Export limit exceeded: 12077 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (12077 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-66202 2 Astro, Withastro 2 Astro, Astro 2025-12-10 6.5 Medium
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8.
CVE-2025-66507 3 1panel, Fit2cloud, Linux 3 1panel, 1panel, Linux 2025-12-10 7.5 High
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections can be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO). This issue is fixed in version 2.0.14.
CVE-2025-64497 1 Enalean 1 Tuleap 2025-12-10 6.5 Medium
Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition.
CVE-2025-36102 1 Ibm 2 Cognos Controller, Controller 2025-12-10 2.7 Low
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow a privileged user to bypass validation, passing user input into the application as trusted data, due to client-side enforcement of server-side security.
CVE-2024-32632 1 Asrmicro 26 Asr1602, Asr1602 Firmware, Asr1603 and 23 more 2025-12-10 6.6 Medium
A value in ATCMD will be misinterpreted by printf, causing incorrect output and possibly out-of-bounds memory access
CVE-2024-38092 1 Microsoft 1 Azure Cyclecloud 2025-12-09 8.8 High
Azure CycleCloud Elevation of Privilege Vulnerability
CVE-2025-66551 1 Nextcloud 1 Tables 2025-12-09 6.3 Medium
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victims table. This vulnerability is fixed in 0.8.6 and 0.9.3.
CVE-2025-66513 1 Nextcloud 1 Tables 2025-12-09 4.3 Medium
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information which table (numeric ID) is shared with which groups or users and the respective permissions was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1.
CVE-2025-66553 1 Nextcloud 1 Tables 2025-12-09 4.3 Medium
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4.
CVE-2025-66556 1 Nextcloud 1 Talk 2025-12-09 3.5 Low
Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.
CVE-2025-66558 1 Nextcloud 2 Two-factor Webauthn, Twofactor Webauthn 2025-12-09 3.1 Low
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.
CVE-2025-66546 1 Nextcloud 1 Calendar 2025-12-09 3.3 Low
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a squential ID without known the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.
CVE-2025-66547 1 Nextcloud 4 Nextcloud, Nextcloud Enterprise Server, Nextcloud Server and 1 more 2025-12-09 4.3 Medium
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.
CVE-2025-54612 1 Huawei 1 Harmonyos 2025-12-08 5.9 Medium
Iterator failure vulnerability in the card management module. Impact: Successful exploitation of this vulnerability may affect function stability.
CVE-2025-54613 1 Huawei 1 Harmonyos 2025-12-08 5.9 Medium
Iterator failure vulnerability in the card management module. Impact: Successful exploitation of this vulnerability may affect function stability.
CVE-2025-54621 1 Huawei 1 Harmonyos 2025-12-08 5.3 Medium
Iterator failure issue in the WantAgent module. Impact: Successful exploitation of this vulnerability may cause memory release failures.
CVE-2024-50395 1 Qnap 1 Media Streaming Add-on 2025-12-08 8.8 High
An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow local network attackers to gain privilege. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later
CVE-2025-63784 1 Onlook 1 Onlook 2025-12-08 6.5 Medium
An Open Redirect vulnerability exists in the OAuth callback handler in file onlook/apps/web/client/src/app/auth/callback/route.ts in Onlook web application 0.2.32. The vulnerability occurs because the application trusts the X-Forwarded-Host header value without proper validation when constructing a redirect URL. A remote attacker can send a manipulated X-Forwarded-Host header to redirect an authenticated user to an arbitrary external website under their control, which can be exploited for phishing attacks.
CVE-2025-64116 2 Leepeuker, Movary 2 Movary, Movary 2025-12-08 6.1 Medium
Movary is a web application to track, rate and explore your movie watch history. Prior to 0.69.0, the login page accepts a redirect parameter without validation, allowing attackers to redirect authenticated users to arbitrary external sites. This vulnerability is fixed in 0.69.0.
CVE-2025-64115 2 Leepeuker, Movary 2 Movary, Movary 2025-12-08 6.1 Medium
Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0.