Total
308012 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-5004 | 1 Projectworlds | 1 Online Time Table Generator | 2025-08-28 | 7.5 HIGH | 7.3 HIGH |
A vulnerability was found in projectworlds Online Time Table Generator 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/add_course.php. The manipulation of the argument c/subname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-5003 | 1 Projectworlds | 1 Online Time Table Generator | 2025-08-28 | 7.5 HIGH | 7.3 HIGH |
A vulnerability has been found in projectworlds Online Time Table Generator 1.0 and classified as critical. This vulnerability affects unknown code of the file /semester_ajax.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-5008 | 1 Projectworlds | 1 Online Time Table Generator | 2025-08-28 | 7.5 HIGH | 7.3 HIGH |
A vulnerability was found in projectworlds Online Time Table Generator 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/add_teacher.php. The manipulation of the argument e leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | |||||
CVE-2024-0498 | 1 Projectworlds | 1 Online Lawyer Management System | 2025-08-28 | 6.5 MEDIUM | 6.3 MEDIUM |
A vulnerability was found in Project Worlds Lawyer Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file searchLawyer.php. The manipulation of the argument experience leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250603. | |||||
CVE-2024-0266 | 1 Projectworlds | 1 Online Lawyer Management System | 2025-08-28 | 5.0 MEDIUM | 4.3 MEDIUM |
A vulnerability classified as problematic has been found in Project Worlds Online Lawyer Management System 1.0. Affected is an unknown function of the component User Registration. The manipulation of the argument First Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249822 is the identifier assigned to this vulnerability. | |||||
CVE-2025-4931 | 1 Projectworlds | 1 Online Lawyer Management System | 2025-08-28 | 7.5 HIGH | 7.3 HIGH |
A vulnerability classified as critical was found in projectworlds Online Lawyer Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /user_registation.php. The manipulation of the argument email leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-4706 | 1 Projectworlds | 1 Online Examination System | 2025-08-28 | 7.5 HIGH | 7.3 HIGH |
A vulnerability was found in projectworlds Online Examination System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /Procedure3b_yearwiseVisit.php. The manipulation of the argument Visit_year leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-4739 | 1 Projectworlds | 1 Hospital Database Management System | 2025-08-28 | 7.5 HIGH | 7.3 HIGH |
A vulnerability was found in projectworlds Hospital Database Management System 1.0. It has been classified as critical. This affects an unknown part of the file /medicines_info.php. The manipulation of the argument Med_ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2024-53269 | 1 Envoyproxy | 1 Envoy | 2025-08-28 | N/A | 4.5 MEDIUM |
Envoy is a cloud-native high-performance edge/middle/service proxy. When additional addresses are not IP addresses, the Happy Eyeballs sorting algorithm will crash in the data plane. This issue has been addressed in releases 1.32.2, 1.31.4, and 1.30.8. Users are advised to upgrade. Users unable to upgrade may disable Happy Eyeballs and/or change the IP configuration. | |||||
CVE-2024-53262 | 1 Svelte | 1 Sveltekit | 2025-08-28 | N/A | 5.4 MEDIUM |
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% — the HTTP status, and %sveltekit.error.message% — the error message. This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable. This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2024-53261 | 1 Svelte | 1 Sveltekit | 2025-08-28 | N/A | 5.4 MEDIUM |
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)." The files `packages/kit/src/exports/vite/dev/index.js` and `packages/kit/src/exports/vite/utils.js` both contain user controllable data which under specific conditions may flow to dev mode pages. There is little to no expected impact. The Vite development is not exposed to the network by default and even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data. Nonetheless, this issue has been addressed in version 2.8.3 and all users are advised to upgrade. | |||||
CVE-2024-52510 | 1 Nextcloud | 1 Desktop | 2025-08-28 | N/A | 4.2 MEDIUM |
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed by-passing the signature validation, if a manipulated server sends an empty initial signature. It is recommended that the Nextcloud Desktop client is upgraded to 3.14.2 or later. | |||||
CVE-2025-51970 | 1 Puneethreddyhc | 1 Online Shopping System Advanced | 2025-08-28 | N/A | 7.7 HIGH |
A SQL Injection vulnerability exists in the action.php endpoint of PuneethReddyHC Online Shopping System Advanced 1.0 due to improper sanitization of user-supplied input in the keyword POST parameter. | |||||
CVE-2024-6219 | 1 Canonical | 1 Lxd | 2025-08-28 | N/A | 3.8 LOW |
Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured. | |||||
CVE-2025-9432 | 1 Mtons | 1 Mblog | 2025-08-28 | 5.0 MEDIUM | 4.3 MEDIUM |
A vulnerability has been found in mtons mblog up to 3.5.0. The affected element is an unknown function of the file /admin/post/list of the component Admin Panel. Such manipulation of the argument Title leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-9431 | 1 Mtons | 1 Mblog | 2025-08-28 | 5.0 MEDIUM | 4.3 MEDIUM |
A flaw has been found in mtons mblog up to 3.5.0. Impacted is an unknown function of the file /search. This manipulation of the argument kw causes cross site scripting. The attack can be initiated remotely. The exploit has been published and may be used. | |||||
CVE-2022-4536 | 1 Youtag | 1 Two-factor Authentication | 2025-08-28 | N/A | 5.3 MEDIUM |
The IP Vault – WP Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in. | |||||
CVE-2025-9430 | 1 Mtons | 1 Mblog | 2025-08-28 | 3.3 LOW | 2.4 LOW |
A vulnerability was detected in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /admin/options/update. The manipulation of the argument input results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. | |||||
CVE-2025-9429 | 1 Mtons | 1 Mblog | 2025-08-28 | 4.0 MEDIUM | 3.5 LOW |
A security vulnerability has been detected in mtons mblog up to 3.5.0. This vulnerability affects unknown code of the file /post/submit of the component Post Handler. The manipulation of the argument content/title/ leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | |||||
CVE-2025-8908 | 1 51mis | 1 Lingdang Crm | 2025-08-28 | 6.5 MEDIUM | 6.3 MEDIUM |
A vulnerability was determined in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.5.4. Affected by this issue is some unknown functionality of the file crm/WeiXinApp/yunzhijia/event.php. The manipulation of the argument openid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 8.6.5 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+." |