Total: 316927 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5878 | | | 2025-11-03 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 is able to address this issue. Commit ID f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by default and any attempt to use it will trigger a warning. And commit ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the misleading Java class documentation to warn about the risks. | |||||
| CVE-2025-5283 | 1 Google | 1 Chrome | 2025-11-03 | N/A | 5.4 MEDIUM |
| Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2025-5269 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-03 | N/A | 8.1 HIGH |
| Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.11 and Thunderbird < 128.11. | |||||
| CVE-2025-5268 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-03 | N/A | 8.1 HIGH |
| Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. | |||||
| CVE-2025-5267 | 1 Mozilla | 1 Firefox | 2025-11-03 | N/A | 5.4 MEDIUM |
| A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. | |||||
| CVE-2025-5266 | 1 Mozilla | 1 Firefox | 2025-11-03 | N/A | 4.3 MEDIUM |
| Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. | |||||
| CVE-2025-5264 | 1 Mozilla | 1 Firefox | 2025-11-03 | N/A | 4.8 MEDIUM |
| Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. | |||||
| CVE-2025-5263 | 1 Mozilla | 1 Firefox | 2025-11-03 | N/A | 4.3 MEDIUM |
| Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. | |||||
| CVE-2025-5054 | 1 Canonical | 2 Apport, Ubuntu Linux | 2025-11-03 | N/A | 4.7 MEDIUM |
| Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1). | |||||
| CVE-2025-54798 | 1 Raszi | 1 Tmp | 2025-11-03 | N/A | 2.5 LOW |
| tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4. | |||||
| CVE-2025-54769 | 1 Xorux | 1 Lpar2rrd | 2025-11-03 | N/A | 8.8 HIGH |
| An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing Perl modules within the application to achieve remote code execution (RCE) by an attacker. | |||||
| CVE-2025-54768 | 1 Xorux | 1 Lpar2rrd | 2025-11-03 | N/A | 5.3 MEDIUM |
| An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information. | |||||
| CVE-2025-54767 | 1 Xorux | 1 Lpar2rrd | 2025-11-03 | N/A | 6.5 MEDIUM |
| An authenticated, read-only user can kill any processes running on the Xormon Original virtual appliance as the lpar2rrd user. | |||||
| CVE-2025-54766 | 1 Xorux | 1 Xormon | 2025-11-03 | N/A | 5.3 MEDIUM |
| An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information. | |||||
| CVE-2025-54765 | 1 Xorux | 1 Xormon | 2025-11-03 | N/A | 5.3 MEDIUM |
| An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include granting themselves administrative level permissions. | |||||
| CVE-2025-54500 | 1 F5 | 26 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 23 more | 2025-11-03 | N/A | 5.3 MEDIUM |
| An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2025-53084 | 1 Wwbn | 1 Avideo | 2025-11-03 | N/A | 9.0 CRITICAL |
| A cross-site scripting (XSS) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | |||||
| CVE-2025-52936 | | | 2025-11-03 | N/A | N/A |
| Improper Link Resolution Before File Access ('Link Following') vulnerability in yrutschle sslh. This issue affects sslh: before 2.2.2. | |||||
| CVE-2025-52497 | 1 Arm | 1 Mbed Tls | 2025-11-03 | N/A | 4.8 MEDIUM |
| Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input. | |||||
| CVE-2025-52496 | 1 Arm | 1 Mbed Tls | 2025-11-03 | N/A | 7.8 HIGH |
| Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery. | |||||
