Export limit exceeded: 339475 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 339475 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339475 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4377 | 2025-05-12 | N/A | ||
| Improper Limitation of a Pathname caused a Path Traversal vulnerability in Sparx Systems Pro Cloud Server. This vulnerability is present in logview.php and it allows reading arbitrary files on the filesystem. Logview is accessible on Pro Cloud Server Configuration interface. This issue affects Pro Cloud Server: earlier than 6.0.165. | ||||
| CVE-2025-2253 | 2025-05-12 | 9.8 Critical | ||
| The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's passwords, including administrators if the users email is known. | ||||
| CVE-2025-47736 | 2025-05-12 | 2.9 Low | ||
| dialect/mod.rs in the libsql-sqlite3-parser crate through 0.13.0 before 14f422a for Rust can crash if the input is not valid UTF-8. | ||||
| CVE-2025-31946 | 2025-05-12 | 6.2 Medium | ||
| Pixmeo OsiriX MD is vulnerable to a local use after free scenario, which could allow an attacker to locally import a crafted DICOM file and cause memory corruption or a system crash. | ||||
| CVE-2025-27578 | 2025-05-12 | 7.5 High | ||
| Pixmeo OsiriX MD is vulnerable to a use after free scenario, which could allow an attacker to upload a crafted DICOM file and cause memory corruption leading to a denial-of-service condition. | ||||
| CVE-2024-12378 | 2025-05-12 | 9.1 Critical | ||
| On affected platforms running Arista EOS with secure Vxlan configured, restarting the Tunnelsec agent will result in packets being sent over the secure Vxlan tunnels in the clear. | ||||
| CVE-2024-11186 | 2025-05-12 | 10 Critical | ||
| On affected versions of the CloudVision Portal, improper access controls could enable a malicious authenticated user to take broader actions on managed EOS devices than intended. This advisory impacts the Arista CloudVision Portal products when run on-premise. It does not impact CloudVision as-a-Service. | ||||
| CVE-2025-46336 | 2025-05-12 | 4.2 Medium | ||
| Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1. | ||||
| CVE-2025-46833 | 2025-05-12 | N/A | ||
| Programs/P73_SimplePythonEncryption.py illustrates a simple Python encryption example using the RSA Algorithm. In versions prior to commit 6ce60b1, an attacker may be able to decrypt the data using brute force attacks and because of this the whole application can be impacted. This issue has been patched in commit 6ce60b1. A workaround involves increasing the key size, for RSA or DSA this is at least 2048 bits, for ECC this is at least 256 bits. | ||||
| CVE-2025-27720 | 2025-05-12 | 7.4 High | ||
| The Pixmeo Osirix MD Web Portal sends credential information without encryption, which could allow an attacker to steal credentials. | ||||
| CVE-2024-8100 | 2025-05-12 | 8.7 High | ||
| On affected versions of the Arista CloudVision Portal (CVP on-prem), the time-bound device onboarding token can be used to gain admin privileges on CloudVision. | ||||
| CVE-2025-4455 | 2025-05-12 | 7 High | ||
| A vulnerability was found in Patch My PC Home Updater up to 5.1.3.0. It has been rated as critical. This issue affects some unknown processing in the library advapi32.dll/BCrypt.dll/comctl32.dll/crypt32.dll/dwmapi.dll/gdi32.dll/gdiplus.dll/imm32.dll/iphlpapi.dll/kernel32.dll/mscms.dll/msctf.dll/ntdll.dll/ole32.dll/oleaut32.dll/PresentationNative_cor3.dll/secur32.dll/shcore.dll/shell32.dll/sspicli.dll/System.IO. The manipulation leads to uncontrolled search path. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-4375 | 2025-05-12 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Sparx Systems Pro Cloud Server allows Cross-Site Request Forgery to perform Session Hijacking. Cross-Site Request Forgery is present at the whole application but it can be used to change the Pro Cloud Server Configuration password. This issue affects Pro Cloud Server: earlier than 6.0.165. | ||||
| CVE-2025-4098 | 2025-05-12 | N/A | ||
| Horner Automation Cscape version 10.0 (10.0.415.2) SP1 is vulnerable to an out-of-bounds read vulnerability that could allow an attacker to disclose information and execute arbitrary code on affected installations of Cscape. | ||||
| CVE-2025-4534 | 2025-05-12 | 3.7 Low | ||
| A vulnerability, which was classified as problematic, has been found in SunGrow Logger1000 01_A. This issue affects some unknown processing. The manipulation leads to weak password requirements. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-4511 | 2025-05-12 | 6.3 Medium | ||
| A vulnerability was found in vector4wang spring-boot-quick up to 20250422. It has been rated as critical. This issue affects the function ResponseEntity of the file /spring-boot-quick-master/quick-img2txt/src/main/java/com/quick/controller/Img2TxtController.java of the component quick-img2txt. The manipulation leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-4403 | 2025-05-12 | 9.8 Critical | ||
| The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user‐supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-4532 | 2025-05-12 | 7 High | ||
| A vulnerability classified as critical has been found in Shanghai Bairui Information Technology SunloginClient 15.8.3.19819. This affects an unknown part in the library process.dll of the file sunlogin_guard.exe. The manipulation leads to uncontrolled search path. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-4206 | 2025-05-12 | 7.2 High | ||
| The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-3794 | 2025-05-12 | 5.4 Medium | ||
| The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the start_timestamp parameter in all versions up to, and including, 1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||