Search

Search Results (363701 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-12326 2 Shawon100, Shawonruet 2 Ruet Oj, Ruet Oj 2025-11-04 7.3 High
A vulnerability was found in shawon100 RUET OJ up to 18fa45b0a669fa1098a0b8fc629cf6856369d9a5. This vulnerability affects unknown code of the file /process.php of the component POST Request Handler. The manipulation of the argument un results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-12327 2 Shawon100, Shawonruet 2 Ruet Oj, Ruet Oj 2025-11-04 6.3 Medium
A vulnerability was determined in shawon100 RUET OJ up to 18fa45b0a669fa1098a0b8fc629cf6856369d9a5. This issue affects some unknown processing of the file /description.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-62801 2 Fastmcp, Jlowin 2 Fastmcp, Fastmcp 2025-11-04 7.8 High
FastMCP is the standard framework for building MCP applications. Versions prior to 2.13.0, a command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. This vulnerability is fixed in 2.13.0.
CVE-2025-62782 2 Inventorygui, Phoenix616 2 Inventorygui, Inventorygui 2025-11-04 5.3 Medium
InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.3-SNAPSHOT and earlier contain a vulnerability where GUIs using GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.4-SNAPSHOT.
CVE-2025-64101 1 Zitadel 1 Zitadel 2025-11-04 8.1 High
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account. It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
CVE-2025-64102 1 Zitadel 1 Zitadel 2025-11-04 9.8 Critical
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
CVE-2025-64103 1 Zitadel 1 Zitadel 2025-11-04 9.8 Critical
Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
CVE-2024-55568 2 Samsung, Samsung Mobile 44 Exynos 1080, Exynos 1080 Firmware, Exynos 1280 and 41 more 2025-11-04 7.5 High
An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. The absence of a NULL check leads to a Denial of Service when an attacker sends malformed MM packets to the target.
CVE-2025-26781 1 Samsung 39 Exynos 1080, Exynos 1080 Firmware, Exynos 1280 and 36 more 2025-11-04 7.5 High
An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 9110, W920, W930, Modem 5123, and Modem 5300. Incorrect handling of RLC AM PDUs leads to a Denial of Service.
CVE-2025-53701 2 Vilar, Vimicro 3 Vs-ipc1002, Vs-ipc1002, Vs-ipc1002 Firmware 2025-11-04 6.1 Medium
Vilar VS-IPC1002 IP cameras are vulnerable to Reflected XSS (Cross-site Scripting) attacks, because parameters in GET requests sent to /cgi-bin/action endpoint are not sanitized properly, making it possible to target logged in admin users. The vendor did not respond in any way. Only version 1.1.0.18 was tested, other versions might be vulnerable as well.
CVE-2025-53702 2 Vilar, Vimicro 3 Vs-ipc1002, Vs-ipc1002, Vs-ipc1002 Firmware 2025-11-04 6.5 Medium
Vilar VS-IPC1002 IP cameras are vulnerable to DoS (Denial-of-Service) attacks. An unauthenticated attacker on the same local network might send a crafted request to /cgi-bin/action endpoint and render the device completely unresponsive. A manual restart of the device is required.  The vendor did not respond in any way. Only version 1.1.0.18 was tested, other versions might be vulnerable as well.
CVE-2023-45721 1 Hcltech 1 Domino Leap 2025-11-04 5.3 Medium
Insufficient default configuration in HCL Leap allows anonymous access to directory information.
CVE-2024-30115 1 Hcltech 1 Domino Leap 2025-11-04 6.3 Medium
Insufficient sanitization policy in HCL Leap allows client-side script injection in the deployed application through the HTML widget.
CVE-2021-40524 1 Pureftpd 1 Pure-ftpd 2025-11-04 7.5 High
In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.)
CVE-2025-8734 1 Gnu 1 Bison 2025-11-04 3.3 Low
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: Additional analysis indicates that the files referenced in the stack trace do not exist in Bison.
CVE-2025-8733 1 Gnu 1 Bison 2025-11-04 3.3 Low
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: Additional analysis indicates that the files referenced in the stack trace do not exist in Bison.
CVE-2025-12200 1 Dnsmasq 1 Dnsmasq 2025-11-03 3.3 Low
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: Based on the analysis by MITRE and review of community feedback, the reported conditions represent expected and intentional behavior within dnsmasq's documented design, rather than security vulnerabilities.
CVE-2025-12199 1 Dnsmasq 1 Dnsmasq 2025-11-03 3.3 Low
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: Based on the analysis by MITRE and review of community feedback, the reported conditions represent expected and intentional behavior within dnsmasq's documented design, rather than security vulnerabilities.
CVE-2025-12198 1 Dnsmasq 1 Dnsmasq 2025-11-03 7.8 High
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: Based on the analysis by MITRE and review of community feedback, the reported conditions represent expected and intentional behavior within dnsmasq's documented design, rather than security vulnerabilities.
CVE-2024-9401 2 Mozilla, Redhat 9 Firefox, Firefox Esr, Thunderbird and 6 more 2025-11-03 9.8 Critical
Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.