Lucene search
K
NvdMost viewed

364191 matches found

NVD
NVD
added 2025/05/07 8:15 a.m.43 views

CVE-2025-4171

The WZ Followed Posts – Display what visitors are reading plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wfp' shortcode in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...

6.4CVSS0.00203EPSS
Exploits0References2
NVD
NVD
added 2025/05/05 9:15 a.m.43 views

CVE-2025-2905

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity XXE resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: Read sensitive files from the...

9.1CVSS0.01146EPSS
Exploits0References1
NVD
NVD
added 2025/05/02 10:15 p.m.43 views

CVE-2025-21572

OpenGrok 1.13.25 has a reflected Cross-Site Scripting XSS issue when producing the history view page. This happens through improper handling of path segments. The application reflects unsanitized user input into the HTML output...

6.1CVSS0.00202EPSS
Exploits0References1
NVD
NVD
added 2025/05/02 10:15 a.m.43 views

CVE-2025-0072

Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU memory processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Drive...

7.8CVSS0.00354EPSS
Exploits0References1
NVD
NVD
added 2025/04/30 7:15 p.m.43 views

CVE-2025-46331

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 Helm chart = openfga-0.2.28, docker = v.1.8.10 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Th...

9.8CVSS0.00327EPSS
Exploits0References2
NVD
NVD
added 2025/04/25 3:15 p.m.43 views

CVE-2025-46618

In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab...

6.1CVSS0.2515EPSS
Exploits0References1
NVD
NVD
added 2025/04/24 5:15 p.m.43 views

CVE-2025-31324

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availabili...

10CVSS0.99359EPSS
Exploits18References6
NVD
NVD
added 2025/04/22 3:15 a.m.43 views

CVE-2025-1731

An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting...

7.8CVSS0.0093EPSS
Exploits2References2
NVD
NVD
added 2025/04/17 9:15 p.m.43 views

CVE-2025-29449

An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the link identification function...

6.5CVSS0.00338EPSS
Exploits1References1
NVD
NVD
added 2025/04/15 6:15 a.m.43 views

CVE-2024-13207

The Widget for Social Page Feeds WordPress plugin before 6.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setu...

4.8CVSS0.00239EPSS
Exploits1References1
NVD
NVD
added 2025/04/13 6:15 a.m.43 views

CVE-2025-3532

A vulnerability classified as problematic was found in YouDianCMS 9.5.21. This vulnerability affects unknown code of the file /App/Tpl/Member/Default/Order/index.html.Attackers. The manipulation of the argument OrderNumber leads to cross site scripting. The attack can be initiated remotely. The...

6.1CVSS0.00403EPSS
Exploits1References4
NVD
NVD
added 2025/04/10 3:16 p.m.43 views

CVE-2025-32027

Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher...

6.1CVSS0.00215EPSS
Exploits0References2
NVD
NVD
added 2025/03/31 5:15 p.m.43 views

CVE-2025-31116

Mobile Security Framework MobSF is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in validhost uses socket.gethostbyname, which is vulnerable to SSRF abuse using DNS rebinding technique. This...

9.8CVSS0.00446EPSS
Exploits1References2
NVD
NVD
added 2025/03/31 3:15 p.m.43 views

CVE-2025-30095

VyOS 1.3 through 1.5 fixed in 1.4.2 or any Debian-based system using dropbear in combination with live-build has the same Dropbear private host keys across different installations. Thus, an attacker can conduct active man-in-the-middle attacks against SSH connections if Dropbear is enabled as the...

9CVSS0.00483EPSS
Exploits0References5
NVD
NVD
added 2025/03/24 5:15 p.m.43 views

CVE-2025-30208

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it...

7.5CVSS0.74998EPSS
Exploits28References6
NVD
NVD
added 2025/03/22 5:15 p.m.43 views

CVE-2025-2622

A vulnerability was found in aizuda snail-job 1.4.0. It has been classified as critical. Affected is the function getRuntime of the file /snail-job/workflow/check-node-expression of the component Workflow-Task Management Module. The manipulation of the argument nodeExpression leads to...

8.8CVSS0.0065EPSS
Exploits1References5
NVD
NVD
added 2025/03/20 10:15 a.m.43 views

CVE-2024-12886

An Out-Of-Memory OOM vulnerability exists in the ollama server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the ollama server crashing. The vulnerability is present in the makeRequestWithRetry and...

7.5CVSS0.00672EPSS
Exploits2References1
NVD
NVD
added 2025/03/18 3:15 p.m.43 views

CVE-2024-44314

TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the Orders Management System, allowing unauthorized users to update order statuses. The issue occurs in the indexonUpdateStatus function within Orders.php, which fails to verify if the user has permission to modify an order'...

6.5CVSS0.0027EPSS
Exploits0References2
NVD
NVD
added 2025/03/17 2:15 p.m.43 views

CVE-2021-22126

A use of hard-coded password vulnerability in FortiWLC version 8.5.2 and below, version 8.4.8 and below, version 8.3.3 to 8.3.2, version 8.2.7 to 8.2.6 may allow a local, authenticated attacker to connect to the managed Access Point Meru AP and FortiAP-U as root using the default hard-coded...

