Export limit exceeded: 365319 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (365319 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-23689 | 1 Clickhouse | 1 Java Libraries | 2025-11-29 | 8.8 High |
| Exposure of sensitive information in exceptions in ClichHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message. | ||||
| CVE-2024-23688 | 1 Consensys | 1 Discovery | 2025-11-29 | 5.3 Medium |
| Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed. | ||||
| CVE-2024-23687 | 1 Openlibraryfoundation | 1 Mod-data-export-spring | 2025-11-29 | 9.1 Critical |
| Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines. | ||||
| CVE-2024-23686 | 1 Owasp | 1 Dependency-check | 2025-11-29 | 5.3 Medium |
| DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file. | ||||
| CVE-2024-23685 | 1 Openlibraryfoundation | 1 Mod-remote-storage | 2025-11-29 | 5.3 Medium |
| Hard-coded credentials in mod-remote-storage versions under 1.7.2 and from 2.0.0 to 2.0.3 allows unauthorized users to gain read access to mod-inventory-storage records including instances, holdings, items, contributor-types, and identifier-types. | ||||
| CVE-2024-23684 | 1 Peteroupc | 1 Cbor | 2025-11-29 | 7.5 High |
| Inefficient algorithmic complexity in DecodeFromBytes function in com.upokecenter.cbor Java implementation of Concise Binary Object Representation (CBOR) versions 4.0.0 to 4.5.1 allows an attacker to cause a denial of service by passing a maliciously crafted input. Depending on an application's use of this library, this may be a remote attacker. | ||||
| CVE-2024-23680 | 1 Amazon | 1 Aws Encryption Sdk | 2025-11-29 | 5.3 Medium |
| AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures. | ||||
| CVE-2024-23679 | 1 Enonic | 1 Xp | 2025-11-29 | 9.8 Critical |
| Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes. | ||||
| CVE-2024-22051 | 2 Github, Gjtorikian | 2 Cmark-gfm, Commonmarker | 2025-11-29 | 9.8 Critical |
| CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can result in possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker rows that contain more than UINT16_MAX columns. | ||||
| CVE-2024-22050 | 1 Boazsegev | 1 Iodine | 2025-11-29 | 7.5 High |
| Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs. | ||||
| CVE-2024-22048 | 1 Gov.uk | 1 Govuk Tech Docs | 2025-11-29 | 6.1 Medium |
| govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page. | ||||
| CVE-2025-34028 | 3 Commvault, Linux, Microsoft | 3 Commvault, Linux Kernel, Windows | 2025-11-29 | 10.0 Critical |
| The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438. | ||||
| CVE-2025-3248 | 1 Langflow | 1 Langflow | 2025-11-29 | 9.8 Critical |
| Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. | ||||
| CVE-2024-9440 | 2 Brian Voelker, Slimselectjs | 2 Slim Select, Slim Select | 2025-11-29 | 5.4 Medium |
| Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to an innerHTML without sanitation. Software that depends on this library to dynamically generate lists using unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker executed JavaScript. At this time, no patch is available. | ||||
| CVE-2024-22047 | 2 Collectiveidea, Redhat | 2 Audited, Satellite | 2025-11-28 | 3.1 Low |
| A race condition exists in Audited 4.0.0 to 5.3.3 that can result in an authenticated user to cause audit log entries to be attributed to another user. | ||||
| CVE-2024-21909 | 1 Peteroupc | 1 Cbor | 2025-11-28 | 7.5 High |
| PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a denial of service vulnerability. An attacker may trigger the denial of service condition by providing crafted data to the DecodeFromBytes or other decoding mechanisms in PeterO.Cbor. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition. | ||||
| CVE-2024-21907 | 1 Newtonsoft | 1 Json.net | 2025-11-28 | 7.5 High |
| Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition. | ||||
| CVE-2024-0758 | 1 Ipb-halle | 1 Molecularfaces | 2025-11-28 | 6.1 Medium |
| MolecularFaces before 0.3.0 is vulnerable to cross site scripting. A remote attacker can execute arbitrary JavaScript in the context of a victim browser via crafted molfiles. | ||||
| CVE-2024-13979 | 1 St. Joe Erp System Project | 1 St. Joe Erp System | 2025-11-28 | 9.8 Critical |
| A SQL injection vulnerability exists in the St. Joe ERP system ("圣乔ERP系统") that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, enabling direct manipulation of the backend database. Successful exploitation may result in unauthorized data access, modification of records, or limited disruption of service. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-04-14 UTC. | ||||
| CVE-2023-7308 | 1 Nsfocusglobal | 2 Secgate3600, Secgate3600 Firmware | 2025-11-28 | 7.5 High |
| SecGate3600, a network firewall product developed by NSFOCUS, contains a sensitive information disclosure vulnerability in the /cgi-bin/authUser/authManageSet.cgi endpoint. The affected component fails to enforce authentication checks on POST requests to retrieve user data. An unauthenticated remote attacker can exploit this flaw to obtain sensitive information, including user identifiers and configuration details, by sending crafted requests to the vulnerable endpoint. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-18 UTC. | ||||