Export limit exceeded: 13816 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (342065 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-5277 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2025-06-18 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in SourceCodester Engineers Online Portal 1.0. This issue affects some unknown processing of the file student_avatar.php. The manipulation of the argument change leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240905 was assigned to this vulnerability. | ||||
| CVE-2023-43655 | 4 Debian, Docker, Fedoraproject and 1 more | 4 Debian Linux, Composer, Fedora and 1 more | 2025-06-18 | 6.4 Medium |
| Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice. | ||||
| CVE-2023-5294 | 1 Shopex | 1 Ecshop | 2025-06-18 | 4.7 Medium |
| A vulnerability has been found in ECshop 4.1.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/order.php. The manipulation of the argument goods_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240925 was assigned to this vulnerability. | ||||
| CVE-2025-28132 | 1 Nagios | 1 Nagios Network Analyzer | 2025-06-18 | 4.6 Medium |
| A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf. | ||||
| CVE-2023-5324 | 1 Eero | 1 Eeroos | 2025-06-18 | 4.3 Medium |
| A vulnerability has been found in eeroOS up to 6.16.4-11 and classified as critical. This vulnerability affects unknown code of the component Ethernet Interface. The manipulation leads to denial of service. The attack needs to be approached within the local network. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-241024. | ||||
| CVE-2024-37917 | 1 Pexip | 1 Pexip Infinity | 2025-06-18 | 7.5 High |
| Pexip Infinity before 35.0 has improper input validation that allows remote attackers to trigger a denial of service (software abort) via a crafted signalling message. | ||||
| CVE-2025-30080 | 1 Pexip | 1 Pexip Infinity | 2025-06-18 | 7.5 High |
| Signalling in Pexip Infinity 29 through 36.2 before 37.0 has improper input validation that allows remote attackers to trigger a temporary denial of service (software abort). | ||||
| CVE-2025-51381 | 2025-06-18 | N/A | ||
| An authentication bypass vulnerability exists in KCM3100 Ver1.4.2 and earlier. If this vulnerability is exploited, an attacker may bypass the authentication of the product from within the LAN to which the product is connected. | ||||
| CVE-2025-32412 | 2025-06-18 | 7.8 High | ||
| Fuji Electric Smart Editor is vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code. | ||||
| CVE-2025-6086 | 2025-06-18 | 7.2 High | ||
| The CSV Me plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'csv_me_options_page' function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-5237 | 2025-06-18 | 6.4 Medium | ||
| The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 3.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-49825 | 2025-06-18 | 9.8 Critical | ||
| Teleport provides connectivity, authentication, access controls and audit for infrastructure. Community Edition versions before and including 17.5.1 are vulnerable to remote authentication bypass. At time of posting, there is no available open-source patch. | ||||
| CVE-2025-29720 | 1 Langgenius | 1 Dify | 2025-06-18 | 4.8 Medium |
| Dify v1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi. | ||||
| CVE-2025-2830 | 2 Mozilla, Redhat | 6 Thunderbird, Enterprise Linux, Rhel Aus and 3 more | 2025-06-18 | 6.3 Medium |
| By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2. | ||||
| CVE-2025-3522 | 2 Mozilla, Redhat | 6 Thunderbird, Enterprise Linux, Rhel Aus and 3 more | 2025-06-18 | 6.3 Medium |
| Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2. | ||||
| CVE-2025-3739 | 1 Drupal 8 Google Optimize Hide Page Project | 1 Drupal 8 Google Optimize Hide Page | 2025-06-18 | 5.9 Medium |
| Vulnerability in Drupal Drupal 8 Google Optimize Hide Page.This issue affects Drupal 8 Google Optimize Hide Page: *.*. | ||||
| CVE-2025-32789 | 1 Espocrm | 1 Espocrm | 2025-06-18 | 3.1 Low |
| EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based on the results of the sorted list of users. Although unlikely, if an attacker knows the hash value of their password, they can change the password and repeat the sorting until the other user's password hash is fully revealed. This issue is patched in version 9.0.7. | ||||
| CVE-2024-41200 | 1 Pandora | 1 Kmplayer | 2025-06-18 | 5.5 Medium |
| A segmentation fault in KMPlayer v4.2.2.65 allows attackers to cause a Denial of Service (DoS) via a crafted AVI file. | ||||
| CVE-2025-38046 | 2025-06-18 | 5.5 Medium | ||
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2025-38026 | 2025-06-18 | 4.4 Medium | ||
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||