Lucene search
K
NvdMost viewed

363836 matches found

NVD
NVD
added 2025/09/26 1:15 a.m.45 views

CVE-2025-60251

Unitree Go2, G1, H1, and B2 devices through 2025-09-20 accept any handshake secret with the unitree substring...

5CVSS0.00182EPSS
Exploits0References3
NVD
NVD
added 2025/09/23 4:15 p.m.45 views

CVE-2025-57407

A stored cross-site scripting XSS vulnerability in the Admin Log Viewer of S-Cart =10.0.3 allows a remote authenticated attacker to inject arbitrary web script or HTML via a crafted User-Agent header. The script is executed in an administrator's browser when they view the security log page, which...

5.4CVSS0.00201EPSS
Exploits0References2
NVD
NVD
added 2025/09/17 8:15 p.m.45 views

CVE-2025-59349

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path...

5.1CVSS0.00106EPSS
Exploits0References2
NVD
NVD
added 2025/09/11 12:15 p.m.45 views

CVE-2025-40695

Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a stored authenticated XSS due to the lack of propper validation of user inputs 'remark', 'status' and 'takeaction' parameters via POST at the endpoint '/ofrs/admin/request-details.php'. This...

5.4CVSS0.00193EPSS
Exploits0References1
NVD
NVD
added 2025/08/11 7:15 p.m.45 views

CVE-2025-44004

Mattermost Confluence Plugin version 1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization via API call to the create channel subscription endpoint...

7.2CVSS0.00189EPSS
Exploits0References1
NVD
NVD
added 2025/08/08 7:15 p.m.45 views

CVE-2025-4796

The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the...

8.8CVSS0.00526EPSS
Exploits3References3
NVD
NVD
added 2025/08/07 1:15 a.m.45 views

CVE-2025-54799

Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library and the lego cli as well don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME...

6CVSS0.00199EPSS
Exploits0References2
NVD
NVD
added 2025/08/01 6:15 p.m.45 views

CVE-2025-54590

webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in...

6.9CVSS0.006EPSS
Exploits0References3
NVD
NVD
added 2025/08/01 6:15 a.m.45 views

CVE-2025-8454

It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts a collection of scripts to make the life of a Debian Package maintainer easier, skips OpenPGP verification if the upstream source is already downloaded from a previous run even...

9.8CVSS0.00235EPSS
Exploits0References1
NVD
NVD
added 2025/07/31 6:15 p.m.45 views

CVE-2025-51383

D-LINK DI-8200 16.07.26A1 is vulnerable to Buffer Overflow in the ipsecroadasp function via the hostip parameter...

3.5CVSS0.00361EPSS
Exploits1References2
NVD
NVD
added 2025/07/15 12:15 a.m.45 views

CVE-2025-53889

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow...

6.5CVSS0.00395EPSS
Exploits0References3
NVD
NVD
added 2025/06/28 8:15 p.m.45 views

CVE-2025-6824

A vulnerability classified as critical has been found in TOTOLINK X15 up to 1.0.0-B20230714.1105. Affected is an unknown function of the file /boafrm/formParentControl of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible ...

9CVSS0.00785EPSS
Exploits1References6
NVD
NVD
added 2025/06/16 9:15 p.m.45 views

CVE-2025-6139

A vulnerability, which was classified as problematic, has been found in TOTOLINK T10 4.1.8cu.5207. Affected by this issue is some unknown functionality of the file /etc/shadow.sample. The manipulation leads to use of hard-coded password. The attack can only be initiated within the local network...

3.9CVSS0.00331EPSS
Exploits1References5
NVD
NVD
added 2025/06/05 12:15 a.m.45 views

CVE-2025-5622

A vulnerability was found in D-Link DIR-816 1.10CNB05 and classified as critical. Affected by this issue is the function wirelessApcli5g of the file /goform/wirelessApcli5g. The manipulation of the argument apclimode5g/apclienc5g/apclidefaultkey5g leads to stack-based buffer overflow. The attack...

10CVSS0.02009EPSS
Exploits1References5
NVD
NVD
added 2025/06/02 4:15 p.m.45 views

CVE-2025-48941

MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden draft, unapproved, or soft-deleted threads containing specified text in the title. The visibility state...

5.3CVSS0.00284EPSS
Exploits0References3
NVD
NVD
added 2025/05/27 3:15 p.m.45 views

CVE-2025-5247

A vulnerability, which was classified as critical, has been found in Gowabby HFish 0.1. This issue affects the function LoadUrl of the file \view\url.go. The manipulation of the argument r leads to improper authentication. The attack may be initiated remotely. The exploit has been disclosed to th...

