Search

Search Results (363701 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-53377 1 Wegia 1 Wegia 2025-07-10 6.1 Medium
WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the cadastro_dependente_pessoa_nova.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_funcionario parameter. This vulnerability is fixed in 3.4.3.
CVE-2025-29331 1 Mhsanaei 1 3x-ui 2025-07-10 9.8 Critical
An issue in MHSanaei 3x-ui before v.2.5.3 and before allows a remote attacker to execute arbitrary code via the management script x-ui passes the no check certificate option to wget when downloading updates
CVE-2025-52995 1 Filebrowser 1 Filebrowser 2025-07-10 8.1 High
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-level, this could give an attacker access to all files managed the application, including the File Browser database. This issue has been patched in version 2.33.10.
CVE-2025-53004 1 Dataease 1 Dataease 2025-07-10 9.8 Critical
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, there is a bypass vulnerability in Dataease's Redshift Data Source JDBC Connection Parameters. The sslfactory and sslfactoryarg parameters could trigger a bypass vulnerability. This issue has been patched in version 2.10.11.
CVE-2024-42760 1 Ellevo 1 Ellevo 2025-07-10 7.5 High
SQL Injection vulnerability in Ellevo v.6.2.0.38160 allows a remote attacker to obtain sensitive information via the /api/mob/instrucao/conta/destinatarios component.
CVE-2024-39924 2 Dani-garcia, Vaultwarden 2 Vaultwarden, Vaultwarden 2025-07-10 8.8 High
An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A vulnerability has been identified in the authentication and authorization process of the endpoint responsible for altering the metadata of an emergency access. It permits an attacker with granted emergency access to escalate their privileges by changing the access level and modifying the wait time. Consequently, the attacker can gain full control over the vault (when only intended to have read access) while bypassing the necessary wait period.
CVE-2024-39925 2 Dani-garcia, Vaultwarden 2 Vaultwarden, Vaultwarden 2025-07-10 6.5 Medium
An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. It lacks an offboarding process for members who leave an organization. As a result, the shared organization key is not rotated when a member departs. Consequently, the departing member, whose access should be revoked, retains a copy of the organization key. Additionally, the application fails to adequately protect some encrypted data stored on the server. Consequently, an authenticated user could gain unauthorized access to encrypted data of any organization, even if the user is not a member of the targeted organization. However, the user would need to know the corresponding organizationId. Hence, if a user (whose access to an organization has been revoked) already possesses the organization key, that user could use the key to decrypt the leaked data.
CVE-2024-39926 2 Dani-garcia, Vaultwarden 2 Vaultwarden, Vaultwarden 2025-07-10 5.4 Medium
An issue was discovered in Vaultwarden (formerly Bitwarden_RS) 1.30.3. A stored cross-site scripting (XSS) or, due to the default CSP, HTML injection vulnerability has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator's browser when viewing the injected content. However, it is important to note that the default Content Security Policy (CSP) of the application blocks most exploitation paths, significantly mitigating the potential impact.
CVE-2024-42404 2 Collne, Welcart 2 Welcart, Welcart E-commerce 2025-07-10 8.8 High
SQL injection vulnerability in Welcart e-Commerce prior to 2.11.2 allows an attacker who can login to the product to obtain or alter the information stored in the database.
CVE-2024-45366 1 Welcart 1 Welcart E-commerce 2025-07-10 6.1 Medium
Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser.
CVE-2023-49203 1 Technitium 2 Dns Server, Dnsserver 2025-07-10 7.5 High
Technitium 11.5.3 allows remote attackers to cause a denial of service (bandwidth amplification) because the DNSBomb manipulation causes accumulation of low-rate DNS queries such that there is a large-sized response in a burst of traffic.
CVE-2025-21008 1 Samsung 1 Android 2025-07-10 5.5 Medium
Out-of-bounds read in decoding frame header in libsavsvc.so prior to Android 15 allows local attackers to cause memory corruption.
CVE-2025-21009 1 Samsung 1 Android 2025-07-10 5.5 Medium
Out-of-bounds read in decoding malformed frame header in libsavsvc.so prior to Android 15 allows local attackers to cause memory corruption.
CVE-2024-39134 2 Gdraheim, Zziplib 2 Zziplib, Zziplib 2025-07-10 7.5 High
A Stack Buffer Overflow vulnerability in zziplibv 0.13.77 allows attackers to cause a denial of service via the __zzip_fetch_disk_trailer() function at /zzip/zip.c.
CVE-2024-27905 2 Apache, Apache Software Foundation 2 Aurora, Apache Aurora 2025-07-10 9.1 Critical
** UNSUPPORTED WHEN ASSIGNED ** Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora. An endpoint exposing internals to unauthenticated users can be used as a "padding oracle" allowing an anonymous attacker to construct a valid authentication cookie. Potentially this could be combined with vulnerabilities in other components to achieve remote code execution. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-48916 1 Joshfabean 1 Bookable Calendar 2025-07-10 6.5 Medium
Missing Authorization vulnerability in Drupal Bookable Calendar allows Forceful Browsing.This issue affects Bookable Calendar: from 0.0.0 before 2.2.13.
CVE-2025-45988 1 B-link 18 Bl-ac1900, Bl-ac1900 Firmware, Bl-ac2100 Az3 and 15 more 2025-07-10 9.8 Critical
Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain multiple command injection vulnerabilities via the cmd parameter in the bs_SetCmd function.
CVE-2025-45987 1 B-link 14 Bl-ac2100 Az3, Bl-ac2100 Az3 Firmware, Bl-f1200 At1 and 11 more 2025-07-10 9.8 Critical
Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain multiple command injection vulnerabilities via the dns1 and dns2 parameters in the bs_SetDNSInfo function.
CVE-2025-45985 1 B-link 16 Bl-ac2100 Az3, Bl-ac2100 Az3 Firmware, Bl-f1200 At1 and 13 more 2025-07-10 9.8 Critical
Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain a command injection vulnerability via the bs_SetSSIDHide function.
CVE-2025-45984 1 B-link 18 Bl-ac1900, Bl-ac1900 Firmware, Bl-ac2100 Az3 and 15 more 2025-07-10 9.8 Critical
Blink routers BL-WR9000 V2.4.9, BL-AC1900 V1.0.2, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 V1.0.5, BL-LTE300 V1.2.3, BL-F1200_AT1 V1.0.0, BL-X26_AC8 V1.2.8, BLAC450M_AE4 V4.0.0 and BL-X26_DA3 V1.2.7 were discovered to contain a command injection vulnerability via the routepwd parameter in the sub_45B238 function.