Search Results (342339 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-48945 | | | 2025-06-23 | 5.5 Medium |
| pycares is a Python module which provides an interface to c-ares. c-ares is a C library that performs DNS requests and name resolutions asynchronously. Prior to version 4.9.0, pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash. The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism. | ||||
| CVE-2025-25908 | 1 Tianti Project | 1 Tianti | 2025-06-23 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in tianti v2.3 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the coverImageURL parameter at /article/ajax/save. | ||||
| CVE-2024-55199 | 1 Celk | 1 Celk Saude | 2025-06-23 | 5.4 Medium |
| A Stored Cross Site Scripting (XSS) vulnerability in Celk Sistemas Celk Saude v.3.1.252.1 allows a remote attacker to store JavaScript code inside a PDF file through the file upload feature. When the file is rendered, the injected code is executed on the user's browser. | ||||
| CVE-2024-53307 | 1 Evisions | 1 Maps | 2025-06-23 | 5.4 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the /mw/ endpoint of Evisions MAPS v6.10.2.267 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | ||||
| CVE-2025-25940 | 1 Visicut | 1 Visicut | 2025-06-23 | 9.8 Critical |
| VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java. | ||||
| CVE-2025-28197 | 1 Kidocode | 1 Crawl4ai | 2025-06-23 | 9.1 Critical |
| Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py. | ||||
| CVE-2025-3795 | 1 Daicuo | 1 Daicuo | 2025-06-23 | 2.4 Low |
| A vulnerability was found in DaiCuo 1.3.13. It has been rated as problematic. Affected by this issue is some unknown functionality of the component SEO Optimization Settings Section. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-25382 | 1 Ikm | 1 Sanchaya | 2025-06-23 | 7.5 High |
| An issue in the Property Tax Payment Portal in Information Kerala Mission SANCHAYA v3.0.4 allows attackers to arbitrarily modify payment amounts via a crafted request. | ||||
| CVE-2025-25620 | 1 Changeweb | 1 Unifiedtransform | 2025-06-23 | 5.4 Medium |
| Unifiedtransform 2.0 is vulnerable to Cross Site Scripting (XSS) in the Create assignment function. | ||||
| CVE-2024-53591 | 1 Seclore | 1 Seclore | 2025-06-23 | 9.8 Critical |
| An issue in the login page of Seclore v3.27.5.0 allows attackers to bypass authentication via a brute force attack. | ||||
| CVE-2024-42733 | 1 Docmosis | 1 Tornado | 2025-06-23 | 9.8 Critical |
| An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script to the UNC path input. | ||||
| CVE-2025-30194 | 1 Powerdns | 1 Dnsdist | 2025-06-23 | 7.5 High |
| When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A workaround is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version. We would like to thank Charles Howes for bringing this issue to our attention. | ||||
| CVE-2025-3832 | 1 Jeremyshapiro | 1 Fusedesk | 2025-06-23 | 6.4 Medium |
| The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘successredirect’ parameter in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-3893 | 1 Jan Syski | 1 Megabip | 2025-06-23 | N/A |
| While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the user is not sanitized, leading to an SQL Injection vulnerability. Version 5.20 of MegaBIP fixes this issue. | ||||
| CVE-2025-3894 | 1 Jan Syski | 1 Megabip | 2025-06-23 | N/A |
| Text editor embedded into MegaBIP software does not neutralize user input allowing Stored XSS attacks on other users. In order to use the editor high privileges are required. Version 5.20 of MegaBIP fixes this issue. | ||||
| CVE-2025-3895 | 1 Jan Syski | 1 Megabip | 2025-06-23 | N/A |
| Tokens used for resetting passwords in MegaBIP software are generated using a small space of random values combined with a queryable value. It allows an unauthenticated attacker who knows user login names to brute force these tokens and change account passwords (including those belonging to administrators). Version 5.20 of MegaBIP fixes this issue. | ||||
| CVE-2025-3911 | 1 Docker | 1 Docker Desktop | 2025-06-23 | N/A |
| Recording of environment variables, configured for running containers, in Docker Desktop application logs could lead to unintentional disclosure of sensitive information such as api keys, passwords, etc. A malicious actor with read access to these logs could obtain sensitive credentials information and further use it to gain unauthorized access to other systems. Starting with version 4.41.0, Docker Desktop no longer logs environment variables set by the user. | ||||
| CVE-2025-40595 | 1 Sonicwall | 1 Sma1000 | 2025-06-23 | 7.2 High |
| A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. By using an encoded URL, a remote unauthenticated attacker could potentially cause the appliance to make requests to an unintended location. | ||||
| CVE-2025-40634 | 1 Tp-link | 1 Archer Ax50 | 2025-06-23 | N/A |
| Stack-based buffer overflow vulnerability in the 'conn-indicator' binary running as root on the TP-Link Archer AX50 router, in firmware versions prior to 1.0.15 build 241203 rel61480. This vulnerability allows an attacker to execute arbitrary code on the device over LAN and WAN networks. | ||||
| CVE-2025-40775 | 1 Isc | 1 Bind 9 | 2025-06-23 | 7.5 High |
| When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7. | ||||