Search

Search Results (364785 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-13046 1 Viewlead 1 Bacteriology Laboratory Reporting System 2025-12-01 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2025-34076 1 Microweber 1 Microweber 2025-11-29 7.2 High
An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.
CVE-2025-34045 1 Weiphp 1 Weiphp 2025-11-29 7.5 High
A path traversal vulnerability exists in WeiPHP 5.0, an open source WeChat public account platform development framework by Shenzhen Yuanmengyun Technology Co., Ltd. The flaw occurs in the picUrl parameter of the /public/index.php/material/Material/_download_imgage endpoint, where insufficient input validation allows unauthenticated remote attackers to perform directory traversal via crafted POST requests. This enables arbitrary file read on the server, potentially exposing sensitive information such as configuration files and source code. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
CVE-2024-39936 2 Qt, Redhat 7 Qt, Enterprise Linux, Rhel Aus and 4 more 2025-11-29 8.6 High
An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
CVE-2024-23689 1 Clickhouse 1 Java Libraries 2025-11-29 8.8 High
Exposure of sensitive information in exceptions in ClichHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.
CVE-2024-23688 1 Consensys 1 Discovery 2025-11-29 5.3 Medium
Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed.
CVE-2024-23687 1 Openlibraryfoundation 1 Mod-data-export-spring 2025-11-29 9.1 Critical
Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.
CVE-2024-23686 1 Owasp 1 Dependency-check 2025-11-29 5.3 Medium
DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file.
CVE-2024-23685 1 Openlibraryfoundation 1 Mod-remote-storage 2025-11-29 5.3 Medium
Hard-coded credentials in mod-remote-storage versions under 1.7.2 and from 2.0.0 to 2.0.3 allows unauthorized users to gain read access to mod-inventory-storage records including instances, holdings, items, contributor-types, and identifier-types.
CVE-2024-23684 1 Peteroupc 1 Cbor 2025-11-29 7.5 High
Inefficient algorithmic complexity in DecodeFromBytes function in com.upokecenter.cbor Java implementation of Concise Binary Object Representation (CBOR) versions 4.0.0 to 4.5.1 allows an attacker to cause a denial of service by passing a maliciously crafted input. Depending on an application's use of this library, this may be a remote attacker.
CVE-2024-23680 1 Amazon 1 Aws Encryption Sdk 2025-11-29 5.3 Medium
AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures.
CVE-2024-23679 1 Enonic 1 Xp 2025-11-29 9.8 Critical
Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.
CVE-2024-22051 2 Github, Gjtorikian 2 Cmark-gfm, Commonmarker 2025-11-29 9.8 Critical
CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can result in possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker rows that contain more than UINT16_MAX columns.
CVE-2024-22050 1 Boazsegev 1 Iodine 2025-11-29 7.5 High
Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs.
CVE-2024-22048 1 Gov.uk 1 Govuk Tech Docs 2025-11-29 6.1 Medium
govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page.
CVE-2025-34028 3 Commvault, Linux, Microsoft 3 Commvault, Linux Kernel, Windows 2025-11-29 10.0 Critical
The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.
CVE-2025-3248 1 Langflow 1 Langflow 2025-11-29 9.8 Critical
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
CVE-2024-9440 2 Brian Voelker, Slimselectjs 2 Slim Select, Slim Select 2025-11-29 5.4 Medium
Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to an innerHTML without sanitation. Software that depends on this library to dynamically generate lists using unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker executed JavaScript. At this time, no patch is available.
CVE-2024-22047 2 Collectiveidea, Redhat 2 Audited, Satellite 2025-11-28 3.1 Low
A race condition exists in Audited 4.0.0 to 5.3.3 that can result in an authenticated user to cause audit log entries to be attributed to another user.
CVE-2024-21909 1 Peteroupc 1 Cbor 2025-11-28 7.5 High
PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a denial of service vulnerability. An attacker may trigger the denial of service condition by providing crafted data to the DecodeFromBytes or other decoding mechanisms in PeterO.Cbor. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.