Total
9259 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-2377 | 1 Ecava | 1 Integraxor | 2025-10-13 | 5.0 MEDIUM | N/A |
| Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag. | |||||
| CVE-2014-2374 | 1 Accuenergy | 2 Acuvim Ii, Axm-net | 2025-10-13 | 7.5 HIGH | N/A |
| The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript. | |||||
| CVE-2014-0786 | 1 Ecava | 1 Integraxor | 2025-10-13 | 7.5 HIGH | N/A |
| Ecava IntegraXor before 4.1.4393 allows remote attackers to read cleartext credentials for administrative accounts via SELECT statements that leverage the guest role. | |||||
| CVE-2025-49177 | 2025-10-13 | N/A | 6.1 MEDIUM | ||
| A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests. | |||||
| CVE-2025-57437 | 1 Blackmagicdesign | 2 Web Presenter Hd, Web Presenter Hd Firmware | 2025-10-10 | N/A | 9.8 CRITICAL |
| The Blackmagic Web Presenter HD firmware version 3.3 exposes sensitive information via an unauthenticated Telnet service on port 9977. When connected, the service reveals extensive device configuration data including: - Model, version, and unique identifiers - Network settings including IP, MAC, DNS - Current stream platform, stream key, and streaming URL - Audio/video configuration This data can be used to hijack live streams or perform network reconnaissance. | |||||
| CVE-2024-8072 | 1 Mage | 1 Mage-ai | 2025-10-10 | N/A | 5.3 MEDIUM |
| Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users | |||||
| CVE-2024-4596 | 1 Kimai | 1 Kimai | 2025-10-10 | 2.6 LOW | 3.7 LOW |
| A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Session Handler. The manipulation of the argument PHPSESSIONID leads to information disclosure. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. Upgrading to version 2.16.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-263318 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-28247 | 1 Pi-hole | 1 Pi-hole | 2025-10-10 | N/A | 7.6 HIGH |
| The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. A vulnerability has been discovered in Pihole that allows an authenticated user on the platform to read internal server files arbitrarily, and because the application runs from behind, reading files is done as a privileged user.If the URL that is in the list of "Adslists" begins with "file*" it is understood that it is updating from a local file, on the other hand if it does not begin with "file*" depending on the state of the response it does one thing or another. The problem resides in the update through local files. When updating from a file which contains non-domain lines, 5 of the non-domain lines are printed on the screen, so if you provide it with any file on the server which contains non-domain lines it will print them on the screen. This vulnerability is fixed by 5.18. | |||||
| CVE-2025-2860 | 1 Arteche | 2 Satech Bcu, Satech Bcu Firmware | 2025-10-10 | N/A | 5.3 MEDIUM |
| SaTECH BCU in its firmware version 2.1.3, allows an authenticated attacker to access information about the credentials that users have within the web (.xml file). In order to exploit this vulnerability, the attacker must know the path, regardless of the user's privileges on the website. | |||||
| CVE-2025-31955 | 1 Hcltech | 1 Dryice Iautomate | 2025-10-10 | N/A | 7.6 HIGH |
| HCL iAutomate is affected by a sensitive data exposure vulnerability. This issue may allow unauthorized access to sensitive information within the system. | |||||
| CVE-2025-51040 | 1 Electrolink | 4 Fm\/dab\/tv Transmitter Web Management System, Medium 1kw, Medium 2kw and 1 more | 2025-10-09 | N/A | 7.5 HIGH |
| Electrolink FM/DAB/TV Transmitter Web Management System Unauthorized access vulnerability via the /FrameSetCore.html endpoint in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2. | |||||
| CVE-2025-34220 | 1 Vasion | 2 Virtual Appliance Application, Virtual Appliance Host | 2025-10-09 | N/A | 5.3 MEDIUM |
| Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contains a /api-gateway/identity/search-groups endpoint that does not require authentication. Requests to https://<tenant>.printercloud10.com/api-gateway/identity/search-groups and adjustments to the `Host` header allow an unauthenticated remote attacker to enumerate every group object stored for that tenant. The response includes internal identifiers (group ID, source service ID, Azure AD object IDs, creation timestamps, and tenant IDs). This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced. | |||||
| CVE-2025-11443 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 2.6 LOW | 3.7 LOW |
| A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. This issue is currently aligned with Laravel issue #46465, which is why no mitigation action was taken. | |||||
| CVE-2025-61906 | 1 Apereo | 1 Opencast | 2025-10-09 | N/A | 4.3 MEDIUM |
| Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, in some situations, Opencast's editor may publish a video without notifying the user. This may lead to users accidentally publishing media not meant for publishing, and thus possibly exposing internal media. This risk of this actually impacting someone is very low, though. This can only be triggered by users with write access to an event. They also have to use the editor, which is usually an action taken if they want to publish media and not something users would use on internal media they do not want to publish. Finally, they have to first click on "Save & Publish" before then selecting the "Save" option. Nevertheless, while very unlikely, this can happen. This issue is fixed in Opencast 17.8 and 18.2. | |||||
| CVE-2025-11026 | 1 Vvveb | 1 Vvveb | 2025-10-08 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was determined in givanz Vvveb up to 1.0.7.2. Affected by this vulnerability is an unknown functionality of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release." | |||||
| CVE-2025-61777 | 2025-10-08 | N/A | 9.4 CRITICAL | ||
| Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the `/api/admin/badge-templates` (GET) and `/api/admin/badge-templates/create` (POST) endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized users to retrieve all badge templates and sensitive metadata (createdBy, createdAt, updatedAt) and/or create arbitrary badge templates in the database. This could lead to data exposure, database pollution, or abuse of the badge system. The issue has been fixed in FlagForge v2.3.2. GET, POST, UPDATE, and DELETE endpoints now require authentication. Authorization checks ensure only admins can access and modify badge templates. No reliable workarounds are available. | |||||
| CVE-2025-11406 | 2025-10-08 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A security flaw has been discovered in kaifangqian kaifangqian-base up to 7b3faecda13848b3ced6c17c7423b76c5b47b8ab. This issue affects the function getAllUsers of the file kaifangqian-parent/kaifangqian-system/src/main/java/com/kaifangqian/modules/system/controller/SysUserController.java. The manipulation results in information disclosure. The attack can be launched remotely. The exploit has been released to the public and may be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | |||||
| CVE-2025-48464 | 2025-10-08 | N/A | 4.7 MEDIUM | ||
| Successful exploitation of the vulnerability could allow an unauthenticated attacker to gain access to a victim’s Sync account data such as account credentials and email protection information. | |||||
| CVE-2025-5098 | 1 Dynamixsoftware | 1 Printershare | 2025-10-08 | N/A | 9.1 CRITICAL |
| PrinterShare Android application allows the capture of Gmail authentication tokens that can be reused to access a user's Gmail account without proper authorization. | |||||
| CVE-2025-59833 | 1 Flagforge | 1 Flagforge | 2025-10-08 | N/A | 7.5 HIGH |
| Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them via point deduction. Users can view all hints for free, undermining the business logic of the platform and reducing the integrity of the challenge system. This issue has been patched in version 2.3.0. | |||||