Export limit exceeded: 339825 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339825 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11705 | 2 Anti-malware Security And Brute-force Firewall Project, Wordpress | 2 Anti-malware Security And Brute-force Firewall, Wordpress | 2025-10-30 | 6.5 Medium |
| The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2025-11735 | 2 Realmag777, Wordpress | 2 Husky, Wordpress | 2025-10-30 | 7.5 High |
| The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to blind SQL Injection via the `phrase` parameter in all versions up to, and including, 1.3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-12310 | 1 Virtfusion | 1 Virtfusion | 2025-10-30 | 5.3 Medium |
| A security vulnerability has been detected in VirtFusion up to 6.0.2. This vulnerability affects unknown code of the file /account/_settings of the component Email Change Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12341 | 1 Ermig1979 | 1 Antidupl | 2025-10-30 | 7.8 High |
| A vulnerability was detected in ermig1979 AntiDupl up to 2.3.12. Impacted is an unknown function of the file AntiDupl.NET.WinForms.exe of the component Delete Duplicate Image Handler. The manipulation results in link following. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12342 | 1 Serdar Bayram | 1 Ghost Hot Spot | 2025-10-30 | 7.3 High |
| A flaw has been found in Serdar Bayram Ghost Hot Spot up to 20251014. The affected element is an unknown function of the file /Auth.php of the component Login. This manipulation causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12344 | 1 Yonyou | 2 U8+, Yonyou | 2025-10-30 | 6.3 Medium |
| A vulnerability has been found in Yonyou U8 Cloud up to 5.1sp. The impacted element is an unknown function of the file /service/NCloudGatewayServlet of the component Request Header Handler. Such manipulation of the argument ts/sign leads to unrestricted upload. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-27093 | 1 Bishopfox | 1 Sliver | 2025-10-30 | 6.3 Medium |
| Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.5.43 and earlier, and in development version 1.6.0-dev, the netstack does not limit traffic between Wireguard clients. This allows clients to communicate with each other unrestrictedly, potentially enabling leaked or recovered keypairs to be used to attack operators or allowing port forwardings to be accessible from other implants. | ||||
| CVE-2025-34318 | 1 Ipfire | 1 Ipfire | 2025-10-30 | N/A |
| IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD parameters when adding a new DNS entry. When a user adds a DNS entry, the application issues an HTTP POST request to /cgi-bin/dns.cgi and these values are provided in the corresponding parameters. The values are stored and later rendered in the web interface without proper sanitation or encoding, allowing injected scripts to execute in the context of other users who view the affected DNS configuration. | ||||
| CVE-2025-41090 | 1 Ccn-cert | 1 Microclaudia | 2025-10-30 | N/A |
| microCLAUDIA in v3.2.0 and prior has an improper access control vulnerability. This flaw allows an authenticated user to perform unauthorized actions on other organizations' systems by sending direct API requests. To do so, the attacker can use organization identifiers obtained through a compromised endpoint or deduced manually. This vulnerability allows access between tenants, enabling an attacker to list and manage remote assets, uninstall agents, and even delete vaccines configurations. | ||||
| CVE-2025-4665 | 2 Arshid, Wordpress | 2 Wordpress Contact Form Cfdb7, Wordpress | 2025-10-30 | 9.6 Critical |
| WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization (PHP Object Injection). The weakness arises due to insufficient validation of user input in plugin endpoints, allowing crafted input to influence backend queries in unexpected ways. Using specially crafted payloads, this can escalate into unsafe deserialization, enabling arbitrary object injection in PHP. Although the issue is remotely exploitable without authentication, it does require a crafted interaction with the affected endpoint in order to trigger successfully. | ||||
| CVE-2025-55758 | 2 Jdownloads, Joomla | 3 Jdownloads, Joomla, Joomla! | 2025-10-30 | 5.4 Medium |
| Multiple CSRF attack vectors in JDownloads component 1.0.0-4.0.47 for Joomla were discovered. | ||||
| CVE-2025-56399 | 2 Alexusmai, Laravel | 2 Laravel-file-manager, Laravel | 2025-10-30 | 8.8 High |
| alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code. | ||||
| CVE-2025-60349 | 1 Prevx | 1 Prevx | 2025-10-30 | 7.5 High |
| An issue was discovered in Prevx v3.0.5.220 allowing attackers to cause a denial of service via sending IOCTL code 0x22E044 to the pxscan.sys driver. Any processes listed under registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files will be terminated. | ||||
| CVE-2025-60354 | 1 Shimh-develop | 1 Blog-vue-springboot | 2025-10-30 | 7.5 High |
| Unauthorized modification of arbitrary articles vulnerability exists in blog-vue-springboot. | ||||
| CVE-2025-60805 | 1 Bessystem | 1 Application Server | 2025-10-30 | 7.5 High |
| An issue was discovered in BESSystem BES Application Server thru 9.5.x allowing unauthorized attackers to gain sensitive information via the "pre-resource" option in bes-web.xml. | ||||
| CVE-2025-60858 | 1 Reolink | 1 Video Doorbell | 2025-10-30 | 7.5 High |
| Reolink Video Doorbell Wi-Fi DB_566128M5MP_W stores and transmits DDNS credentials in plaintext within its configuration and update scripts, allowing attackers to intercept or extract sensitive information. | ||||
| CVE-2025-61043 | 1 Monkeysaudio | 1 Monkeys Audio | 2025-10-30 | 9.1 Critical |
| An out-of-bounds read vulnerability has been discovered in Monkey's Audio 11.31, specifically in the CAPECharacterHelper::GetUTF16FromUTF8 function. The issue arises from improper handling of the length of the input UTF-8 string, causing the function to read past the memory boundary. This vulnerability may result in a crash or expose sensitive data. | ||||
| CVE-2025-61080 | 1 Clear2pay | 1 Bank Visibility Application | 2025-10-30 | 5.4 Medium |
| A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Clear2Pay Bank Visibility Application - Payment Execution 1.10.0.104 via the ID parameter in the URL. | ||||
| CVE-2025-61128 | 1 Wavlink | 3 M30hg3 V240730, Quantum D3g, Wl-wn530hg3 | 2025-10-30 | 9.1 Critical |
| Stack-based buffer overflow vulnerability in WAVLINK QUANTUM D3G/WL-WN530HG3 firmware M30HG3_V240730, and possibly other wavlink models allows attackers to execute arbitrary code via crafted referrer value POST to login.cgi. | ||||
| CVE-2025-61235 | 1 Paytef | 1 Dataphone A920 | 2025-10-30 | 9.1 Critical |
| An issue was discovered in Dataphone A920 v2025.07.161103. A custom packet based on public documentation can be crafted, where some fields can contain arbitrary or trivial data. Normally, such data should cause the device to reject the packet. However, due to a lack of validation, the device accepts it with no authetication and triggers the functionality instead. | ||||