Search

Search Results (363856 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-40605 1 Sonicwall 11 Email Security, Email Security Appliance 5000, Email Security Appliance 5000 Firmware and 8 more 2025-12-12 5.3 Medium
A Path Traversal vulnerability has been identified in the Email Security appliance allows an attacker to manipulate file system paths by injecting crafted directory-traversal sequences (such as ../) and may access files and directories outside the intended restricted path.
CVE-2025-60794 1 Perfood 1 Couchauth 2025-12-12 6.5 Medium
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.
CVE-2025-60737 1 Ilevia 2 Eve X1 Server, Eve X1 Server Firmware 2025-12-12 6.1 Medium
Cross Site Scripting vulnerability in Ilevia EVE X1 Server Firmware Version<= 4.7.18.0.eden:Logic Version<=6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /index.php component
CVE-2025-52410 1 Vishalmathur 1 Institute-of-current-students 2025-12-12 9.8 Critical
Institute-of-Current-Students v1.0 contains a time-based blind SQL injection vulnerability in the mydetailsstudent.php endpoint. The `myds` GET parameter is not adequately sanitized before being used in SQL queries.
CVE-2025-43802 1 Liferay 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more 2025-12-12 6.1 Medium
Stored cross-site scripting (XSS) vulnerability in a custom object’s /o/c/<object-name> API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 update 51 through update 92, and 7.3 update 33 through update 35. allows remote attackers to inject arbitrary web script or HTML via the externalReferenceCode parameter.
CVE-2025-36054 1 Ibm 2 Business Automation Workflow, Process Federation Server 2025-12-12 6.1 Medium
IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process Federation Server 24.0.0 through 24.0.1 and 25.0.0 are vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2025-64335 1 Oisf 1 Suricata 2025-12-12 7.5 High
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.
CVE-2025-33150 1 Ibm 2 Cognos Analytics, Cognos Analytics Certified Containers 2025-12-12 5.3 Medium
IBM Cognos Analytics Certified Containers 12.1.0 could disclose package parameter information due to the presence of hidden pages.
CVE-2025-60783 2 Rajvi-patel-22, Restaurant Management System 2 Restaurant-management-system-dbms-project, Restaurant Management System 2025-12-12 6.5 Medium
There is a SQL injection vulnerability in Restaurant Management System DBMS Project v1.0 via login.php. The vulnerability allows attackers to manipulate the application's database through specially crafted SQL query strings.
CVE-2025-65271 1 Azuriom 1 Azuriom 2025-12-12 8.8 High
Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7.
CVE-2025-61075 1 Adata 2 Mitarbeiter Portal, Mitarbeiterportal 2025-12-12 8.1 High
Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls.
CVE-2025-65288 2 Mercury, Mercurycom 3 Mr816v2, Mr816, Mr816 Firmware 2025-12-12 6.5 Medium
A buffer overflow in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) occurs when the device accepts and stores excessively long hostnames from LAN hosts without proper length validation. The affected code performs unchecked copies/concatenations into fixed-size buffers. A crafted long hostname can overflow the buffer, cause a crash (DoS) and potentially enabling remote code execution.
CVE-2025-65289 2 Mercury, Mercurycom 3 Mr816v2, Mr816, Mr816 Firmware 2025-12-12 6.1 Medium
A stored Cross site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router's management UI by submitting a malicious hostname. The injected script is stored and later executed in the context of an administrator's browser (for example after DHCP release/renew triggers the interface to display the stored hostname). Because the management interface uses weak/basic authentication and does not properly protect or isolate session material, the XSS can be used to exfiltrate the admin session and perform administrative actions.
CVE-2025-63848 1 Swi-prolog 2 Swi-prolog, Swish 2025-12-12 6.1 Medium
Stored cross site scripting (xss) vulnerability in SWISH prolog thru 2.2.0 allowing attackers to execute arbitrary code via crafted web IDE notebook.
CVE-2024-9453 2 Jenkins, Redhat 3 Jenkins, Ocp Tools, Openshift Developer Tools And Services 2025-12-12 6.5 Medium
A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the environment if they have access to sensitive information.
CVE-2025-62605 1 Joinmastodon 1 Mastodon 2025-12-12 4.3 Medium
Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon version 4.4, support for verifiable quote posts with quote controls was added, but it is possible for an attacker to bypass these controls in Mastodon versions prior to 4.4.8 and 4.5.0-beta.2. Mastodon internally treats reblogs as statuses. Since they were not special-treated, an attacker could reblog any post, then quote their reblog, technically quoting themselves, but having the quote feature a preview of the post they did not get authorization for with all of the affordances that would be otherwise denied by the quote controls. This issue has been patched in versions 4.4.8 and 4.5.0-beta.2.
CVE-2025-65502 1 Cesanta 1 Mongoose 2025-12-12 4.3 Medium
Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL.
CVE-2025-13372 1 Djangoproject 1 Django 2025-12-12 4.3 Medium
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
CVE-2025-65897 2 Zdh Web Project, Zhaoyachao 2 Zdh Web, Zdh Web 2025-12-12 8.8 High
zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web thru 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution.
CVE-2025-65878 1 Yeqifu 1 Warehouse Management System 2025-12-12 7.5 High
The warehouse management system version 1.2 contains an arbitrary file read vulnerability. The endpoint `/file/showImageByPath` does not sanitize user-controlled path parameters. An attacker could exploit directory traversal to read arbitrary files on the server's file system. This could lead to the leakage of sensitive system information.