Search

Search Results (364428 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-41734 2 Metz-connect, Metz Connect 7 Ewio2-bm, Ewio2-bm Firmware, Ewio2-m and 4 more 2025-11-21 9.8 Critical
An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.
CVE-2025-41733 2 Metz-connect, Metz Connect 7 Ewio2-bm, Ewio2-bm Firmware, Ewio2-m and 4 more 2025-11-21 9.8 Critical
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
CVE-2024-10203 1 Zohocorp 1 Manageengine Endpoint Central 2025-11-21 7 High
Zohocorp ManageEngine EndPoint Central versions 11.3.2416.21 and below, 11.3.2428.9 and below are vulnerable to Arbitrary File Deletion in the agent installed machines.
CVE-2025-30360 1 Webpack.js 1 Webpack-dev-server 2025-11-21 6.5 Medium
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when you access a malicious web site with non-Chromium based browser. The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening, which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. This allows websites that are served on IP addresses to connect WebSocket. An attacker can obtain source code via a method similar to that used to exploit CVE-2018-14732. Version 5.2.1 contains a patch for the issue.
CVE-2025-65220 1 Tenda 2 Ac21, Ac21 Firmware 2025-11-21 4.3 Medium
Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow in: /goform/SetVirtualServerCfg via the list parameter.
CVE-2025-65221 1 Tenda 2 Ac21, Ac21 Firmware 2025-11-21 4.3 Medium
Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the list parameter of /goform/setPptpUserList.
CVE-2025-65222 1 Tenda 2 Ac21, Ac21 Firmware 2025-11-21 4.3 Medium
Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the rebootTime parameter of /goform/SetSysAutoRebbotCfg.
CVE-2025-65223 1 Tenda 2 Ac21, Ac21 Firmware 2025-11-21 4.3 Medium
Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the urls parameter of /goform/saveParentControlInfo.
CVE-2025-65226 1 Tenda 2 Ac21, Ac21 Firmware 2025-11-21 4.3 Medium
Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the deviceId parameter in /goform/saveParentControlInfo.
CVE-2023-30800 1 Mikrotik 1 Routeros 2025-11-21 7.5 High
The web server used by MikroTik RouterOS version 6 is affected by a heap memory corruption issue. A remote and unauthenticated attacker can corrupt the server's heap memory by sending a crafted HTTP request. As a result, the web interface crashes and is immediately restarted. The issue was fixed in RouterOS 6.49.10 stable. RouterOS version 7 is not affected.
CVE-2023-30799 1 Mikrotik 1 Routeros 2025-11-21 9.1 Critical
MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue. A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system.
CVE-2023-30797 1 Netflix 1 Lemur 2025-11-21 7.5 High
Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.
CVE-2025-64327 2 Matiasdesuu, Thinkdashboard Project 2 Thinkdashboard, Thinkdashboard 2025-11-21 5.3 Medium
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery (SSRF) vulnerability, in its `/api/ping?url= endpoint`. This allows an attacker to make arbitrary requests to internal or external hosts. This can include discovering ports open on the local machine, hosts on the local network, and ports open on the hosts on the internal network. This issue is fixed in version 0.6.8.
CVE-2025-64176 2 Matiasdesuu, Thinkdashboard Project 2 Thinkdashboard, Thinkdashboard 2025-11-21 5.3 Medium
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip file to bypass the client-side file-type verification. This could lead to stored XSS, or be used for other nefarious purposes such as malware distribution. This issue is fixed in version 0.6.8.
CVE-2025-64177 2 Matiasdesuu, Thinkdashboard Project 2 Thinkdashboard, Thinkdashboard 2025-11-21 5.4 Medium
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting (XSS) vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme filtering. This is fixed in version 0.6.8.
CVE-2025-63543 2 Nooncarlett, Techstore 2 Techstore, Techstore 2025-11-21 6.1 Medium
TechStore 1.0 is vulnerable to Cross Site Scripting (XSS) in the /search_results endpoint via the q parameter.
CVE-2025-63544 2 Nooncarlett, Techstore 2 Techstore, Techstore 2025-11-21 6.1 Medium
TechStore 1.0 is vulnerable to Cross Site Scripting (XSS) in /order_notes via the id parameter.
CVE-2023-30801 1 Qbittorrent 1 Qbittorrent 2025-11-21 9.8 Critical
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
CVE-2023-30798 1 Encode 1 Starlette 2025-11-21 7.5 High
There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
CVE-2025-64683 1 Jetbrains 1 Hub 2025-11-21 5.3 Medium
In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API