7.5CVSS0.0043EPSS
Exploits0References4
NVD
NVD
added 2025/05/27 9:15 a.m.45 views

CVE-2025-41651

Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configuration files and leading to full system compromise...

9.8CVSS0.00512EPSS
Exploits0References1
NVD
NVD
added 2025/05/23 1:15 p.m.45 views

CVE-2025-48283

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Majestic Support Majestic Support majestic-support allows SQL Injection.This issue affects Majestic Support: from n/a through = 1.1.0...

9.3CVSS0.00301EPSS
Exploits0References1
NVD
NVD
added 2025/05/22 11:15 p.m.45 views

CVE-2025-48371

OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected...

8.8CVSS0.00408EPSS
Exploits0References2
NVD
NVD
added 2025/05/08 5:16 p.m.45 views

CVE-2025-44021

OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling if a deployment was performed via the API. A malicious project assigned as a node owner can provide a path to any local file readable by ironic-conductor, which may then be written to the target...

2.8CVSS0.00149EPSS
Exploits0References3
NVD
NVD
added 2025/05/07 4:15 p.m.45 views

CVE-2025-46827

Graylog is a free and open log management platform. Prior to versions 6.0.14, 6.1.10, and 6.2.0, it is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user account with...

8CVSS0.00229EPSS
Exploits0References1
NVD
NVD
added 2025/05/04 11:15 p.m.45 views

CVE-2025-4252

A vulnerability was found in PCMan FTP Server 2.0.7. It has been classified as critical. Affected is an unknown function of the component APPEND Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public a...

9.8CVSS0.00612EPSS
Exploits1References4
NVD
NVD
added 2025/05/03 9:15 p.m.45 views

CVE-2025-47241

In browser-use aka Browser Use before 0.1.45, URL parsing of alloweddomains is mishandled because userinfo can be placed in the authority component...

4CVSS0.00445EPSS
Exploits0References3
NVD
NVD
added 2025/05/02 4:15 a.m.45 views

CVE-2025-1326

The Homey theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the homeyreservationdel function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete...

4.3CVSS0.002EPSS
Exploits0References2
NVD
NVD
added 2025/04/30 5:15 p.m.45 views

CVE-2025-3599

Symantec Endpoint Protection Windows Agent, running an ERASER Engine prior to 119.1.7.8, may be susceptible to an Elevation of Privilege vulnerability, which may allow an attacker to delete resources that are normally protected from an application or user...

7.5CVSS0.00233EPSS
Exploits0References1
NVD
NVD
added 2025/04/29 7:15 a.m.45 views

CVE-2025-2893

The Gutenverse – Ultimate Block Addons and Page Builder for Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's countdown Block in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS0.00231EPSS
Exploits0References4
NVD
NVD
added 2025/04/26 6:15 a.m.45 views

CVE-2025-3914

The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropagemediadownloader' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access a...

8.8CVSS0.11399EPSS
Exploits1References5
NVD
NVD
added 2025/04/20 4:15 a.m.45 views

CVE-2025-3821

A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file add-admin.php. The manipulation of the argument txtpassword/txtfullname/txtemail leads to cross site scripting. Th...

5.4CVSS0.00294EPSS
Exploits1References5
NVD
NVD
added 2025/04/15 9:16 p.m.45 views

CVE-2025-30740

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards component: Web Runtime SEC. Supported versions that are affected are 9.2.0.0-9.2.9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOn...

6.5CVSS0.0032EPSS
Exploits0References1
NVD
NVD
added 2025/04/15 9:16 p.m.45 views

CVE-2025-30727

Vulnerability in the Oracle Scripting product of Oracle E-Business Suite component: iSurvey Module. Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful...

9.8CVSS0.00487EPSS
Exploits0References1
NVD
NVD
added 2025/04/15 9:15 p.m.45 views

CVE-2025-30698

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: 2D. Supported versions that are affected are Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle...

5.6CVSS0.00549EPSS
Exploits0References3
NVD
NVD
added 2025/04/11 5:15 p.m.45 views

CVE-2025-32077

Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Extension:SimpleCalendar allows Cross-Site Scripting XSS.This issue affects Mediawiki - Extension:SimpleCalendar: from 1.39 through 1.43...

6.9CVSS0.00349EPSS
Exploits0References2
NVD
NVD
added 2025/04/09 8:15 p.m.45 views

CVE-2025-21591

A Buffer Access with Incorrect Length Value vulnerability in the jdhcpd daemon of Juniper Networks Junos OS, when DHCP snooping is enabled, allows an unauthenticated, adjacent, attacker to send a DHCP packet with a malformed DHCP option to cause jdhcp to crash creating a Denial of Service DoS...

