Export limit exceeded: 343015 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343015 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59112 | 1 Windu | 1 Windu Cms | 2025-12-05 | 6.5 Medium |
| Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send POST request that deletes given user. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | ||||
| CVE-2025-59111 | 1 Windu | 1 Windu Cms | 2025-12-05 | 6.5 Medium |
| Windu CMS is vulnerable to Broken Access Control in user editing functionality. Malicious attacker can send a GET request which allows privileged users to delete Super Admins which is not possible with GUI. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | ||||
| CVE-2025-59110 | 1 Windu | 1 Windu Cms | 2025-12-05 | 6.5 Medium |
| Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. Implemented CSRF protection mechanism can be bypassed by using CSRF token of other user. It is worth noting that the registration is open and anyone can create an account. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | ||||
| CVE-2025-11411 | 1 Nlnetlabs | 1 Unbound | 2025-12-05 | 6.9 Medium |
| NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect. | ||||
| CVE-2025-66544 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66543 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66542 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66541 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66540 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66539 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66538 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66537 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66536 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-9553 | 2 Api Key Manager Project, Drupal | 3 Api Key Manager, Api Key Manager, Drupal | 2025-12-05 | 5.3 Medium |
| Vulnerability in Drupal API Key manager.This issue affects API Key manager: *.*. | ||||
| CVE-2025-9554 | 2 Drupal, Owl Carousel 2 Project | 2 Drupal, Owl Carousel 2 | 2025-12-05 | 5.3 Medium |
| Vulnerability in Drupal Owl Carousel 2.This issue affects Owl Carousel 2: *.*. | ||||
| CVE-2025-59048 | 1 Openbao | 2 Aws Plugin, Openbao | 2025-12-05 | 8.1 High |
| OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access. This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts. This vulnerability has been patched in version 0.1.1 of the auth-aws plugin. A workaround for this issue involves guaranteeing that IAM role names are unique across all AWS accounts that could potentially interact with your OpenBao environment, and to audit for any duplicate IAM roles. | ||||
| CVE-2025-11564 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2025-12-05 | 5.3 Medium |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'. | ||||
| CVE-2025-6680 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2025-12-05 | 4.3 Medium |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information. | ||||
| CVE-2025-11154 | 2 Themeatelier, Wordpress | 2 Idonate, Wordpress | 2025-12-05 | 5.4 Medium |
| The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users. | ||||
| CVE-2025-5114 | 1 Easycorp | 1 Zentao | 2025-12-05 | 6.3 Medium |
| A vulnerability has been found in easysoft zentaopms 21.5_20250307 and classified as critical. This vulnerability affects the function Edit of the file /index.php?m=editor&f=edit&filePath=cGhhcjovLy9ldGMvcGFzc3dk&action=edit of the component Committer. The manipulation of the argument filePath leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||