Search

Search Results (363654 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-10319 1 Jeecg 2 Jeecg Boot, Jeecgboot 2025-12-31 4.3 Medium
A security flaw has been discovered in JeecgBoot up to 3.8.2. Affected by this issue is some unknown functionality of the file /sys/tenant/exportLog of the component Tenant Log Export. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-10318 1 Jeecg 2 Jeecg Boot, Jeecgboot 2025-12-31 6.3 Medium
A vulnerability was identified in JeecgBoot up to 3.8.2. Affected by this vulnerability is an unknown functionality of the file /api/system/sendWebSocketMsg of the component WebSocket Message Handler. The manipulation of the argument userIds leads to improper authorization. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-4362 1 Admerc 1 Gym Management System 2025-12-31 7.3 High
A vulnerability classified as critical was found in itsourcecode Gym Management System 1.0. This vulnerability affects unknown code of the file /ajax.php?action=save_membership. The manipulation of the argument member_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-14706 2 Sgwbox, Shiguangwu 3 N3, N3 Firmware, Sgwbox N3 2025-12-31 9.8 Critical
A vulnerability was identified in Shiguangwu sgwbox N3 2.0.25. This impacts an unknown function of the file /usr/sbin/http_eshell_server of the component NETREBOOT Interface. Such manipulation leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-56130 1 Ruijie 4 Rg-nbs5100-24gt4sfp, Rg-nbs5100-24gt4sfp Firmware, Rg-s1930 and 1 more 2025-12-31 8.8 High
OS Command Injection vulnerability in Ruijie RG-S1930 S1930SWITCH_3.0(1)B11P230 allowing attackers to execute arbitrary commands via a crafted POST request to the module_update in file /usr/local/lua/dev_config/ace_sw.lua.
CVE-2024-22770 1 Hitron 2 Hvr-16781, Hvr-16781 Firmware 2025-12-31 7.4 High
Improper Input Validation in Hitron Systems DVR HVR-16781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
CVE-2024-22768 1 Hitron 2 Hvr-4781, Hvr-4781 Firmware 2025-12-31 7.4 High
Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
CVE-2024-22772 2 Hitron, Hitronsystems 3 Lguvr-8h, Lguvr-8h Firmware, Dvr Lguvr-8h 2025-12-31 7.4 High
Improper Input Validation in Hitron Systems DVR LGUVR-8H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
CVE-2024-22769 1 Hitron 2 Hvr-8781, Hvr-8781 Firmware 2025-12-31 7.4 High
Improper Input Validation in Hitron Systems DVR HVR-8781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
CVE-2024-22771 2 Hitron, Hitronsystems 3 Lguvr-4h, Lguvr-4h Firmware, Dvr Lguvr-4h Firmware 2025-12-31 7.4 High
Improper Input Validation in Hitron Systems DVR LGUVR-4H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
CVE-2024-23842 1 Hitron 2 Lguvr-16h, Lguvr-16h Firmware 2025-12-31 7.4 High
Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW.
CVE-2024-33453 1 Espressif 1 Esp-idf 2025-12-31 8.1 High
Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote attacker to obtain sensitive information via the externalId component.
CVE-2024-33454 1 Espressif 1 Esp-idf 2025-12-31 6.5 Medium
Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the Bluetooth stack component.
CVE-2024-48809 2 Onosproject, Opennetworking 3 Sdran-in-a-box, Onos-a1t, Sdran-in-a-box 2025-12-31 7.5 High
An issue in Open Networking Foundations sdran-in-a-box v.1.4.3 and onos-a1t v.0.2.3 allows a remote attacker to cause a denial of service via the onos-a1t component of the sdran-in-a-box, specifically the DeleteWatcher function.
CVE-2024-48246 1 Janobe 1 Vehicle Management System 2025-12-31 5.4 Medium
Vehicle Management System 1.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the "Name" parameter of /vehicle-management/booking.php.
CVE-2025-14284 1 Tiptap 2 Tiptap, Tiptap\/extension-link 2025-12-31 6.1 Medium
Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered either by user interaction.
CVE-2024-53866 1 Pnpm 1 Pnpm 2025-12-31 9.8 Critical
The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B. Users generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it). Here, that expectation is broken. Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs. Version 9.15.0 fixes the issue. As a work-around, use separate cache and store dirs in each workspace.
CVE-2025-64052 1 Fanvil 3 X210, X210 Firmware, X210 V2 2025-12-31 5.1 Medium
An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to execute arbitrary system commands.
CVE-2024-30146 1 Hcltech 1 Domino Leap 2025-12-31 4.1 Medium
Improper access control of endpoint in HCL Domino Leap allows certain admin users to import applications from the server's filesystem.
CVE-2025-25298 1 Strapi 1 Strapi 2025-12-31 5.3 Medium
Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 bytes are silently truncated. A user can create an account with a password exceeding 72 bytes and later authenticate with only the first 72 bytes. This reduces the effective entropy of overlong passwords and may mislead users who believe characters beyond 72 bytes are required, creating a low likelihood of unintended authentication if an attacker can obtain or guess the truncated portion. Long over‑length inputs can also impose unnecessary processing overhead. The issue is fixed in version 5.10.3. No known workarounds exist.