3607 matches found
CVE-2025-14106 ZSPACE Q2C NAS HTTP POST Request close zfilev2_api.CloseSafe command injection
A vulnerability was identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation of the argument safedir leads to command injection. The attack is possible to be carried o...
CVE-2025-66259 Authenticated Root Remote Code Execution through improper filtering of HTTP post request parameters
Authenticated Root Remote Code Execution via improper user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform in mainok.php user supplied data/hour/time is passed directl...
CVE-2025-34306 IPFire < v2.29 Stored XSS via Default IP Search Value
IPFire versions prior to 2.29 Core Update 198 contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the pienumber parameter when updating the default firewall IP search values. When a user updates these defaults,...
PT-2025-44177
Name of the Vulnerable Software and Affected Versions: IPFire versions prior to 2.29 Core Update 198. Description: IPFire versions prior to 2.29 Core Update 198 are susceptible to a stored cross-site scripting (XSS) issue. An authenticated attacker can inject arbitrary JavaScript code through the TLS...
CVE-2025-60641
The file mexcel.php in the Vfront 0.99.52 codebase contains a vulnerable call to unserialize(base64_decode($_POST['mexcel'])), where $_POST['mexcel'] is user-controlled input. This input is decoded from base64 and deserialized without validation or use of the allowed_classes option, allowing an attacker to...
CVE-2025-53967
Framelink Figma MCP Server before 0.6.3 allows an unauthenticated remote attacker to execute arbitrary operating system commands via a crafted HTTP POST request with shell metacharacters in input that is used by a fetchWithRetry curl command. The vulnerable endpoint fails to properly sanitize...
CVE-2025-53967
CVE-2025-53967 affects Framelink Figma MCP Server prior to 0.6.3. The vulnerability is a command injection in the MCP server’s input handling, where user-controlled data is interpolated into shell commands (via a curl fallback in fetch-with-retry), enabling an unauthenticated remote attacker to e...
EUVD-2010-5295
Malware in sbrugna...
EUVD-2019-10585
Malware in sbrugna...
EUVD-2020-14039
Malware in sbrugna...
EUVD-2005-3592
Malware in sbrugna...
EUVD-2019-13541
Malware in sbrugna...
EUVD-2002-2406
Malware in sbrugna...
EUVD-2017-6344
Malware in sbrugna...
EUVD-2010-5297
Malware in sbrugna...
EUVD-2020-30125
Malware in sbrugna...
EUVD-2005-3556
Malware in sbrugna...
EUVD-2005-2912
Malware in sbrugna...
EUVD-2007-3554
Malware in sbrugna...
EUVD-2017-5937
Malware in sbrugna...