Export limit exceeded: 366908 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 366908 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (366908 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1038 | 1 Hitachienergy | 1 Tropos | 2026-04-15 | N/A |
| The “Diagnostics Tools” page of the web-based configuration utility does not properly validate user-controlled input, allowing an authenticated user with high privileges to inject commands into the command shell of the TropOS 4th Gen device. The injected commands can be exploited to execute several set-uid (SUID) applications to ultimately gain root access to the TropOS device. | ||||
| CVE-2025-10385 | 1 Mercury | 1 Km08-708h Giga Wifi Wave2 | 2026-04-15 | 8.8 High |
| A vulnerability has been found in Mercury KM08-708H GiGA WiFi Wave2 1.1. Affected by this issue is the function sub_450B2C of the file /goform/mcr_setSysAdm. The manipulation of the argument ChgUserId leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-10386 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability was found in Yida ECMS Consulting Enterprise Management System 1.0. This affects an unknown part of the file /login.do of the component POST Request Handler. The manipulation of the argument requestUrl results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10388 | 1 Selleo | 1 Mentingo | 2026-04-15 | 3.5 Low |
| A vulnerability was identified in Selleo Mentingo 2025.08.27. This issue affects some unknown processing of the file /api/course/enroll-course of the component Create New Course Basic Settings. Such manipulation of the argument Description leads to cross site scripting. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10393 | 1 Morphic Project | 1 Morphic | 2026-04-15 | 6.3 Medium |
| A flaw has been found in miurla morphic up to 0.4.5. This impacts the function fetchHtml of the file /api/advanced-search of the component HTTP Status Code 3xx Handler. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used. | ||||
| CVE-2025-10392 | 1 Mercury | 1 Km08-708h Giga Wifi Wave2 | 2026-04-15 | 9.8 Critical |
| A vulnerability was detected in Mercury KM08-708H GiGA WiFi Wave2 1.1.14. This affects an unknown function of the component HTTP Header Handler. The manipulation of the argument Host results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. | ||||
| CVE-2025-10399 | 1 Korzh | 1 Easyquery | 2026-04-15 | 6.3 Medium |
| A weakness has been identified in Korzh EasyQuery up to 7.4.0. This issue affects some unknown processing of the file /api/easyquery/models/nwind/fetch of the component Query Builder UI. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-9190 | 2 Apple, Cursor | 2 Macos, Cursor | 2026-04-15 | N/A |
| The configuration of Cursor on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Cursor TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to previously granted permissions by the user. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Cursor, potentially disguising attacker's malicious intent. This issue was detected in 15.4.1 version of Cursor. Project maintainers decided not to fix this issue, because a scenario including a local attacker falls outside their defined threat model. | ||||
| CVE-2025-10412 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2026-04-15 | 9.8 Critical |
| The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.55. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-10433 | 2 1panel, Maxkb | 2 1panel, Maxkb | 2026-04-15 | 6.3 Medium |
| A vulnerability was determined in 1Panel-dev MaxKB up to 2.0.2/2.1.0. This issue affects some unknown processing of the file /admin/api/workspace/default/tool/debug. Executing manipulation of the argument code can lead to deserialization. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.1 is capable of addressing this issue. It is suggested to upgrade the affected component. | ||||
| CVE-2025-10434 | 1 Ibuyu | 1 Ibuyucms | 2026-04-15 | 2.4 Low |
| A vulnerability was identified in IbuyuCMS up to 2.6.3. Impacted is an unknown function of the file /admin/article.php?a=mod of the component Add Article Page. The manipulation of the argument Title leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | ||||
| CVE-2025-10440 | 2 D-link, Dlink | 6 Di-8003g, Di-8100, Di-8100g and 3 more | 2026-04-15 | 6.3 Medium |
| A vulnerability has been found in D-Link DI-8100, DI-8100G, DI-8200, DI-8200G, DI-8003 and DI-8003G 16.07.26A1/17.12.20A1/19.12.10A1. Affected by this vulnerability is the function sub_4621DC of the file usb_paswd.asp of the component jhttpd. The manipulation of the argument hname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-10441 | 1 D-link | 3 Di-8003g, Di-8100g, Di-8200g | 2026-04-15 | 6.3 Medium |
| A vulnerability was found in D-Link DI-8100G, DI-8200G and DI-8003G 17.12.20A1/19.12.10A1. Affected by this issue is the function sub_433F7C of the file version_upgrade.asp of the component jhttpd. The manipulation of the argument path results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. | ||||
| CVE-2025-10452 | 1 Gotac | 1 Statistical Database System | 2026-04-15 | 9.8 Critical |
| Statistical Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents with high-level privileges. | ||||
| CVE-2025-10453 | 2026-04-15 | 5.3 Medium | ||
| O'View MapServer developed by PilotGaea Technologies has a Server-Side Request Forgery vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to probe internal network. | ||||
| CVE-2025-10475 | 2026-04-15 | 5.5 Medium | ||
| A weakness has been identified in SpyShelter up to 15.4.0.1015. Affected is an unknown function in the library SpyShelter.sys of the component IOCTL Handler. This manipulation causes denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. Upgrading to version 15.4.0.1028 is able to address this issue. It is advisable to upgrade the affected component. | ||||
| CVE-2025-10485 | 1 Pojoin | 1 H3blog | 2026-04-15 | 4.3 Medium |
| A vulnerability has been found in pojoin h3blog up to 5bf704425ebc11f4c24da51f32f36bb17ae20489. Affected by this issue is the function ppt_log of the file /login of the component HTTP Header Handler. Such manipulation of the argument X-Forwarded-For leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. | ||||
| CVE-2025-9574 | 1 Abb | 2 Als-mini-s4, Als-mini-s8 | 2026-04-15 | 10 Critical |
| Missing Authentication for Critical Function vulnerability in ABB ALS-mini-s4 IP, ABB ALS-mini-s8 IP.This issue affects . All firmware versions with the Serial Number from 2000 to 5166 | ||||
| CVE-2025-10491 | 2 Microsoft, Mongodb | 2 Windows, Mongodb | 2026-04-15 | 7.8 High |
| The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories allowing a local attacker to introduce executable code to MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 version prior to 6.0.25, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5 | ||||
| CVE-2025-10496 | 2 Christophrado, Wordpress | 2 Cookie Notice & Consent, Wordpress | 2026-04-15 | 7.2 High |
| The Cookie Notice & Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uuid parameter in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||