6.7CVSS0.00156EPSS
Exploits0References1
NVD
NVD
added 2025/03/12 7:15 p.m.43 views

CVE-2025-0117

A reliance on untrusted input for a security decision in the GlobalProtect app on Windows devices potentially enables a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM. GlobalProtect App on macOS, Linux, iOS, Android, Chrome OS and...

7.1CVSS0.0015EPSS
Exploits0References1
NVD
NVD
added 2025/03/12 5:15 p.m.43 views

CVE-2025-27017

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials...

6.9CVSS0.01135EPSS
Exploits0References2
NVD
NVD
added 2025/03/11 5:16 p.m.43 views

CVE-2025-24054

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network...

6.5CVSS0.58974EPSS
Exploits20References7
NVD
NVD
added 2025/03/03 5:15 p.m.43 views

CVE-2025-27498

aes-gcm is a pure Rust implementation of the AES-GCM. In decryptinplacedetached, the decrypted ciphertext which is the correct ciphertext is exposed even if the tag is incorrect. This is because in decryptinplace in asconcore.rs, tag verification causes an error to be returned with the plaintext...

5.6CVSS0.00117EPSS
Exploits0References2
NVD
NVD
added 2025/03/03 5:15 a.m.43 views

CVE-2025-1851

A vulnerability, which was classified as critical, was found in Tenda AC7 up to 15.03.06.44. This affects the function formSetFirewallCfg of the file /goform/SetFirewallCfg. The manipulation of the argument firewallEn leads to stack-based buffer overflow. It is possible to initiate the attack...

9CVSS0.01014EPSS
Exploits0References5
NVD
NVD
added 2025/02/24 4:15 a.m.43 views

CVE-2025-1615

A vulnerability classified as problematic was found in FiberHome AN5506-01A ONU GPON RP2511. Affected by this vulnerability is an unknown functionality of the component NAT Submenu. The manipulation of the argument Description leads to cross site scripting. The attack can be launched remotely. Th...

4.8CVSS0.00561EPSS
Exploits0References3
NVD
NVD
added 2025/02/21 10:15 p.m.43 views

CVE-2025-27109

solid-js is a declarative, efficient, and flexible JavaScript library for building user interfaces. In affected versions Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. This issue has...

7.3CVSS0.00303EPSS
Exploits0References2
NVD
NVD
added 2025/02/21 10:15 p.m.43 views

CVE-2019-8900

A vulnerability in the SecureROM of some Apple devices can be exploited by an unauthenticated local attacker to execute arbitrary code upon booting those devices. This vulnerability allows arbitrary code to be executed on the device. Exploiting the vulnerability requires physical access to the...

6.8CVSS0.67089EPSS
Exploits1References1
NVD
NVD
added 2025/02/19 5:15 a.m.43 views

CVE-2025-1441

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the 'wprfilterwooproducts' function. This makes it possible for unauthenticated attacke...

8.8CVSS0.00204EPSS
Exploits0References3
NVD
NVD
added 2025/02/18 9:15 p.m.43 views

CVE-2025-26605

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A SQL Injection vulnerability was discovered in the WeGIA application, deletarcargo.php endpoint. This vulnerability could allow an authorized attacker to execute arbitrary SQL queries, allowing access...

9.4CVSS0.00456EPSS
Exploits1References1
NVD
NVD
added 2025/02/12 9:15 p.m.43 views

CVE-2025-0110

A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the...

8.6CVSS0.01238EPSS
Exploits0References1
NVD
NVD
added 2025/02/12 12:15 p.m.43 views

CVE-2025-1196

A vulnerability, which was classified as problematic, was found in code-projects Real Estate Property Management System 1.0. Affected is an unknown function of the file /search.php. The manipulation of the argument PropertyName leads to cross site scripting. It is possible to launch the attack...

5.4CVSS0.00344EPSS
Exploits1References5
NVD
NVD
added 2025/02/12 9:15 a.m.43 views

CVE-2025-1188

A vulnerability, which was classified as critical, has been found in Codezips Gym Management System 1.0. Affected by this issue is some unknown functionality of the file /dashboard/admin/updateroutine.php. The manipulation of the argument tid leads to sql injection. The attack may be launched...

9.8CVSS0.00484EPSS
Exploits1References4
NVD
NVD
added 2025/02/07 11:15 p.m.43 views

CVE-2025-24028

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Tex...

9.6CVSS0.00497EPSS
Exploits1References4
NVD
NVD
added 2025/02/04 10:15 p.m.43 views

CVE-2024-53851

Discourse is an open source platform for community discussion. In affected versions the endpoint for generating inline oneboxes for URLs wasn't enforcing limits on the number of URLs that it accepted, allowing a malicious user to inflict denial of service on some parts of the app. This...

