Total
440 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-27735 | 2025-04-09 | N/A | 6.0 MEDIUM | ||
| Insufficient verification of data authenticity in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally. | |||||
| CVE-2021-26396 | 1 Amd | 48 Epyc 7003, Epyc 7003 Firmware, Epyc 72f3 and 45 more | 2025-04-09 | N/A | 4.4 MEDIUM |
| Insufficient validation of address mapping to IO in ASP (AMD Secure Processor) may result in a loss of memory integrity in the SNP guest. | |||||
| CVE-2021-26403 | 1 Amd | 82 Epyc 7001, Epyc 7001 Firmware, Epyc 7002 and 79 more | 2025-04-08 | N/A | 6.5 MEDIUM |
| Insufficient checks in SEV may lead to a malicious hypervisor disclosing the launch secret potentially resulting in compromise of VM confidentiality. | |||||
| CVE-2022-46370 | 1 Maxum | 1 Rumpus | 2025-04-08 | N/A | 7.3 HIGH |
| Rumpus - FTP server version 9.0.7.1 Improper Token Verification– vulnerability may allow bypassing identity verification. | |||||
| CVE-2024-1554 | 1 Mozilla | 1 Firefox | 2025-04-02 | N/A | 9.8 CRITICAL |
| The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain. Under the correct circumstances, an attacker may have been able to poison the local browser cache by priming it with a `fetch()` response controlled by the additional headers. Upon navigation to the same URL, the user would see the cached response instead of the expected response. This vulnerability affects Firefox < 123. | |||||
| CVE-2023-52546 | 1 Huawei | 2 Emui, Harmonyos | 2025-03-28 | N/A | 7.5 HIGH |
| Vulnerability of package name verification being bypassed in the Calendar app. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2023-20570 | 1 Amd | 94 Alveo U200, Alveo U200 Firmware, Alveo U250 and 91 more | 2025-03-22 | N/A | 3.3 LOW |
| Insufficient verification of data authenticity in the configuration state machine may allow a local attacker to potentially load arbitrary bitstreams. | |||||
| CVE-2025-30144 | 2025-03-19 | N/A | 6.5 MEDIUM | ||
| fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 5.0.6, the fast-jwt library does not properly validate the iss claim based on the RFC 7519. The iss (issuer) claim validation within the fast-jwt library permits an array of strings as a valid iss value. This design flaw enables a potential attack where a malicious actor crafts a JWT with an iss claim structured as ['https://attacker-domain/', 'https://valid-iss']. Due to the permissive validation, the JWT will be deemed valid. Furthermore, if the application relies on external libraries like get-jwks that do not independently validate the iss claim, the attacker can leverage this vulnerability to forge a JWT that will be accepted by the victim application. Essentially, the attacker can insert their own domain into the iss array, alongside the legitimate issuer, and bypass the intended security checks. This issue is fixed in 5.0.6. | |||||
| CVE-2025-1945 | 1 Mmaitre314 | 1 Picklescan | 2025-03-19 | N/A | 9.8 CRITICAL |
| picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model. | |||||
| CVE-2025-1944 | 1 Mmaitre314 | 1 Picklescan | 2025-03-19 | N/A | 6.5 MEDIUM |
| picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection. | |||||
| CVE-2023-4699 | 1 Mitsubishielectric | 432 Fx3g-14mr\/ds, Fx3g-14mr\/ds Firmware, Fx3g-14mr\/es and 429 more | 2025-03-17 | N/A | 10.0 CRITICAL |
| Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation MELSEC-F Series CPU modules, MELSEC iQ-F Series, MELSEC iQ-R series CPU modules, MELSEC iQ-R series, MELSEC iQ-L series, MELSEC Q series, MELSEC-L series, Mitsubishi Electric CNC M800V/M80V series, Mitsubishi Electric CNC M800/M80/E80 series and Mitsubishi Electric CNC M700V/M70V/E70 series allows a remote unauthenticated attacker to execute arbitrary commands by sending specific packets to the affected products. This could lead to disclose or tamper with information by reading or writing control programs, or cause a denial-of-service (DoS) condition on the products by resetting the memory contents of the products to factory settings or resetting the products remotely. | |||||
| CVE-2025-2346 | 2025-03-16 | 5.1 MEDIUM | 5.6 MEDIUM | ||
| A vulnerability has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308 and classified as problematic. This vulnerability affects unknown code of the component Domain Handler. The manipulation of the argument Domain Name leads to origin validation error. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. | |||||
| CVE-2024-5458 | 2 Fedoraproject, Php | 2 Fedora, Php | 2025-03-14 | N/A | 5.3 MEDIUM |
| In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. | |||||
| CVE-2024-37370 | 1 Mit | 1 Kerberos 5 | 2025-03-13 | N/A | 7.5 HIGH |
| In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. | |||||
| CVE-2024-33687 | 1 Omron | 110 Nj-pa3001, Nj-pa3001 Firmware, Nj-pd3001 and 107 more | 2025-03-13 | N/A | 7.5 HIGH |
| Insufficient verification of data authenticity issue exists in NJ Series CPU Unit all versions and NX Series CPU Unit all versions. If a user program in the affected product is altered, the product may not be able to detect the alteration. | |||||
| CVE-2025-27257 | 2025-03-12 | N/A | 6.1 MEDIUM | ||
| Insufficient Verification of Data Authenticity vulnerability in GE Vernova UR IED family devices allows an authenticated user to install a modified firmware. The firmware signature verification is enforced only on the client-side dedicated software Enervista UR Setup, allowing the integration check to be bypassed. | |||||
| CVE-2025-0149 | 2025-03-11 | N/A | 6.5 MEDIUM | ||
| Insufficient verification of data authenticity in some Zoom Workplace Apps may allow an unprivileged user to conduct a denial of service via network access. | |||||
| CVE-2025-27616 | 2025-03-10 | N/A | 8.5 HIGH | ||
| Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available. | |||||
| CVE-2024-27773 | 1 Unitronics | 1 Unilogic | 2025-03-10 | N/A | 8.8 HIGH |
| Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-348: Use of Less Trusted Source may allow RCE | |||||
| CVE-2024-55929 | 2025-02-24 | N/A | 5.3 MEDIUM | ||
| A mail spoofing vulnerability in Xerox Workplace Suite allows attackers to forge email headers, making it appear as though messages are sent from trusted sources. | |||||