1754 matches found

CNNVD
added 2026/03/24 12:0 a.m. · 9 views

Parse Server SQL injection vulnerability

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability. This vulnerability arises from the ability of attackers to inject...

CVSS 8.6 · AI score 5.9 · EPSS 0.00452
Exploits: 0 · References: 5
CVE
added 2026/03/23 10:58 p.m. · 12 views

CVE-2026-33167

CVE-2026-33167: Action Pack (Rails) contains an XSS vulnerability in the debug exceptions page for Rails 8.1.x branches before 8.1.2.1. When apps have detailed exception pages enabled (config.consider_all_requests_local = true, default in development), crafted exception messages could inject arb...

CVSS 5.3 · AI score 5.9 · EPSS 0.00401
Exploits: 0 · References: 3
Cvelist
added 2026/03/23 9:0 p.m. · 18 views

CVE-2025-60948 Census CSWeb stored XSS

Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious JavaScript that executes in a victim's browser. Fixed in 8.1.0 alpha...

CVSS 5.1 · EPSS 0.00206
Exploits: 0 · References: 4
CVE
added 2026/03/23 9:0 p.m. · 11 views

CVE-2025-60947

CVE-2025-60947: Census CSWeb 8.0.1 contains an arbitrary file upload vulnerability. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. The issue is fixed in 8.1.0 alpha.

CVSS 8.8 · AI score 6.2 · EPSS 0.00526
Exploits: 0 · References: 4 · Affected software: 1
CVE
added 2026/03/23 8:59 p.m. · 6 views

CVE-2025-60946

CVE-2025-60946 affects Census CSWeb. In CSWeb 8.0.1, an arbitrary file path input vulnerability enables path traversal, potentially exposing sensitive directories to a remote, authenticated attacker. Impact is described as high for confidentiality, integrity, and availability in the CVSS metrics....

CVSS 8.8 · AI score 5.9 · EPSS 0.00488
Exploits: 0 · References: 4 · Affected software: 1
Vulnrichment
added 2026/03/21 12:47 p.m. · 2 views

CVE-2019-25562 jetAudio 8.1.7 Denial of Service via File Naming Buffer Overflow

jetAudio 8.1.7 contains a buffer overflow vulnerability in the video converter component that allows local attackers to crash the application by supplying an oversized string in the File Naming field. Attackers can paste a malicious buffer of 512 bytes into the File Naming parameter and trigger t...

CVSS 6.8 · AI score 6.1 · EPSS 0.00199
Exploits: 1 · References: 3
CVE
added 2026/03/21 12:47 p.m. · 8 views

CVE-2019-25562

JetAudio 8.1.7 is affected by a local denial of service via a buffer overflow in the video converter's File Naming field. A 512-byte malicious buffer pasted into File Naming and triggered by clicking Preview crashes the application. Root cause: buffer overflow in the File Naming parameter. Affect...

CVSS 6.8 · AI score 6.1 · EPSS 0.00199
Exploits: 1 · References: 3 · Affected software: 1
Positive Technologies
added 2026/03/21 12:0 a.m. · 4 views

PT-2026-26942

Name of the vulnerable software and affected versions: Suricata (affected versions not specified). Description: Security issues have been resolved in the libsuricata8_0_4-8.0.4-1.1 package on openSUSE Tumbleweed. Recommendations: At the moment, there is no information about a newer version that contain...

CVSS 7.5 · AI score 5.8 · EPSS 0.00351
Exploits: 0 · References: 11
ATTACKERKB
added 2026/03/20 5:2 a.m. · 2 views

CVE-2026-33025

AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL injection vulnerability in the getSqlFromPost method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string was applied, it only escapes...

CVSS 8.6 · AI score 5.9 · EPSS 0.00398
Exploits: 0 · References: 3 · Affected software: 1
EUVD
added 2026/03/20 5:2 a.m. · 6 views

EUVD-2026-13559

AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL injection vulnerability in the getSqlFromPost method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string was applied, it only escapes...

CVSS 8.6 · AI score 5.9 · EPSS 0.00398
Exploits: 0 · References: 2
OSV
added 2026/03/20 5:2 a.m. · 2 views

CVE-2026-33025 AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause

AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL injection vulnerability in the getSqlFromPost method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string was applied, it only escapes...

CVSS 8.6 · AI score 5.9 · EPSS 0.00398
Exploits: 0 · References: 4
Cvelist
added 2026/03/20 5:2 a.m. · 23 views

CVE-2026-33025 AVideo-Encoder is Vulnerable to Authenticated SQL Injection via ORDER BY Clause

AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL injection vulnerability in the getSqlFromPost method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string was applied, it only escapes...

CVSS 8.6 · EPSS 0.00398
Exploits: 0 · References: 2
CVE
added 2026/03/20 5:2 a.m. · 10 views

CVE-2026-33025

AVideo versions before 8.0 are affected by a SQL injection in getSqlFromPost() in Object.php, where $_POST['sort'] keys are used directly as ORDER BY identifiers. Although real_escape_string() is applied, it only escapes string-context chars and does not protect SQL identifiers. The issue is fixe...

CVSS 8.8 · AI score 5.9 · EPSS 0.00398
Exploits: 0 · References: 2 · Affected software: 1
OSV
added 2026/03/20 4:58 a.m. · 4 views

CVE-2026-33024 AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator

AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an...

CVSS 9.3 · AI score 5.7 · EPSS 0.00438
Exploits: 0 · References: 4
Cvelist
added 2026/03/20 4:58 a.m. · 25 views

CVE-2026-33024 AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator

AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an...

CVSS 9.3 · EPSS 0.00438
Exploits: 0 · References: 2
ATTACKERKB
added 2026/03/20 4:58 a.m. · 2 views

CVE-2026-33024

AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an...

CVSS 9.3 · AI score 5.7 · EPSS 0.00438
Exploits: 0 · References: 3 · Affected software: 1
Positive Technologies
added 2026/03/20 12:0 a.m. · 7 views

PT-2026-26561

AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an...

CVSS 9.3 · AI score 5.8 · EPSS 0.00438
Exploits: 0 · References: 4
NVD
added 2026/03/19 11:16 p.m. · 6 views

CVE-2026-29099

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the retrieve function in include/OutboundEmail/OutboundEmail.php fails to properly neutralize the user-controlled $id parameter. It is assumed that the...

CVSS 8.8 · EPSS 0.00259
Exploits: 0 · References: 2
Vulnrichment
added 2026/03/19 11:13 p.m. · 5 views

CVE-2026-32697 SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, the RecordHandler::getRecord method retrieves any record by module and ID without checking the current user's ACL view permission. The companion saveRecord method...

CVSS 6.5 · AI score 5.8 · EPSS 0.00274
Exploits: 0 · References: 1
EUVD
added 2026/03/19 11:13 p.m. · 4 views

EUVD-2026-13380

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, the RecordHandler::getRecord method retrieves any record by module and ID without checking the current user's ACL view permission. The companion saveRecord method...

CVSS 6.5 · AI score 5.8 · EPSS 0.00274
Exploits: 0 · References: 1