usernames. | ||||
| CVE-2025-41651 | 2025-05-28 | 9.8 Critical | ||
| Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configuration files and leading to full system compromise. | ||||
| CVE-2025-4134 | 2025-05-28 | 7.3 High | ||
| Lack of file validation in do_update_vps in Avast Business Antivirus for Linux 4.5 on Linux allows local user to spoof or tamper with the update file via an unverified file write. | ||||
| CVE-2025-5082 | 2025-05-28 | 6.1 Medium | ||
| The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attachment_id’ parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-48735 | 2025-05-28 | 4.3 Medium | ||
| A SQL Injection issue in the request body processing in BOS IPCs with firmware 21.45.8.2.2_220219 before 21.45.8.2.3_230220 allows remote attackers to obtain sensitive information from the database via crafted input in the request body. | ||||
| CVE-2023-34873 | 2025-05-28 | N/A | ||
| On MOBOTIX P3 cameras before MX-V4.7.2.18 and Mx6 cameras before MX-V5.2.0.61, the tcpdump feature does not properly validate input, which allows authenticated users to execute code. | ||||