Total
5175 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9646 | 2025-08-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A security flaw has been discovered in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_organization_assemble_personal/jaxrs/definition/calendarConfig. The manipulation of the argument toMonthViewName results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | |||||
| CVE-2025-9657 | 2025-08-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was detected in O2OA up to 10.0-410. This issue affects some unknown processing of the file /x_program_center/jaxrs/script of the component Personal Profile Page. The manipulation of the argument name/alias/description results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | |||||
| CVE-2025-9659 | 2025-08-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability has been found in O2OA up to 10.0-410. The affected element is an unknown function of the file /x_portal_assemble_designer/jaxrs/widget of the component Personal Profile Page. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | |||||
| CVE-2025-9655 | 2025-08-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A weakness has been identified in O2OA up to 10.0-410. This affects an unknown part of the file /x_organization_assemble_control/jaxrs/person/ of the component Personal Profile Page. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be launched remotely. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | |||||
| CVE-2025-54731 | 2025-08-29 | N/A | 8.1 HIGH | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase allows Object Injection. This issue affects YouTube Showcase: from n/a through 3.5.1. | |||||
| CVE-2025-9658 | 2025-08-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A flaw has been found in O2OA up to 10.0-410. Impacted is an unknown function of the file /x_portal_assemble_designer/jaxrs/dict/ of the component Personal Profile Page. This manipulation of the argument name/alias/description causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | |||||
| CVE-2025-9590 | 2025-08-29 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability was identified in Weaver E-Mobile Mobile Management Platform up to 20250813. Affected by this vulnerability is an unknown functionality. The manipulation of the argument gohome leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-30055 | 2025-08-29 | N/A | N/A | ||
| The "system" function receives untrusted input from the user. If the "EnableJSCaching" option is enabled, it is possible to execute arbitrary code provided as the "Module" parameter. | |||||
| CVE-2025-2313 | 2025-08-29 | N/A | N/A | ||
| In the Print.pl service, the "uhcPrintServerPrint" function allows execution of arbitrary code via the "CopyCounter" parameter. | |||||
| CVE-2025-48100 | 2025-08-29 | N/A | 9.1 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator allows Remote Code Inclusion. This issue affects bidorbuy Store Integrator: from n/a through 2.12.0. | |||||
| CVE-2025-30057 | 2025-08-29 | N/A | N/A | ||
| In UHCRTFDoc, the filename parameter can be exploited to execute arbitrary code via command injection into the system() call in the ConvertToPDF function. | |||||
| CVE-2025-52122 | 2025-08-29 | N/A | 9.8 CRITICAL | ||
| Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form (submission title). | |||||
| CVE-2025-30056 | 2025-08-29 | N/A | N/A | ||
| The RunCommand function accepts any parameter, which is then passed for execution in the shell. This allows an attacker to execute arbitrary code on the system. | |||||
| CVE-2024-37777 | 2025-08-29 | N/A | 8.8 HIGH | ||
| O2OA v9.0.3 was discovered to contain a remote code execution (RCE) vulnerability via the mainOutput() function. | |||||
| CVE-2025-34159 | 2025-08-29 | N/A | N/A | ||
| Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server. | |||||
| CVE-2025-23312 | 2025-08-29 | N/A | 7.8 HIGH | ||
| NVIDIA NeMo Framework for all platforms contains a vulnerability in the retrieval services component, where malicious data created by an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2025-23315 | 2025-08-29 | N/A | 7.8 HIGH | ||
| NVIDIA NeMo Framework for all platforms contains a vulnerability in the export and deploy component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2025-23307 | 2025-08-29 | N/A | 7.8 HIGH | ||
| NVIDIA NeMo Curator for all platforms contains a vulnerability where a malicious file created by an attacker could allow code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2025-23313 | 2025-08-29 | N/A | 7.8 HIGH | ||
| NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | |||||
| CVE-2025-52218 | 2025-08-29 | N/A | 7.5 HIGH | ||
| SelectZero Data Observability Platform before 2025.5.2 is vulnerable to Content Spoofing / Text Injection. Improper sanitization of unspecified parameters allows attackers to inject arbitrary text or limited HTML into the login page. | |||||