Export limit exceeded: 46120 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 364878 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364878 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-54850 | 1 Socomec | 2 Diris M-70, Diris M-70 Firmware | 2025-12-05 | 7.5 High |
| A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.An attacker can trigger this denial-of-service condition by sending a sequence of Modbus RTU over TCP messages to port 503 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change. After this configuration change, the device will be in a denial-of-service state. | ||||
| CVE-2025-55123 | 2 Revive, Revive-adserver | 2 Adserver, Revive Adserver | 2025-12-05 | 5.4 Medium |
| Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes manager accounts to be able to craft XSS attacks to their own advertiser users. | ||||
| CVE-2017-1000237 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 9.8 Critical |
| I, Librarian version <=4.6 & 4.7 is vulnerable to Server-Side Request Forgery in the ajaxsupplement.php resulting in the attacker being able to reset any user's password. | ||||
| CVE-2017-1000236 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 6.1 Medium |
| I, Librarian version <=4.6 & 4.7 is vulnerable to Reflected Cross-Site Scripting in the temp.php resulting in an attacker being able to inject malicious client side scripting which will be executed in the browser of users if they visit the manipulated site. | ||||
| CVE-2017-1000235 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 9.8 Critical |
| I, Librarian version <=4.6 & 4.7 is vulnerable to OS Command Injection in batchimport.php resulting the web server being fully compromised. | ||||
| CVE-2017-1000234 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 5.3 Medium |
| I, Librarian version <=4.6 & 4.7 is vulnerable to Directory Enumeration in the jqueryFileTree.php resulting in attacker enumerating directories simply by navigating through the "dir" parameter | ||||
| CVE-2023-3021 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository mkucej/i-librarian-free prior to 5.10.4. | ||||
| CVE-2024-40500 | 2 I-librarian, Scilico | 2 I-librarian, I\, Librarian | 2025-12-05 | 8.8 High |
| Cross Site Scripting vulnerability in Martin Kucej i-librarian v.5.11.0 and before allows a local attacker to execute arbitrary code via the search function in the import component. | ||||
| CVE-2025-63681 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2025-12-05 | 4.3 Medium |
| open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks. | ||||
| CVE-2018-1000141 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 9.1 Critical |
| I, Librarian version 4.9 and earlier contains an Incorrect Access Control vulnerability in ajaxdiscussion.php that can result in any users gaining unauthorized access (read, write and delete) to project discussions. | ||||
| CVE-2018-1000139 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 6.1 Medium |
| I, Librarian version 4.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in "id" parameter in stable.php that can result in an attacker using the XSS to send a malicious script to an unsuspecting user. | ||||
| CVE-2018-1000138 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 9.1 Critical |
| I, Librarian version 4.8 and earlier contains a SSRF vulnerability in "url" parameter of getFromWeb in functions.php that can result in the attacker abusing functionality on the server to read or update internal resources. | ||||
| CVE-2018-1000137 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 8.8 High |
| I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge. | ||||
| CVE-2018-1000124 | 1 Scilico | 1 I\, Librarian | 2025-12-05 | 10.0 Critical |
| I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of importmetadata.php(simplexml_load_string) that can result in an attacker reading the contents of a file and SSRF. This attack appear to be exploitable via posting xml in the Parameter form_import_textarea. | ||||
| CVE-2012-3842 | 1 Directadmin | 1 Directadmin | 2025-12-05 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in CMD_DOMAIN in JBMC Software DirectAdmin 1.403 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via the (1) select0 or (2) select8 parameters. | ||||
| CVE-2025-21080 | 2 Google, Samsung | 4 Android, Android, Dynamic Lockscreen and 1 more | 2025-12-05 | 6.2 Medium |
| Improper export of android application components in Dynamic Lockscreen prior to SMR Dec-2025 Release 1 allows local attackers to access files with Dynamic Lockscreen's privilege. | ||||
| CVE-2025-4523 | 2 Themeatelier, Wordpress | 2 Idonate, Wordpress | 2025-12-05 | 6.5 Medium |
| The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the admin_donor_profile_view() function in versions 2.0.0 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose an administrator’s username, email address, and all donor fields. | ||||
| CVE-2024-2873 | 1 Wolfssh | 1 Wolfssh | 2025-12-05 | 9.1 Critical |
| A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access. | ||||
| CVE-2024-29042 | 2 Francisco, Franciscop | 2 Translate, Translate | 2025-12-05 | 5.3 Medium |
| Translate is a package that allows users to convert text to different languages on Node.js and the browser. Prior to version 3.0.0, an attacker controlling the second variable of the `translate` function is able to perform a cache poisoning attack. They can change the outcome of translation requests made by subsequent users. The `opt.id` parameter allows the overwriting of the cache key. If an attacker sets the `id` variable to the cache key that would be generated by another user, they can choose the response that user gets served. Version 3.0.0 fixes this issue. | ||||
| CVE-2024-28861 | 1 Friendsofsymfony1 | 1 Symfony1 | 2025-12-05 | 9.8 Critical |
| Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangerous deserialization in `sfNamespacedParameterHolder` class that would enable an attacker to get remote code execution if a developer deserializes user input in their project. Version 1.5.19 contains a patch for the issue. | ||||