6.5CVSS0.00439EPSS
Exploits0References2
NVD
NVD
added 2025/02/04 8:15 p.m.43 views

CVE-2025-24968

reNgine is an automated reconnaissance framework for web applications. An unrestricted project deletion vulnerability allows attackers with specific roles, such as penetrationtester or auditor to delete all projects in the system. This can lead to a complete system takeover by redirecting the...

8.8CVSS0.00604EPSS
Exploits1References1
NVD
NVD
added 2025/02/04 8:15 p.m.43 views

CVE-2025-24963

Vitest is a testing framework powered by Vite. The screenshot-error handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler from remote to get th...

7.5CVSS0.02317EPSS
Exploits0References4
NVD
NVD
added 2025/02/04 8:15 a.m.43 views

CVE-2025-20891

Out-of-bounds read in decoding malformed bitstream of video thumbnails in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to read arbitrary memory. User interaction is required for triggering this vulnerability...

5.5CVSS0.00139EPSS
Exploits0References1
NVD
NVD
added 2025/02/03 5:15 p.m.43 views

CVE-2024-38412

Memory corruption while invoking IOCTL calls from user-space to kernel-space to handle session errors...

7.8CVSS0.00101EPSS
Exploits0References1
NVD
NVD
added 2025/01/29 10:15 p.m.43 views

CVE-2025-0842

A vulnerability was found in needyamin Library Card System 1.0 and classified as critical. This issue affects some unknown processing of the file admin.php of the component Login. The manipulation of the argument email/password leads to sql injection. The attack may be initiated remotely. The...

9.8CVSS0.00607EPSS
Exploits1References4
NVD
NVD
added 2025/01/29 2:15 a.m.43 views

CVE-2025-0800

A vulnerability classified as problematic has been found in SourceCodester Online Courseware 1.0. Affected is an unknown function of the file /pcci/admin/saveeditt.php of the component Edit Teacher. The manipulation of the argument fname leads to cross site scripting. It is possible to launch the...

5.1CVSS0.00411EPSS
Exploits1References4
NVD
NVD
added 2025/01/27 3:15 p.m.43 views

CVE-2025-24628

Authentication Bypass by Spoofing vulnerability in bestwebsoft Google Captcha google-captcha allows Identity Spoofing.This issue affects Google Captcha: from n/a through = 1.78...

5.3CVSS0.00332EPSS
Exploits0References1
NVD
NVD
added 2025/01/22 6:15 p.m.43 views

CVE-2025-23047

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An insecure default Access-Control-Allow-Origin header value could lead to sensitive data exposure for users of Cilium versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4 who...

6.5CVSS0.00481EPSS
Exploits0References2
NVD
NVD
added 2025/01/22 3:15 p.m.43 views

CVE-2025-23942

Unrestricted Upload of File with Dangerous Type vulnerability in ngocuct0912 WP Load Gallery wp-load-gallery allows Upload a Web Shell to a Web Server.This issue affects WP Load Gallery: from n/a through = 2.1.6...

9.1CVSS0.02622EPSS
Exploits1References1
NVD
NVD
added 2025/01/22 8:15 a.m.43 views

CVE-2024-13361

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicgsaveimagemedia function in all versions up to, and including, 1.8.96. This makes it possible for authenticated attackers, with Subscriber-level access and above,...

8.8CVSS0.00309EPSS
Exploits0References2
NVD
NVD
added 2025/01/14 1:15 a.m.43 views

CVE-2025-23033

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Stored Cross-Site Scripting XSS vulnerability was identified in the adicionarsituacao.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts...

6.4CVSS0.00273EPSS
Exploits1References2
NVD
NVD
added 2025/01/08 4:15 p.m.43 views

CVE-2025-22130

Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without...

8.8CVSS0.00654EPSS
Exploits0References3
NVD
NVD
added 2025/01/06 11:15 a.m.43 views

CVE-2024-45555

Memory corruption can occur if an already verified IFS2 image is overwritten, bypassing boot verification. This allows unauthorized programs to be injected into security-sensitive images, enabling the booting of a tampered IFS2 system image...

8.4CVSS0.00142EPSS
Exploits0References1
NVD
NVD
added 2025/01/02 12:15 p.m.43 views

CVE-2023-45104

Missing Authorization vulnerability in WPDeveloper BetterLinks betterlinks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BetterLinks: from n/a through = 1.6.0...

8.8CVSS0.00355EPSS
Exploits0References1
NVD
NVD
added 2024/12/29 7:15 a.m.43 views

CVE-2018-25107

The Crypt::Random::Source package before 0.13 for Perl has a fallback to the built-in rand function, which is not a secure source of random bits...

7.5CVSS0.00414EPSS
Exploits0References2
NVD
NVD
added 2024/12/20 9:15 p.m.43 views

CVE-2024-56335

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwardenrs. In affected versions an attacker is capable of updating or deleting groups from an organization given a few conditions: 1. The attacker has a user account in the server. 2. The attacker's...

7.6CVSS0.00333EPSS
Exploits0References1
Total number of security vulnerabilities5000