Search

Search Results (366787 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-7100 2 Boyun, Boyuncms Project 2 Boyuncms, Boyuncms 2025-09-15 6.3 Medium
A vulnerability was found in BoyunCMS up to 1.4.20 and classified as critical. Affected by this issue is some unknown functionality of the file /application/user/controller/Index.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-7101 2 Boyun, Boyuncms Project 2 Boyuncms, Boyuncms 2025-09-15 6.3 Medium
A vulnerability was found in BoyunCMS up to 1.4.20. It has been classified as critical. This affects an unknown part of the file /install/install_ok.php of the component Configuration File Handler. The manipulation of the argument db_pass leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-7102 2 Boyun, Boyuncms Project 2 Boyuncms, Boyuncms 2025-09-15 6.3 Medium
A vulnerability was found in BoyunCMS up to 1.4.20. It has been declared as critical. This vulnerability affects unknown code of the file application/update/controller/Server.php. The manipulation of the argument phone leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-7103 2 Boyun, Boyuncms Project 2 Boyuncms, Boyuncms 2025-09-15 6.3 Medium
A vulnerability was found in BoyunCMS up to 1.4.20. It has been rated as critical. This issue affects some unknown processing of the file /application/pay/controller/Index.php of the component curl. The manipulation leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-22188 1 Typo3 1 Typo3 2025-09-15 7.2 High
TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1.
CVE-2024-27355 2 Debian, Phpseclib 2 Debian Linux, Phpseclib 2025-09-15 7.5 High
An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID).
CVE-2025-25223 1 Luxsoft 1 Luxcal Web Calendar 2025-09-15 5.3 Medium
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
CVE-2024-24323 1 Linlinjava 1 Litemall 2025-09-15 7.2 High
SQL injection vulnerability in linlinjava litemall v.1.8.0 allows a remote attacker to obtain sensitive information via the nickname, consignee, orderSN, orderStatusArray parameters of the AdminOrdercontroller.java component.
CVE-2025-25224 1 Luxsoft 1 Luxcal Web Calendar 2025-09-15 7.5 High
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
CVE-2024-32474 2 Getsentry, Sentry 2 Sentry, Sentry 2025-09-15 7.3 High
Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser. Self-hosted users on affected versions should upgrade to 24.4.1 or later. Users can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or more.
CVE-2024-22905 1 Arm 2 Mbed-os, Mbed Os 2025-09-15 7 High
Buffer Overflow vulnerability in ARM mbed-os v.6.17.0 allows a remote attacker to execute arbitrary code via a crafted script to the hciTrSerialRxIncoming function.
CVE-2024-22807 1 Tormach 2 Pathpilot Controller, Xstech Cnc Router 2025-09-15 6.5 Medium
An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to erase a critical sector of the flash memory, causing the machine to lose network connectivity and suffer from firmware corruption.
CVE-2024-22808 1 Tormach 3 Pathpilot Controller, Pilotpath Controller, Xstech Cnc Router 2025-09-15 7.5 High
An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to cause a Denial of Service (DoS) by disrupting the communication between the PathPilot controller and the CNC router via overwriting the card's name in the device memory.
CVE-2024-22809 1 Tormach 3 Pathpilot Controller, Pilotpath Controller, Xstech Cnc Router 2025-09-15 6.5 Medium
Incorrect access control in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to access the G code's shared folder and view sensitive information.
CVE-2024-22811 1 Tormach 3 Pathpilot Controller, Pilotpath Controller, Xstech Cnc Router 2025-09-15 8.2 High
An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to cause a Denial of Service (DoS) by disrupting the communication between the PathPilot controller and the CNC router via overwriting the Hostmot2 configuration cookie in the device memory.
CVE-2024-22813 1 Tormach 3 Pathpilot Controller, Pilotpath Controller, Xstech Cnc Router 2025-09-15 4.4 Medium
An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to overwrite the hardcoded IP address in the device memory, disrupting network connectivity between the router and the controller.
CVE-2024-22815 1 Tormach 3 Pathpilot Controller, Pilotpath Controller, Xstech Cnc Router 2025-09-15 5.3 Medium
An issue in the communication protocol of Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to cause a Denial of Service (DoS) via crafted commands.
CVE-2024-29376 1 Sylius 1 Sylius 2025-09-15 6.4 Medium
Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book.
CVE-2025-52485 1 Dnnsoftware 1 Dotnetnuke 2025-09-15 5.4 Medium
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request to inject scripts in the Activity Feed Attachments endpoint which will then render in the feed. This issue has been patched in version 10.0.1.
CVE-2025-52486 1 Dnnsoftware 2 Dnn Platform, Dotnetnuke 2025-09-15 6.1 Medium
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows specially crafted content in URLs to be used with TokenReplace and not be properly sanitized by some SkinObjects. This issue has been patched in version 10.0.1.