Search Results (363331 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-40490 1 Prasathmani 1 Tiny File Manager 2025-12-31 4.8 Medium
Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file.
CVE-2022-40916 1 Prasathmani 1 Tiny File Manager 2025-12-31 9.8 Critical
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
CVE-2022-45475 1 Prasathmani 1 Tiny File Manager 2025-12-31 6.5 Medium
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control.
CVE-2022-45476 1 Prasathmani 1 Tiny File Manager 2025-12-31 9.8 Critical
Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload.
CVE-2025-46268 1 Advantech 2 Webaccess/scada, Webaccess\/scada 2025-12-31 6.3 Medium
Advantech WebAccess/SCADA  is vulnerable to SQL injection, which may allow an attacker to execute arbitrary SQL commands.
CVE-2025-15138 1 Prasathmani 1 Tiny File Manager 2025-12-31 4.7 Medium
A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-63948 2 Craigtaub, Phpmsadmin 2 Phpmsadmin, Phpmsadmin 2025-12-31 5.4 Medium
A SQL Injection vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary SQL commands via the dbname parameter, potentially leading to information disclosure or database manipulation.
CVE-2025-63949 1 Yohanawi 1 Hotel Management System 2025-12-31 6.1 Medium
A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' parameter in pages/room.php.
CVE-2025-63950 1 Tomaszdunia 1 Twittodon 2025-12-31 7.5 High
An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b (2023-02-28). The 'obj' parameter receives base64-encoded data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, leading to a denial of service.
CVE-2025-63951 2 Miczflor, Sourcefabric 2 Rpi-jukebox-rfid, Phoniebox 2025-12-31 7.5 High
An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 (2025-10-07). The 'rss' GET parameter receives data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, causing the application to process them and leading to errors or a denial of service.
CVE-2025-67653 1 Advantech 2 Webaccess/scada, Webaccess\/scada 2025-12-31 4.3 Medium
Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to determine the existence of arbitrary files.
CVE-2025-15106 2 Getmaxun, Maxun 2 Maxun, Maxun 2025-12-31 6.3 Medium
A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-15105 2 Getmaxun, Maxun 2 Maxun, Maxun 2025-12-31 3.7 Low
A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-15092 1 Utt 2 512w, 512w Firmware 2025-12-31 8.8 High
A vulnerability was identified in UTT 进取 512W up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/ConfigExceptMSN. Such manipulation of the argument remark leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVE-2025-15091 1 Utt 2 512w, 512w Firmware 2025-12-31 8.8 High
A vulnerability was determined in UTT 进取 512W up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/formPictureUrl. This manipulation of the argument importpictureurl causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2025-15090 1 Utt 2 512w, 512w Firmware 2025-12-31 8.8 High
A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.
CVE-2025-13767 1 Mattermost 2 Mattermost, Mattermost Server 2025-12-31 4.3 Medium
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.
CVE-2025-15089 1 Utt 2 512w, 512w Firmware 2025-12-31 8.8 High
A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. This affects the function strcpy of the file /goform/APSecurity. The manipulation of the argument wepkey1 leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-64641 1 Mattermost 2 Mattermost, Mattermost Server 2025-12-31 4.1 Medium
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts
CVE-2024-35322 1 Airc 1 Mynet 2025-12-31 6.1 Medium
MyNET up to v26.08 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the ficheiro parameter.