7.4CVSS0.00301EPSS
Exploits0References1
NVD
NVD
added 2025/03/23 9:15 p.m.45 views

CVE-2025-2664

A vulnerability was found in CodeZips Hospital Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /suadpeted.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been...

7.2CVSS0.00462EPSS
Exploits1References4
NVD
NVD
added 2025/02/07 2:15 p.m.45 views

CVE-2025-1108

Insufficient data authenticity verification vulnerability in Janto, versions prior to r12. This allows an unauthenticated attacker to modify the content of emails sent to reset the password. To exploit the vulnerability, the attacker must create a POST request by injecting malicious content into...

8.6CVSS0.00203EPSS
Exploits0References1
NVD
NVD
added 2025/01/28 8:15 a.m.45 views

CVE-2025-0321

The ElementsKit Pro plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.7.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-leve...

6.4CVSS0.00253EPSS
Exploits0References3
NVD
NVD
added 2025/01/24 4:15 p.m.45 views

CVE-2024-25034

IBM Planning Analytics 2.0 and 2.1 could be vulnerable to malicious file upload by not validating the type of file in the File Manager T1 process. Attackers can make use of this weakness and upload malicious executable files into the system that can be sent to victims for performing further attac...

8.8CVSS0.00377EPSS
Exploits0References1
NVD
NVD
added 2025/01/11 1:15 p.m.45 views

CVE-2024-53689

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

Exploits0
NVD
NVD
added 2025/01/09 9:15 p.m.45 views

CVE-2024-13297

Deserialization of Untrusted Data vulnerability in Drupal Eloqua allows Object Injection.This issue affects Eloqua: from 7.X- before 7.X-1.15...

6.6CVSS0.00392EPSS
Exploits0References1
NVD
NVD
added 2024/12/31 11:15 p.m.45 views

CVE-2024-56063

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Stored XSS.This issue affects Essential Addons for Elementor: from n/a through = 6.0.7...

6.5CVSS0.00243EPSS
Exploits0References1
NVD
NVD
added 2024/12/24 5:15 p.m.45 views

CVE-2024-12745

A SQL injection in the Amazon Redshift Python Connector v2.1.4 allows a user to gain escalated privileges via the getschemas, gettables, or getcolumns Metadata APIs. Users are recommended to upgrade to the driver version 2.1.5 or revert to driver version 2.1.3...

8.6CVSS0.0052EPSS
Exploits0References3
NVD
NVD
added 2024/12/19 7:15 p.m.45 views

CVE-2024-55196

Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers...

7.5CVSS0.00358EPSS
Exploits0References1
NVD
NVD
added 2024/12/06 10:15 p.m.45 views

CVE-2024-44853

Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble was discovered to contain a NULL pointer dereference via the component computeControl...

7.5CVSS0.00566EPSS
Exploits1References3
NVD
NVD
added 2024/12/03 7:15 a.m.45 views

CVE-2024-9058

The Element Pack Elementor Addons Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Lightbox widget in all versions up to, and including, 5.10.5 due to insufficient input sanitization and output...

6.4CVSS0.00236EPSS
Exploits0References2
NVD
NVD
added 2024/12/02 8:15 p.m.45 views

CVE-2024-53900

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection...

9.1CVSS0.03988EPSS
Exploits3References5
NVD
NVD
added 2024/12/02 4:15 a.m.45 views

CVE-2024-20129

In Telephony, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09289881; Issue ID: MSV-2025...

7.5CVSS0.00298EPSS
Exploits0References1
NVD
NVD
added 2024/11/29 7:15 p.m.45 views

CVE-2024-53864

Ibexa Admin UI Bundle is all the necessary parts to run the Ibexa DXP Back Office interface. The Content name pattern is used to build Content names from one or more fields. An XSS vulnerability has been found in this mechanism. Content edit permission is required to exploit it. After the fix, an...

5.3CVSS0.00511EPSS
Exploits0References4
NVD
NVD
added 2024/11/21 11:15 a.m.45 views

CVE-2024-30896

InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token. InfluxDB OSS 1.x, Enterprise, Cloud, Cloud Dedicated and...

9.1CVSS0.05165EPSS
Exploits3References3
NVD
NVD
added 2024/11/19 5:15 p.m.45 views

CVE-2024-50552

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in jasonpancake Hover Video Preview hover-video-preview allows Stored XSS.This issue affects Hover Video Preview: from n/a through = 1.0.2...

6.5CVSS0.00341EPSS
Exploits0References1
NVD
NVD
added 2024/11/19 11:15 a.m.45 views

CVE-2024-11036

The The GamiPress – The 1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via gamipressgetuserearnings AJAX action in all versions up to, and including, 7.1.5. This is due to the software allowing...

9.8CVSS0.00712EPSS
Exploits0References5
Total number of security vulnerabilities5000