Export limit exceeded: 364910 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364910 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66540 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66539 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66538 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66537 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-66536 | 2025-12-05 | N/A | ||
| Not used | ||||
| CVE-2025-9553 | 2 Api Key Manager Project, Drupal | 3 Api Key Manager, Api Key Manager, Drupal | 2025-12-05 | 5.3 Medium |
| Vulnerability in Drupal API Key manager.This issue affects API Key manager: *.*. | ||||
| CVE-2025-9554 | 2 Drupal, Owl Carousel 2 Project | 2 Drupal, Owl Carousel 2 | 2025-12-05 | 5.3 Medium |
| Vulnerability in Drupal Owl Carousel 2.This issue affects Owl Carousel 2: *.*. | ||||
| CVE-2025-59048 | 1 Openbao | 2 Aws Plugin, Openbao | 2025-12-05 | 8.1 High |
| OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is vulnerable to cross-account IAM role Impersonation in the AWS auth method. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access. This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts. This vulnerability has been patched in version 0.1.1 of the auth-aws plugin. A workaround for this issue involves guaranteeing that IAM role names are unique across all AWS accounts that could potentially interact with your OpenBao environment, and to audit for any duplicate IAM roles. | ||||
| CVE-2025-11154 | 2 Themeatelier, Wordpress | 2 Idonate, Wordpress | 2025-12-05 | 5.4 Medium |
| The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users. | ||||
| CVE-2025-5114 | 1 Easycorp | 1 Zentao | 2025-12-05 | 6.3 Medium |
| A vulnerability has been found in easysoft zentaopms 21.5_20250307 and classified as critical. This vulnerability affects the function Edit of the file /index.php?m=editor&f=edit&filePath=cGhhcjovLy9ldGMvcGFzc3dk&action=edit of the component Committer. The manipulation of the argument filePath leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-48057 | 1 Icinga | 1 Icinga | 2025-12-05 | 9.8 Critical |
| Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate() function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious certificate request that is then treated as a renewal of an already existing certificate, resulting in the attacker obtaining a valid certificate that can be used to impersonate trusted nodes. This only occurs when Icinga 2 is built with OpenSSL older than version 1.1.0. This issue has been patched in versions 2.12.12, 2.13.12, and 2.14.6. | ||||
| CVE-2023-26226 | 1 Yandex | 1 Yandex Browser | 2025-12-05 | 9.8 Critical |
| A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682 | ||||
| CVE-2025-20994 | 1 Samsung | 1 Internet | 2025-12-04 | 4.5 Medium |
| Improper handling of insufficient permission in SyncClientProvider in Samsung Internet installed on non-Samsung Device prior to version 28.0.0.59 allows local attackers to access read and write arbitrary files. | ||||
| CVE-2025-20995 | 1 Samsung | 1 Internet | 2025-12-04 | 4.9 Medium |
| Improper handling of insufficient permission in ClientProvider in Samsung Internet installed on non-Samsung Device prior to version 28.0.0.59 allows local attackers to read and write arbitrary files. | ||||
| CVE-2025-10552 | 2 3ds, Dassault | 2 3dswymer, 3dswymer | 2025-12-04 | 8.7 High |
| A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | ||||
| CVE-2025-10558 | 2 3ds, Dassault | 2 3dswymer, 3dswymer | 2025-12-04 | 8.7 High |
| A stored Cross-site Scripting (XSS) vulnerability affecting 3DSearch in 3DSwymer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in user's browser session. | ||||
| CVE-2025-64187 | 1 Octoprint | 1 Octoprint | 2025-12-04 | 4.4 Medium |
| OctoPrint provides a web interface for controlling consumer 3D printers. Versions 1.11.3 and below are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notifications and prompts popups generated by the printer. An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance. This issue is fixed in version 1.11.4. | ||||
| CVE-2025-64326 | 1 Weblate | 1 Weblate | 2025-12-04 | 2.6 Low |
| Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1. | ||||
| CVE-2025-59836 | 1 Siderolabs | 1 Omni | 2025-12-04 | 5.3 Medium |
| Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, there is a nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of service by sending empty create/update resource requests through the API endpoints. The vulnerability exists in the isSensitiveSpec function which calls grpcomni.CreateResource without checking if the resource's metadata field is nil. When a resource is created with an empty Metadata field, the CreateResource function attempts to access resource.Metadata.Version causing a segmentation fault. This vulnerability is fixed in 1.1.5 and 1.0.2. | ||||
| CVE-2025-61688 | 1 Siderolabs | 1 Omni | 2025-12-04 | 8.6 High |
| Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to 1.1.5 and 1.0.2, Omni might leak sensitive information via an API. | ||||