Export limit exceeded: 343482 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343482 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-36525 | 2 Wordpress, Wpjobboard | 2 Wordpress, Wpjobboard | 2025-12-29 | 8.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPJobBoard allows Blind SQL Injection.This issue affects WPJobBoard: from n/a through 5.9.0. | ||||
| CVE-2023-28619 | 1 Wordpress | 1 Wordpress | 2025-12-29 | 4.3 Medium |
| Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Resoto: from n/a through 1.0.8. | ||||
| CVE-2023-32120 | 1 Wordpress | 1 Wordpress | 2025-12-29 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bob Hostel allows DOM-Based XSS.This issue affects Hostel: from n/a through 1.1.5.1. | ||||
| CVE-2023-40679 | 2 Jeweltheme, Wordpress | 2 Master Addons For Elementor, Wordpress | 2025-12-29 | 6.5 Medium |
| Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.5.3. | ||||
| CVE-2025-43875 | 1 Johnsoncontrols | 5 Istar Edge G2, Istar Ultra, Istar Ultra G2 and 2 more | 2025-12-29 | N/A |
| Under certain circumstances a successful exploitation could result in access to the device. | ||||
| CVE-2025-43876 | 1 Johnsoncontrols | 5 Istar Edge G2, Istar Ultra, Istar Ultra G2 and 2 more | 2025-12-29 | N/A |
| Under certain circumstances a successful exploitation could result in access to the device. | ||||
| CVE-2019-25233 | 1 Ave | 1 Dominaplus | 2025-12-29 | 5.3 Medium |
| AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions. | ||||
| CVE-2025-15098 | 1 Yunaiv | 1 Yudao-cloud | 2025-12-29 | 6.3 Medium |
| A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15117 | 1 Dromara | 1 Sa-token | 2025-12-29 | 3.1 Low |
| A weakness has been identified in Dromara Sa-Token up to 1.44.0. This affects the function ObjectInputStream.readObject of the file SaJdkSerializer.java. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15156 | 1 Omec-project | 1 Upf | 2025-12-29 | 4.3 Medium |
| A flaw has been found in omec-project UPF up to 2.1.3-dev. This affects the function handleSessionEstablishmentRequest of the file /pfcpiface/pfcpiface/messages_session.go of the component PFCP Session Establishment Request Handler. This manipulation causes null pointer dereference. The attack may be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2025-13417 | 1 Wordpress | 1 Wordpress | 2025-12-29 | 8.6 High |
| The Plugin Organizer WordPress plugin before 10.2.4 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers to perform SQL injection attacks. | ||||
| CVE-2025-15149 | 2025-12-29 | 2.4 Low | ||
| A vulnerability has been found in rawchen ecms up to b59d7feaa9094234e8aa6c8c6b290621ca575ded. Affected by this vulnerability is the function updateProductServlet of the file src/servlet/product/updateProductServlet.java of the component Add New Product Page. The manipulation of the argument productName leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-61924 | 2 Prestashop, Prestashopcorp | 3 Prestashop, Prestashop Checkout, Checkout | 2025-12-29 | 3.8 Low |
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the Target PayPal merchant account hijacking from backoffice due to wrong usage of the PHP array_search(). The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | ||||
| CVE-2025-61922 | 2 Prestashop, Prestashopcorp | 3 Prestashop, Prestashop Checkout, Checkout | 2025-12-29 | 9.1 Critical |
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | ||||
| CVE-2025-61923 | 2 Prestashop, Prestashopcorp | 3 Prestashop, Prestashop Checkout, Checkout | 2025-12-29 | 4.1 Medium |
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | ||||
| CVE-2025-49131 | 1 Fastgpt | 1 Fastgpt | 2025-12-29 | 6.3 Medium |
| FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows and conversational agents. The Sandbox container (fastgpt-sandbox) is a specialized, isolated environment used by FastGPT to safely execute user-submitted or dynamically generated code in isolation. The sandbox before version 4.9.11 has insufficient isolation and inadequate restrictions on code execution by allowing overly permissive syscalls, which allows attackers to escape the intended sandbox boundaries. Attackers could exploit this to read and overwrite arbitrary files and bypass Python module import restrictions. This is patched in version 4.9.11 by restricting the allowed system calls to a safer subset and additional descriptive error messaging. | ||||
| CVE-2025-27600 | 1 Fastgpt | 1 Fastgpt | 2025-12-29 | 6.5 Medium |
| FastGPT is a knowledge-based platform built on the LLMs. Since the web crawling plug-in does not perform intranet IP verification, an attacker can initiate an intranet IP request, causing the system to initiate a request through the intranet and potentially obtain some private data on the intranet. This issue is fixed in 4.9.0. | ||||
| CVE-2025-62612 | 2 Fastgpt, Sealos | 2 Fastgpt, Fastgpt | 2025-12-29 | 5.3 Medium |
| FastGPT is an AI Agent building platform. Prior to version 4.11.1, in the workflow file reading node, the network link is not security-verified, posing a risk of SSRF attacks. This issue has been patched in version 4.11.1. | ||||
| CVE-2025-52552 | 1 Fastgpt | 1 Fastgpt | 2025-12-29 | 6.1 Medium |
| FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable to open redirect and DOM-based XSS. Improper validation and lack of sanitization of this parameter allows attackers execute malicious JavaScript or redirect them to attacker-controlled sites. This issue has been patched in version 4.9.12. | ||||
| CVE-2025-15129 | 2025-12-29 | 6.3 Medium | ||
| A flaw has been found in ChenJinchuang Lin-CMS-TP5 up to 0.3.3. This vulnerability affects the function Upload of the file application/lib/file/LocalUploader.php of the component File Upload Handler. Executing manipulation of the argument File can lead to code injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | ||||