Total: 319 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-56524 | 1 Radware | 1 Cloud Waf | 2025-07-01 | N/A | 9.1 CRITICAL | Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by adding a special character to the request.
CVE-2024-47224 | 1 Mitel | 1 Micollab | 2025-06-24 | N/A | 6.5 MEDIUM | A vulnerability in the AWV (Audio, Web and Video Conferencing) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a CRLF injection attack due to inadequate encoding of user input in URLs. A successful exploit could allow an attacker to perform a phishing attack.
CVE-2024-0233 | 1 Myeventon | 1 Eventon | 2025-06-20 | N/A | 6.1 MEDIUM | The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not properly sanitise and escape a parameter before outputting it back in pages, leading to Reflected Cross-Site Scripting that could be used against high-privilege users such as admins.
CVE-2023-6005 | 1 Myeventon | 1 Eventon | 2025-06-20 | N/A | 4.8 MEDIUM | The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not sanitize and escape some of their settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2024-1874 | 2 Fedoraproject, Php | 2 Fedora, Php | 2025-06-18 | N/A | 9.4 CRITICAL | In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, and 8.3.* before 8.3.5, when using the proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in the Windows shell.
CVE-2024-34510 | 1 Gradio Project | 1 Gradio | 2025-06-17 | N/A | 7.5 HIGH | Gradio before 4.20 allows credential leakage on Windows.
CVE-2025-49013 | | | 2025-06-12 | N/A | 9.9 CRITICAL | WilderForge is a Wildermyth coremodding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue arises from unsafe usage of `${{ github.event.review.body }}` and other user-controlled variables directly inside shell script contexts in GitHub Actions workflows. This introduces a code injection vulnerability: a malicious actor submitting a crafted pull request review containing shell metacharacters or commands could execute arbitrary shell code on the GitHub Actions runner. This can lead to arbitrary command execution with the permissions of the workflow, potentially compromising CI infrastructure, secrets, and build outputs. Developers who maintain or contribute to the repos WilderForge/WilderForge, WilderForge/ExampleMod, WilderForge/WilderWorkspace, WilderForge/WildermythGameProvider, WilderForge/AutoSplitter, WilderForge/SpASM, WilderForge/thrixlvault, WilderForge/MassHash, and/or WilderForge/DLC_Disabler, as well as users who fork any of the above repositories and reuse affected GitHub Actions workflows, are affected. End users of any of the above software and users who only install pre-built releases or artifacts are not affected. This vulnerability does not impact runtime behavior of the software or compiled outputs unless those outputs were produced during exploitation of this vulnerability. A current workaround is to disable GitHub Actions in affected repositories, or remove the affected workflows.
CVE-2023-52102 | 1 Huawei | 2 Emui, Harmonyos | 2025-06-11 | N/A | 7.5 HIGH | Vulnerability of parameters not being verified in the WMS module. Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-52098 | 1 Huawei | 2 Emui, Harmonyos | 2025-06-11 | N/A | 7.5 HIGH | Denial of Service (DoS) vulnerability in the DMS module. Successful exploitation of this vulnerability will affect availability.
CVE-2025-5271 | 1 Mozilla | 1 Firefox | 2025-06-11 | N/A | 6.5 MEDIUM | Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability affects Firefox < 139 and Thunderbird < 139.
CVE-2021-25254 | 1 Yandex | 1 Yandex Browser | 2025-06-10 | N/A | 5.3 MEDIUM | Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.
CVE-2021-25262 | 2 Google, Yandex | 2 Android, Yandex Browser | 2025-06-10 | N/A | 5.4 MEDIUM | Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform an IDN homograph attack.
CVE-2024-56277 | 1 Ays-pro | 1 Poll Maker | 2025-06-09 | N/A | 5.3 MEDIUM | Improper Encoding or Escaping of Output vulnerability in Poll Maker Team Poll Maker. This issue affects Poll Maker: from n/a through n/a.
CVE-2024-4420 | 1 Google | 1 Tink C++ | 2025-06-05 | N/A | 7.5 HIGH | There exists a Denial of Service vulnerability in Tink-cc in versions prior to 2.1.3. First, an adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input that is not an encoded JSON object but is still a valid encoded JSON element, for example a number or an array; this crashes because Tink assumes any valid JSON input will contain an object. Second, an adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input containing many nested JSON objects, which may result in a stack overflow. We recommend upgrading to version 2.1.3 or above.
CVE-2025-3942 | 4 Blackberry, Linux, Microsoft and 1 more | 5 Qnx, Linux Kernel, Windows and 2 more | 2025-06-04 | N/A | 4.3 MEDIUM | Improper Output Neutralization for Logs vulnerability in Tridium Niagara Framework on Windows, Linux, QNX and Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.
CVE-2025-25029 | 1 Ibm | 1 Security Guardium | 2025-06-04 | N/A | 4.9 MEDIUM | IBM Security Guardium 12.0 could allow a privileged user to download any file on the system due to improper escaping of input.
CVE-2024-45498 | 1 Apache | 1 Airflow | 2025-06-03 | N/A | 8.8 HIGH | The example DAG example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs, please review whether you have copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later.
CVE-2022-41322 | 2 Fedoraproject, Kitty Project | 2 Fedora, Kitty | 2025-06-01 | N/A | 7.8 HIGH | In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup.
CVE-2025-47280 | 1 Umbraco | 1 Umbraco Forms | 2025-05-22 | N/A | 6.1 MEDIUM | Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions of Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can work around this issue by using the `Send email with template (Razor)` workflow instead or by writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability.
CVE-2025-1308 | | | 2025-05-21 | N/A | N/A | A vulnerability exists in PX Backup whereby sensitive information may be logged under specific conditions.