Total: 291487 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2024-54775 | 1 Dcatadmin | 1 Dcat Admin | 2025-04-22 | N/A | 4.8 MEDIUM | Dcat-Admin v2.2.0-beta and v2.2.2-beta contain a Cross-Site Scripting (XSS) vulnerability via /admin/auth/menu and /admin/auth/extensions. |
CVE-2024-56314 | 1 Vanderbilt | 1 Redcap | 2025-04-22 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts. |
CVE-2024-56313 | 1 Vanderbilt | 1 Redcap | 2025-04-22 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts. |
CVE-2024-56312 | 1 Vanderbilt | 1 Redcap | 2025-04-22 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the Project Dashboard name, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts. |
CVE-2024-56311 | 1 Vanderbilt | 1 Redcap | 2025-04-22 | N/A | 8.8 HIGH | REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event's notes, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent. |
CVE-2024-56310 | 1 Vanderbilt | 1 Redcap | 2025-04-22 | N/A | 8.8 HIGH | REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent. |
CVE-2025-22957 | 1 Zzcms | 1 Zzcms | 2025-04-22 | N/A | 9.8 CRITICAL | A SQL injection vulnerability exists in the front-end of the website in ZZCMS <= 2023, which can be exploited without any authentication. This vulnerability could potentially allow attackers to gain unauthorized access to the database and extract sensitive information. |
CVE-2024-36694 | 1 Opencart | 1 Opencart | 2025-04-22 | N/A | 7.2 HIGH | OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor function. |
CVE-2024-56170 | 1 Nicmx | 1 Fort-validator | 2025-04-22 | N/A | 5.3 MEDIUM | A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI manifests are listings of relevant files that clients are supposed to verify. Assuming everything else is correct, the most recent version of a manifest should be prioritized over other versions, to prevent replays, accidental or otherwise. Manifests contain the manifestNumber and thisUpdate fields, which can be used to gauge the relevance of a given manifest when compared to other manifests. The former is a serial-like sequential number, and the latter is the date on which the manifest was created. However, the product does not compare the up-to-dateness of the most recently fetched manifest against the cached manifest. As such, it is prone to a rollback to a previous version if it is served a valid outdated manifest. This leads to outdated route origin validation. |
CVE-2024-57433 | 1 Macrozheng | 1 Mall-tiny | 2025-04-22 | N/A | 7.5 HIGH | macrozheng mall-tiny 1.0.1 is vulnerable to Incorrect Access Control via the logout function. After a user logs out, their token is still valid and fetches information in the logged-in state. |
CVE-2024-57434 | 1 Macrozheng | 1 Mall-tiny | 2025-04-22 | N/A | 8.8 HIGH | macrozheng mall-tiny 1.0.1 is vulnerable to Incorrect Access Control. The project imports users by default, and the test user is made a super administrator. |
CVE-2024-57435 | 1 Macrozheng | 1 Mall-tiny | 2025-04-22 | N/A | 6.5 MEDIUM | In macrozheng mall-tiny 1.0.1, an attacker can send null data through the resource creation interface, resulting in a null pointer dereference in all subsequent operations that require authentication, which triggers a denial of service and service restart failure. |
CVE-2025-29369 | 1 Carmelogarcia | 1 Matrimonial Site | 2025-04-22 | N/A | 9.8 CRITICAL | Code-Projects Matrimonial Site V1.0 is vulnerable to SQL Injection in /view_profile.php?id=1. |
CVE-2025-0948 | 1 Angeljudesuarez | 1 Tailoring Management System | 2025-04-22 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability, which was classified as critical, was found in itsourcecode Tailoring Management System 1.0. This affects an unknown part of the file incview.php. The manipulation of the argument incid leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
CVE-2025-29316 | | | 2025-04-22 | N/A | 6.2 MEDIUM | An issue in DataPatrol Screenshot watermark, printing watermark agent v.3.5.2.0 allows a physically proximate attacker to obtain sensitive information. |
CVE-2025-29209 | | | 2025-04-22 | N/A | 9.8 CRITICAL | TOTOLINK X18 v9.1.0cu.2024_B20220329 has an unauthorized arbitrary command execution in the enable parameter of the sub_41105C function of cstecgi.cgi. |
CVE-2025-28236 | | | 2025-04-22 | N/A | 9.8 CRITICAL | Nautel VX Series transmitters running VX SW v6.4.0 and below were discovered to contain a remote code execution (RCE) vulnerability in the firmware update process. This vulnerability allows attackers to execute arbitrary code by supplying a crafted update package to the /#/software/upgrades endpoint. |
CVE-2025-28235 | | | 2025-04-22 | N/A | 7.5 HIGH | An information disclosure vulnerability in the component /socket.io/1/websocket/ of Soundcraft Ui Series Model(s) Ui12 and Ui16 Firmware v1.0.7x and v1.0.5x allows attackers to access Administrator credentials in plaintext. |
CVE-2025-28233 | | | 2025-04-22 | N/A | 9.1 CRITICAL | Incorrect access control in BW Broadcast TX600 (14980), TX300 (32990) (31448), TX150, TX1000, TX30, and TX50 Hardware Version: 2, Software Version: 1.6.0, Control Version: 1.0, AIO Firmware Version: 1.7 allows attackers to access log files and extract session identifiers to execute a session hijacking attack. |
CVE-2025-28232 | | | 2025-04-22 | N/A | 9.1 CRITICAL | Incorrect access control in the HOME.php endpoint of JMBroadcast JMB0150 Firmware v1.0 allows attackers to access the Admin panel without authentication. |