Export limit exceeded: 365319 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (365319 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-23689 1 Clickhouse 1 Java Libraries 2025-11-29 8.8 High
Exposure of sensitive information in exceptions in ClichHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.
CVE-2024-23688 1 Consensys 1 Discovery 2025-11-29 5.3 Medium
Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed.
CVE-2024-23687 1 Openlibraryfoundation 1 Mod-data-export-spring 2025-11-29 9.1 Critical
Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.
CVE-2024-23686 1 Owasp 1 Dependency-check 2025-11-29 5.3 Medium
DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file.
CVE-2024-23685 1 Openlibraryfoundation 1 Mod-remote-storage 2025-11-29 5.3 Medium
Hard-coded credentials in mod-remote-storage versions under 1.7.2 and from 2.0.0 to 2.0.3 allows unauthorized users to gain read access to mod-inventory-storage records including instances, holdings, items, contributor-types, and identifier-types.
CVE-2024-23684 1 Peteroupc 1 Cbor 2025-11-29 7.5 High
Inefficient algorithmic complexity in DecodeFromBytes function in com.upokecenter.cbor Java implementation of Concise Binary Object Representation (CBOR) versions 4.0.0 to 4.5.1 allows an attacker to cause a denial of service by passing a maliciously crafted input. Depending on an application's use of this library, this may be a remote attacker.
CVE-2024-23680 1 Amazon 1 Aws Encryption Sdk 2025-11-29 5.3 Medium
AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures.
CVE-2024-23679 1 Enonic 1 Xp 2025-11-29 9.8 Critical
Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.
CVE-2024-22051 2 Github, Gjtorikian 2 Cmark-gfm, Commonmarker 2025-11-29 9.8 Critical
CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can result in possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker rows that contain more than UINT16_MAX columns.
CVE-2024-22050 1 Boazsegev 1 Iodine 2025-11-29 7.5 High
Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs.
CVE-2024-22048 1 Gov.uk 1 Govuk Tech Docs 2025-11-29 6.1 Medium
govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page.
CVE-2025-34028 3 Commvault, Linux, Microsoft 3 Commvault, Linux Kernel, Windows 2025-11-29 10.0 Critical
The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.
CVE-2025-3248 1 Langflow 1 Langflow 2025-11-29 9.8 Critical
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
CVE-2024-9440 2 Brian Voelker, Slimselectjs 2 Slim Select, Slim Select 2025-11-29 5.4 Medium
Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to an innerHTML without sanitation. Software that depends on this library to dynamically generate lists using unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker executed JavaScript. At this time, no patch is available.
CVE-2024-22047 2 Collectiveidea, Redhat 2 Audited, Satellite 2025-11-28 3.1 Low
A race condition exists in Audited 4.0.0 to 5.3.3 that can result in an authenticated user to cause audit log entries to be attributed to another user.
CVE-2024-21909 1 Peteroupc 1 Cbor 2025-11-28 7.5 High
PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a denial of service vulnerability. An attacker may trigger the denial of service condition by providing crafted data to the DecodeFromBytes or other decoding mechanisms in PeterO.Cbor. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.
CVE-2024-21907 1 Newtonsoft 1 Json.net 2025-11-28 7.5 High
Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.
CVE-2024-0758 1 Ipb-halle 1 Molecularfaces 2025-11-28 6.1 Medium
MolecularFaces before 0.3.0 is vulnerable to cross site scripting. A remote attacker can execute arbitrary JavaScript in the context of a victim browser via crafted molfiles.
CVE-2024-13979 1 St. Joe Erp System Project 1 St. Joe Erp System 2025-11-28 9.8 Critical
A SQL injection vulnerability exists in the St. Joe ERP system ("圣乔ERP系统") that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, enabling direct manipulation of the backend database. Successful exploitation may result in unauthorized data access, modification of records, or limited disruption of service. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-04-14 UTC.
CVE-2023-7308 1 Nsfocusglobal 2 Secgate3600, Secgate3600 Firmware 2025-11-28 7.5 High
SecGate3600, a network firewall product developed by NSFOCUS, contains a sensitive information disclosure vulnerability in the /cgi-bin/authUser/authManageSet.cgi endpoint. The affected component fails to enforce authentication checks on POST requests to retrieve user data. An unauthenticated remote attacker can exploit this flaw to obtain sensitive information, including user identifiers and configuration details, by sending crafted requests to the vulnerable endpoint. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-18 UTC.