Export limit exceeded: 363677 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363677 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-0890 1 Zyxel 28 Sbg3300-n000, Sbg3300-n000 Firmware, Sbg3300-nb00 and 25 more 2025-12-15 9.8 Critical
**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so.
CVE-2025-0377 1 Hashicorp 1 Go-slug 2025-12-15 7.5 High
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.
CVE-2025-0502 4 Apple, Craftercms, Linux and 1 more 4 Macos, Craftercms, Linux Kernel and 1 more 2025-12-15 9.1 Critical
Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.
CVE-2024-56705 2 Debian, Linux 2 Debian Linux, Linux Kernel 2025-12-15 5.5 Medium
In the Linux kernel, the following vulnerability has been resolved: media: atomisp: Add check for rgby_data memory allocation failure In ia_css_3a_statistics_allocate(), there is no check on the allocation result of the rgby_data memory. If rgby_data is not successfully allocated, it may trigger the assert(host_stats->rgby_data) assertion in ia_css_s3a_hmem_decode(). Adding a check to fix this potential issue.
CVE-2025-59803 3 Apple, Foxit, Microsoft 4 Macos, Pdf Editor, Pdf Reader and 1 more 2025-12-15 5.3 Medium
Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via triggers. An attacker can embed triggers (e.g., JavaScript) in a PDF document that execute during the signing process. When a signer reviews the document, the content appears normal. However, once the signature is applied, the triggers modify content on other pages or optional content layers without explicit warning. This can cause the signed PDF to differ from what the signer saw, undermining the trustworthiness of the digital signature. The fixed versions are 2025.2.1, 14.0.1, and 13.2.1.
CVE-2025-65287 2 Cdpenergy, Voltronicpower 3 Snmp Web Pro, Snmp Web Pro Firmware, Snmp Web Pro 2025-12-15 7.5 High
An unauthenticated directory traversal vulnerability in cgi-bin/upload.cgi in SNMP Web Pro 1.1 allows a remote attacker to read arbitrary files. The CGI concatenates the user-supplied params directly onto the base path (/var/www/files/userScript/) using memcpy + strcat without validation or canonicalization, enabling ../ sequences to escape the intended directory. The download branch also echoes the unsanitized params into Content-Disposition, introducing header-injection risk.
CVE-2025-4967 1 Esri 1 Portal For Arcgis 2025-12-15 9.1 Critical
Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal’s SSRF protections.
CVE-2025-43738 1 Liferay 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more 2025-12-15 5.4 Medium
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter.
CVE-2025-67740 1 Jetbrains 1 Teamcity 2025-12-15 2.7 Low
In JetBrains TeamCity before 2025.11 improper access control could expose GitHub App token's metadata
CVE-2025-43737 1 Liferay 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more 2025-12-15 5.4 Medium
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through 2025.Q1.15 allows a remote authenticated user to inject JavaScript code via _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter.
CVE-2025-67741 1 Jetbrains 1 Teamcity 2025-12-15 4.8 Medium
In JetBrains TeamCity before 2025.11 stored XSS was possible via session attribute
CVE-2025-67742 1 Jetbrains 1 Teamcity 2025-12-15 3.8 Low
In JetBrains TeamCity before 2025.11 path traversal was possible via file upload
CVE-2025-43745 1 Liferay 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more 2025-12-15 6.5 Medium
A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote attackers to performs cross-origin request on behalf of the authenticated user via the endpoint parameter.
CVE-2025-43743 1 Liferay 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more 2025-12-15 4.3 Medium
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, given an attacker the possibility to send phishing to these users.
CVE-2025-43744 1 Liferay 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more 2025-12-15 5.4 Medium
A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 exists in the Asset Publisher configuration UI within the Source.js module. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels which are then inserted into the DOM using innerHTML without proper encoding.
CVE-2024-43187 1 Ibm 2 Security Verify Access, Security Verify Access Docker 2025-12-15 5.9 Medium
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CVE-2024-45657 1 Ibm 2 Security Verify Access, Security Verify Access Docker 2025-12-15 5 Medium
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.
CVE-2024-45659 1 Ibm 2 Security Verify Access, Security Verify Access Docker 2025-12-15 5.3 Medium
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.
CVE-2024-40700 1 Ibm 2 Security Verify Access, Security Verify Access Docker 2025-12-15 6.1 Medium
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2025-56129 1 Ruijie 2 Rg-bcr860, Rg-bcr860 Firmware 2025-12-15 8.8 High
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_diagnosis in file /usr/lib/lua/luci/controller/admin/diagnosis.lua.