Export limit exceeded: 364170 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364170 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-50207 1 Linux 1 Linux Kernel 2025-11-19 5.5 Medium
In the Linux kernel, the following vulnerability has been resolved: ARM: bcm: Fix refcount leak in bcm_kona_smc_init of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak.
CVE-2024-40479 2 Jayesh, Kashipara 2 Online Exam System, Online Exam System 2025-11-19 8.1 High
A SQL injection vulnerability in "/admin/quizquestion.php" in Kashipara Online Exam System v1.0 allows remote attackers to execute arbitrary SQL commands via the "eid" parameter.
CVE-2025-2794 1 Kentico 1 Xperience 2025-11-19 N/A
An unsafe reflection vulnerability in Kentico Xperience allows an unauthenticated attacker to kill the current process, leading to a Denial-of-Service condition. This issue affects Xperience: through 13.0.180.
CVE-2025-0351 2025-11-19 N/A
Voluntarily withdrawn
CVE-2025-65941 2025-11-19 N/A
Not used
CVE-2025-65940 2025-11-19 N/A
Not used
CVE-2025-65939 2025-11-19 N/A
Not used
CVE-2025-65938 2025-11-19 N/A
Not used
CVE-2025-65937 2025-11-19 N/A
Not used
CVE-2025-65936 2025-11-19 N/A
Not used
CVE-2025-65935 2025-11-19 N/A
Not used
CVE-2025-65934 2025-11-19 N/A
Not used
CVE-2025-65933 2025-11-19 N/A
Not used
CVE-2025-34157 1 Coollabs 1 Coolify 2025-11-19 9.0 Critical
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers.
CVE-2025-34159 1 Coollabs 1 Coolify 2025-11-19 8.8 High
Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server.
CVE-2025-34161 1 Coollabs 1 Coolify 2025-11-19 8.8 High
Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise.
CVE-2025-34267 1 Flowiseai 1 Flowise 2025-11-19 9.9 Critical
Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the host and circumvent the intended nodevm sandbox restrictions, resulting in execution of arbitrary code in the context of the host. This vulnerability was incorrectly assigned as a duplicate CVE-2025-26319 by the developers and should be considered distinct from that identifier.
CVE-2025-34282 1 Thingsboard 1 Thingsboard 2025-11-19 9.1 Critical
ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.
CVE-2025-34489 1 Gfi 1 Mailessentials 2025-11-19 7.8 High
GFI MailEssentials prior to version 21.8 is vulnerable to a local privilege escalation issue. A local attacker can escalate to NT Authority/SYSTEM by sending a crafted serialized payload to a .NET Remoting Service.
CVE-2025-34490 1 Gfi 1 Mailessentials 2025-11-19 6.5 Medium
GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.