Export limit exceeded: 339825 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339825 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62365 | 1 Librenms | 1 Librenms | 2025-10-20 | 6.1 Medium |
| LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Prior to 25.7.0, there is a reflected-XSS in `report_this` function in `librenms/includes/functions.php`. The `report_this` function had improper filtering (`htmlentities` function was incorrectly use in a href environment), which caused the `project_issues` parameter to trigger an XSS vulnerability. This vulnerability is fixed in 25.7.0. | ||||
| CVE-2025-47784 | 1 Emlog | 1 Emlog | 2025-10-20 | 9.8 Critical |
| Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause `str_replace` to replace the value of `name_orig` with empty, causing deserialization to fail and return `false`. Commit 9643250802188b791419e3c2188577073256a8a2 fixes the issue. | ||||
| CVE-2025-57325 | 1 Rollbar | 1 Rollbar | 2025-10-20 | 7.5 High |
| rollbar is a package designed to effortlessly track and debug errors in JavaScript applications. This package includes advanced error tracking features and an intuitive interface to help you identify and fix issues more quickly. A Prototype Pollution vulnerability in the utility.set function of rollbar v2.26.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | ||||
| CVE-2025-57327 | 1 Spmjs | 1 Spmrc | 2025-10-20 | 7.5 High |
| spmrc is a package that provides the rc manager for spm. A Prototype Pollution vulnerability in the set and config function of spmrc version 1.2.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | ||||
| CVE-2025-57328 | 1 Jonschlinkert | 1 Toggle-array | 2025-10-20 | 7.5 High |
| toggle-array is a package designed to enables a property on the object at the specified index, while disabling the property on all other objects. A Prototype Pollution vulnerability in the enable and disable function of toggle-array v1.0.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | ||||
| CVE-2025-61930 | 1 Emlog | 1 Emlog | 2025-10-20 | 8.1 High |
| Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross‑Site Request Forgery (CSRF) on the password change endpoint. An attacker can trick a logged‑in administrator into submitting a crafted POST request to change the admin password without consent. Impact is account takeover of privileged users. Severity: High. As of time of publication, no known patched versions exist. | ||||
| CVE-2025-57329 | 1 Web3js | 1 Web3-core-method | 2025-10-20 | 7.5 High |
| web3-core-method is a package designed to creates the methods on the web3 modules. A Prototype Pollution vulnerability in the attachToObject function of web3-core-method version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | ||||
| CVE-2025-21067 | 1 Samsung | 2 Mobile Devices, Notes | 2025-10-20 | 4 Medium |
| Out-of-bounds read in the allocation of image buffer in Samsung Notes prior to version 4.4.30.63 allows local attackers to access out-of-bounds memory. | ||||
| CVE-2025-62292 | 1 Sonarsource | 1 Sonarqube | 2025-10-20 | 4.3 Medium |
| In SonarQube before 25.6, 2025.3 Commercial, and 2025.1.3 LTA, authenticated low-privileged users can query the /api/v2/users-management/users endpoint and obtain user fields intended for administrators only, including the email addresses of other accounts. | ||||
| CVE-2025-61871 | 2 Buffalo, Microsoft | 2 Navigator2, Windows | 2025-10-20 | N/A |
| NAS Navigator2 Windows version by BUFFALO INC. registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege. | ||||
| CVE-2025-21070 | 1 Samsung | 2 Mobile Devices, Notes | 2025-10-20 | 4 Medium |
| Out-of-bounds write in the SPI decoder in Samsung Notes prior to version 4.4.30.63 allows local attackers to write out-of-bounds memory. | ||||
| CVE-2025-21068 | 1 Samsung | 2 Mobile Devices, Notes | 2025-10-20 | 4 Medium |
| Out-of-bounds read in the reading of image data in Samsung Notes prior to version 4.4.30.63 allows local attackers to access out-of-bounds memory. | ||||
| CVE-2025-21069 | 1 Samsung | 2 Mobile Devices, Notes | 2025-10-20 | 4 Medium |
| Out-of-bounds read in the parsing of image data in Samsung Notes prior to version 4.4.30.63 allows local attackers to access out-of-bounds memory. | ||||
| CVE-2025-21066 | 1 Samsung | 2 Mobile Devices, Notes | 2025-10-20 | 4 Medium |
| Out-of-bounds read in the SPI decoder in Samsung Notes prior to version 4.4.30.63 allows local attackers to access out-of-bounds memory. | ||||
| CVE-2025-60306 | 1 Code-projects | 1 Simple Car Rental System | 2025-10-20 | 9.9 Critical |
| code-projects Simple Car Rental System 1.0 has a permission bypass issue where low privilege users can forge high privilege sessions and perform sensitive operations. | ||||
| CVE-2025-60308 | 2 Code-projects, Fabian | 2 Simple Online Hotel Reservation System, Simple Online Hotel Reservation System | 2025-10-20 | 4.1 Medium |
| code-projects Simple Online Hotel Reservation System 1.0 has a Cross Site Scripting (XSS) vulnerability in the Add Room function of the online hotel reservation system. Malicious JavaScript code is entered in the Description field, which can leak the administrator's cookie information when browsing this room information | ||||
| CVE-2025-60269 | 2 Huayi-tec, Jeewms | 2 Jeewms, Jeewms | 2025-10-20 | 9.4 Critical |
| JEEWMS 20250820 is vulnerable to SQL Injection in the exportXls function located in the src/main/java/org/jeecgframework/web/cgreport/controller/excel/CgExportExcelController.java file. | ||||
| CVE-2025-60268 | 2 Huayi-tec, Jeewms | 2 Jeewms, Jeewms | 2025-10-20 | 6.5 Medium |
| An arbitrary file upload vulnerability exists in JeeWMS 20250820, which is caused by the lack of file checking in the saveFiles function in /jeewms/cgUploadController.do. An attacker with normal privileges was able to upload a malicious file that would lead to remote code execution. | ||||
| CVE-2025-62159 | 1 External-secrets | 1 External-secrets | 2025-10-20 | N/A |
| External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously retrieved Kubernetes secrets directly, without validating the namespace context or the type of secret store. This allowed unauthorized cross-namespace secret access, violating security boundaries and potentially exposing sensitive credentials. In version 0.20.0, the provider code was updated to use the `resolvers.SecretKeyRef` utility, which enforces namespace validation and only allows cross-namespace access for `ClusterSecretStore` types. This ensures secrets are only retrieved from the correct namespace, mitigating the risk of unauthorized access. All users should upgrade to the latest version containing this fix. As a workaround, use a policy engine such as Kyverno or OPA to prevent using BeyondTrust provider and/or validate the `(Cluster)SecretStore` and ensure the namespace may only be set when using a `ClusterSecretStore`. | ||||
| CVE-2025-61927 | 1 Capricorn86 | 1 Happy-dom | 2025-10-20 | 8.3 High |
| Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality. It seems like what the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules. Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment. Version 20.0.0 patches the issue by changing JavaScript evaluation to be disabled by default. | ||||