Total
11506 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-10211 | 1 Mitel | 1 Mivoice Connect | 2025-11-03 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability in UCB component of Mitel MiVoice Connect before 19.1 SP1 could allow an unauthenticated remote attacker to execute arbitrary scripts due to insufficient validation of URL parameters. A successful exploit could allow an attacker to gain access to sensitive information. | |||||
| CVE-2025-61920 | 1 Authlib | 1 Authlib | 2025-11-03 | N/A | 7.5 HIGH |
| Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service. Version 1.6.5 patches the issue. Some temporary workarounds are available. Enforce input size limits before handing tokens to Authlib and/or use application-level throttling to reduce amplification risk. | |||||
| CVE-2022-29499 | 1 Mitel | 1 Mivoice Connect | 2025-11-03 | 10.0 HIGH | 9.8 CRITICAL |
| The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA. | |||||
| CVE-2018-19949 | 1 Qnap | 1 Qts | 2025-11-03 | 7.5 HIGH | 9.8 CRITICAL |
| If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109. | |||||
| CVE-2014-5398 | 1 Invensys | 1 Wonderware Information Server | 2025-11-01 | 2.1 LOW | N/A |
| Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
| CVE-2018-7600 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-10-31 | 7.5 HIGH | 9.8 CRITICAL |
| Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. | |||||
| CVE-2025-27224 | 1 Rocketsoftware | 1 Trufusion Enterprise | 2025-10-31 | N/A | 9.8 CRITICAL |
| TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/fileupload endpoint to upload files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be included. This can be used to write to any filename with any file type at any location on the local server, ultimately allowing execution of arbitrary code. | |||||
| CVE-2021-36742 | 2 Microsoft, Trendmicro | 5 Windows, Apex One, Officescan and 2 more | 2025-10-31 | 4.6 MEDIUM | 7.8 HIGH |
| A improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG and Worry-Free Business Security 10.0 SP1 allows a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2025-58716 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-10-31 | N/A | 8.8 HIGH |
| Improper input validation in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-11226 | 2025-10-31 | N/A | N/A | ||
| ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. | |||||
| CVE-2022-47966 | 1 Zohocorp | 22 Manageengine Access Manager Plus, Manageengine Ad360, Manageengine Adaudit Plus and 19 more | 2025-10-31 | N/A | 9.8 CRITICAL |
| Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active). | |||||
| CVE-2025-55692 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-10-30 | N/A | 7.8 HIGH |
| Improper input validation in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2018-0197 | 1 Cisco | 2 Ios, Ios Xe | 2025-10-30 | 3.3 LOW | 6.5 MEDIUM |
| A vulnerability in the VLAN Trunking Protocol (VTP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to corrupt the internal VTP database on an affected device and cause a denial of service (DoS) condition. The vulnerability is due to a logic error in how the affected software handles a subset of VTP packets. An attacker could exploit this vulnerability by sending VTP packets in a sequence that triggers a timeout in the VTP message processing code of the affected software. A successful exploit could allow the attacker to impact the ability to create, modify, or delete VLANs and cause a DoS condition. There are workarounds that address this vulnerability. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS Software or Cisco IOS XE Software, are operating in VTP client mode or VTP server mode, and do not have a VTP domain name configured. The default configuration for Cisco devices that are running Cisco IOS Software or Cisco IOS XE Software and support VTP is to operate in VTP server mode with no domain name configured. | |||||
| CVE-2020-8195 | 1 Citrix | 9 4000-wo, 4100-wo, 5000-wo and 6 more | 2025-10-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users. | |||||
| CVE-2021-21985 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2025-10-30 | 10.0 HIGH | 9.8 CRITICAL |
| The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. | |||||
| CVE-2024-30110 | 1 Hcltech | 1 Dryice Aex | 2025-10-30 | N/A | 3.7 LOW |
| HCL DRYiCE AEX product is impacted by lack of input validation vulnerability in a particular web application. A malicious script can be injected into a system which can cause the system to behave in unexpected ways. | |||||
| CVE-2025-62525 | 1 Openwrt | 1 Openwrt | 2025-10-30 | N/A | 7.9 HIGH |
| OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, local users could read and write arbitrary kernel memory using the ioctls of the ltq-ptm driver which is used to drive the datapath of the DSL line. This only effects the lantiq target supporting xrx200, danube and amazon SoCs from Lantiq/Intel/MaxLinear with the DSL in PTM mode. The DSL driver for the VRX518 is not affected. ATM mode is also not affected. Most VDSL lines use PTM mode and most ADSL lines use ATM mode. OpenWrt is normally running as a single user system, but some services are sandboxed. This vulnerability could allow attackers to escape a ujail sandbox or other contains. This is fixed in OpenWrt 24.10.4. There are no workarounds. | |||||
| CVE-2025-59198 | 1 Microsoft | 16 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 13 more | 2025-10-30 | N/A | 5.0 MEDIUM |
| Improper input validation in Microsoft Windows Search Component allows an authorized attacker to deny service locally. | |||||
| CVE-2025-59250 | 1 Microsoft | 1 Jdbc Driver For Sql Server | 2025-10-30 | N/A | 8.1 HIGH |
| Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2021-25489 | 1 Samsung | 1 Android | 2025-10-30 | 4.9 MEDIUM | 3.3 LOW |
| Assuming radio permission is gained, missing input validation in modem interface driver prior to SMR Oct-2021 Release 1 results in format string bug leading to kernel panic. | |||||