Search

Search Results (366276 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-59016 1 Typo3 1 Typo3 2025-09-10 4.3 Medium
Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend users to disclose full file paths via failed low-level file-system operations.
CVE-2025-59015 1 Typo3 1 Typo3 2025-09-10 6.5 Medium
A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy, allowing attackers to carry out brute‑force attacks more quickly.
CVE-2025-59014 1 Typo3 1 Typo3 2025-09-10 2.7 Low
An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface by saving manipulated data in the bookmark toolbar.
CVE-2025-59013 1 Typo3 1 Typo3 2025-09-10 6.1 Medium
An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated, sanitized URL.
CVE-2025-9682 1 Zoneland 1 O2oa 2025-09-10 3.5 Low
A vulnerability has been found in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_cms_assemble_control/jaxrs/design/appdict of the component Personal Profile Page. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."
CVE-2025-10219 2025-09-10 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2025-9683 1 Zoneland 1 O2oa 2025-09-10 3.5 Low
A vulnerability was found in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_cms_assemble_control/jaxrs/form of the component Personal Profile Page. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."
CVE-2025-9694 1 Campcodes 1 Advanced Online Voting System 2025-09-10 7.3 High
A vulnerability was determined in Campcodes Advanced Online Voting System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/login.php. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2025-9695 2 Galleryvault, Google 2 Gallery Vault, Android 2025-09-10 5.3 Medium
A vulnerability was identified in GalleryVault Gallery Vault App up to 4.5.2 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.thinkyeah.galleryvault. The manipulation leads to improper export of android application components. The attack can only be performed from a local environment. The exploit is publicly available and might be used.
CVE-2025-56630 1 Foxcms 1 Foxcms 2025-09-09 7.3 High
FoxCMS v1.2.5 and before is vulnerable to SQL Injection via the column_model parameter in the app/admin/controller/Column.php file.
CVE-2025-50586 1 Daycloud 1 Studentmanage 2025-09-09 6.5 Medium
StudentManage v1.0 was discovered to contain Cross-Site Request Forgery (CSRF).
CVE-2025-50585 1 Daycloud 1 Studentmanage 2025-09-09 8.8 High
StudentManage v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/adminStudentUrl.
CVE-2025-50584 1 Daycloud 1 Studentmanage 2025-09-09 4.8 Medium
StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Teacher module.
CVE-2025-50582 1 Daycloud 1 Studentmanage 2025-09-09 4.8 Medium
StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Course module.
CVE-2025-50583 1 Daycloud 1 Studentmanage 2025-09-09 4.8 Medium
StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Student module.
CVE-2025-9577 1 Totolink 2 X2000r, X2000r Firmware 2025-09-09 2.5 Low
A security flaw has been discovered in TOTOLINK X2000R up to 2.0.0. The affected element is an unknown function of the file /etc/shadow.sample of the component Administrative Interface. The manipulation results in use of default credentials. Attacking locally is a requirement. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been released to the public and may be exploited.
CVE-2025-9576 1 Seeedstudio 2 Linkit Smart 7688, Linkit Smart 7688 Firmware 2025-09-09 2.5 Low
A vulnerability was identified in seeedstudio ReSpeaker LinkIt7688. Impacted is an unknown function of the file /etc/shadow of the component Administrative Interface. The manipulation leads to use of default credentials. An attack has to be approached locally. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-55409 1 Foxcms 1 Foxcms 2025-09-09 8.8 High
FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. This allows attackers to execute arbitrary code.
CVE-2024-53499 2 Huayi-tec, Jeewms 2 Jeewms, Jeewms 2025-09-09 9.8 Critical
Jeewms v3.7 was discovered to contain a SQL injection vulnerability via the CgReportController API.
CVE-2025-55420 1 Foxcms 1 Foxcms 2025-09-09 8.8 High
A Reflected Cross Site Scripting (XSS) vulnerability was found in /index.php in FoxCMS v1.2.6. When a crafted script is sent via a GET request, it is reflected unsanitized into the HTML response. This permits execution of arbitrary JavaScript code when a logged-in user submits the malicious input.