Export limit exceeded: 364170 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364170 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-50207 | 1 Linux | 1 Linux Kernel | 2025-11-19 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: ARM: bcm: Fix refcount leak in bcm_kona_smc_init of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. | ||||
| CVE-2024-40479 | 2 Jayesh, Kashipara | 2 Online Exam System, Online Exam System | 2025-11-19 | 8.1 High |
| A SQL injection vulnerability in "/admin/quizquestion.php" in Kashipara Online Exam System v1.0 allows remote attackers to execute arbitrary SQL commands via the "eid" parameter. | ||||
| CVE-2025-2794 | 1 Kentico | 1 Xperience | 2025-11-19 | N/A |
| An unsafe reflection vulnerability in Kentico Xperience allows an unauthenticated attacker to kill the current process, leading to a Denial-of-Service condition. This issue affects Xperience: through 13.0.180. | ||||
| CVE-2025-0351 | 2025-11-19 | N/A | ||
| Voluntarily withdrawn | ||||
| CVE-2025-65941 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65940 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65939 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65938 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65937 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65936 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65935 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65934 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65933 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-34157 | 1 Coollabs | 1 Coolify | 2025-11-19 | 9.0 Critical |
| Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers. | ||||
| CVE-2025-34159 | 1 Coollabs | 1 Coolify | 2025-11-19 | 8.8 High |
| Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server. | ||||
| CVE-2025-34161 | 1 Coollabs | 1 Coolify | 2025-11-19 | 8.8 High |
| Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise. | ||||
| CVE-2025-34267 | 1 Flowiseai | 1 Flowise | 2025-11-19 | 9.9 Critical |
| Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the host and circumvent the intended nodevm sandbox restrictions, resulting in execution of arbitrary code in the context of the host. This vulnerability was incorrectly assigned as a duplicate CVE-2025-26319 by the developers and should be considered distinct from that identifier. | ||||
| CVE-2025-34282 | 1 Thingsboard | 1 Thingsboard | 2025-11-19 | 9.1 Critical |
| ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources. | ||||
| CVE-2025-34489 | 1 Gfi | 1 Mailessentials | 2025-11-19 | 7.8 High |
| GFI MailEssentials prior to version 21.8 is vulnerable to a local privilege escalation issue. A local attacker can escalate to NT Authority/SYSTEM by sending a crafted serialized payload to a .NET Remoting Service. | ||||
| CVE-2025-34490 | 1 Gfi | 1 Mailessentials | 2025-11-19 | 6.5 Medium |
| GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files. | ||||