Export limit exceeded: 363500 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363500 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-40088 2 Vilo, Viloliving 3 5 Mesh Wifi System, Vilo 5, Vilo 5 Firmware 2025-07-07 5.3 Medium
A Directory Traversal vulnerability in the Boa webserver of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to enumerate the existence and length of any file in the filesystem by placing malicious payloads in the path of any HTTP request.
CVE-2024-40087 1 Viloliving 3 Vilo 5, Vilo 5 Firmware, Vilo 5 Mesh Wifi System Firmware 2025-07-07 9.6 Critical
Vilo 5 Mesh WiFi System <= 5.16.1.33 is vulnerable to Insecure Permissions. Lack of authentication in the custom TCP service on port 5432 allows remote, unauthenticated attackers to gain administrative access over the router.
CVE-2024-40084 1 Viloliving 3 Vilo 5, Vilo 5 Firmware, Vilo 5 Mesh Wifi System Firmware 2025-07-07 9.6 Critical
A Buffer Overflow in the Boa webserver of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to execute arbitrary code via exceptionally long HTTP methods or paths.
CVE-2025-6660 1 Pdf-xchange 3 Pdf-tools, Pdf-xchange Editor, Pdf-xchange Pro 2025-07-07 N/A
PDF-XChange Editor GIF File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of GIF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26763.
CVE-2024-48232 1 Mipjz Project 1 Mipjz 2025-07-07 4.9 Medium
An issue was found in mipjz 5.0.5. In the mipPost method of \app\setting\controller\ApiAdminTool.php, the value of the postAddress parameter is not processed and is directly passed into curl_exec execution and output, resulting in a Server-side request forgery (SSRF) vulnerability that can read server files.
CVE-2024-48233 1 Mipjz Project 1 Mipjz 2025-07-07 4.8 Medium
mipjz 5.0.5 is vulnerable to Cross Site Scripting (XSS) in \app\setting\controller\ApiAdminSetting.php via the ICP parameter.
CVE-2024-48270 1 Misstt123 1 Oasys 2025-07-07 7.5 High
An issue in the component /logins of oasys v1.1 allows attackers to access sensitive information via a burst attack.
CVE-2024-4839 1 Lollms 1 Lollms-webui 2025-07-07 3.3 Low
A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl service, which lack CSRF protection. This vulnerability allows attackers to deceive users into unwittingly installing the XTTS service among other packages by submitting a malicious installation request. Successful exploitation results in attackers tricking users into performing actions without their consent.
CVE-2021-3186 1 Tenda 2 Ac5, Ac5 Firmware 2025-07-07 5.4 Medium
A Stored Cross-site scripting (XSS) vulnerability in /main.html Wifi Settings in Tenda AC5 AC1200 version V15.03.06.47_multi allows remote attackers to inject arbitrary web script or HTML via the Wifi Name parameter.
CVE-2020-28095 1 Tenda 2 Ac6, Ac6 Firmware 2025-07-07 7.5 High
On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, a large HTTP POST request sent to the change password API will trigger the router to crash and enter an infinite boot loop.
CVE-2019-16869 4 Canonical, Debian, Netty and 1 more 14 Ubuntu Linux, Debian Linux, Netty and 11 more 2025-07-07 7.5 High
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CVE-2024-48597 2 Angeljudesuarez, Online Clinic Management System Project 2 Online Clinic Management System, Online Clinic Management System 2025-07-07 8.1 High
Online Clinic Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /success/editp.php?action=edit.
CVE-2024-50986 1 Clementine-player 1 Clementine 2025-07-07 7.3 High
An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file.
CVE-2024-51091 1 Seajs 1 Seajs 2025-07-07 5.4 Medium
Cross Site Scripting vulnerability in seajs v.2.2.3 allows a remote attacker to execute arbitrary code via the seajs package
CVE-2024-46450 1 Tenda 2 Ac6, Ac6 Firmware 2025-07-07 8.1 High
Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request.
CVE-2024-40503 1 Tenda 2 Ax12, Ax12 Firmware 2025-07-07 6.5 Medium
An issue in Tenda AX12 v.16.03.49.18_cn+ allows a remote attacker to cause a denial of service via the Routing functionality and ICMP packet handling.
CVE-2024-48192 1 Tenda 2 G3, G3 Firmware 2025-07-07 8 High
Tenda G3 v15.01.0.5(2848_755)_EN was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root
CVE-2024-40412 1 Tenda 2 Ax12, Ax12 Firmware 2025-07-07 6.8 Medium
Tenda AX12 v1.0 v22.03.01.46 contains a stack overflow in the deviceList parameter of the sub_42E410 function.
CVE-2024-51568 2 Cyber Panel, Cyberpanel 2 Cyber Panel, Cyberpanel 2025-07-07 10 Critical
CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters.
CVE-2024-50983 1 Getflightpath 1 Flightpath 2025-07-07 6.1 Medium
FlightPath 7.5 contains a Cross Site Scripting (XSS) vulnerability, which allows authenticated remote attackers with administrative rights to inject arbitrary JavaScript in the web browser of a user by including a malicious payload into the Last Name section in the Create/Edit Faculty/Staff User or Create/Edit Student User sections.