Export limit exceeded: 336355 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336355 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6843 | 1 Webdigit | 2 Chatbot With Chatgpt, Chatbot With Chatgpt Wordpress | 2025-05-27 | 6.1 Medium |
| The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not sanitise and escape user inputs, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins | ||||
| CVE-2024-6847 | 2 Smartsearchwp, Webdigit | 2 Chatbot With Chatgpt Wordpress, Chatbot With Chatgpt | 2025-05-27 | 9.8 Critical |
| The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users when submitting messages to the chatbot. | ||||
| CVE-2024-48655 | 1 Totaljs | 2 Total.js, Total.js Cms | 2025-05-27 | 8.8 High |
| An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file. | ||||
| CVE-2024-48191 | 2 Dingfangzu, Timgreen | 2 Dingfangzu, Dingfanzu Cms | 2025-05-27 | 6.3 Medium |
| dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/doAdminAction.php?act=delAdmin&id=17 | ||||
| CVE-2024-48291 | 2 Dingfangzu, Timgreen | 2 Dingfangzu, Dingfanzu Cms | 2025-05-27 | 6.3 Medium |
| dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/doAdminAction.php?act=editAdmin&id=17 | ||||
| CVE-2024-42835 | 1 Langflow | 1 Langflow | 2025-05-27 | 9.8 Critical |
| langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component. | ||||
| CVE-2025-4915 | 1 Phpgurukul | 1 Auto\/taxi Stand Management System | 2025-05-27 | 7.3 High |
| A vulnerability was found in PHPGurukul Auto Taxi Stand Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/auto-taxi-entry-detail.php. The manipulation of the argument price leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-47935 | 2025-05-27 | 7.5 High | ||
| Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available. | ||||
| CVE-2024-51407 | 1 Projectfloodlight | 1 Floodlight | 2025-05-27 | 6.2 Medium |
| Floodlight SDN OpenFlow Controller v.1.2 has an issue that allows local hosts to construct false broadcast ports causing inter-host communication anomalies. | ||||
| CVE-2023-38952 | 1 Zkteco | 1 Biotime | 2025-05-27 | 7.5 High |
| Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints. | ||||
| CVE-2023-38951 | 1 Zkteco | 1 Biotime | 2025-05-27 | 9.8 Critical |
| ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM. | ||||
| CVE-2022-32843 | 1 Apple | 2 Mac Os X, Macos | 2025-05-27 | 7.1 High |
| An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in Security Update 2022-005 Catalina, macOS Big Sur 11.6.8, macOS Monterey 12.5. Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory. | ||||
| CVE-2022-32832 | 1 Apple | 6 Ipados, Iphone Os, Mac Os X and 3 more | 2025-05-27 | 6.7 Medium |
| The issue was addressed with improved memory handling. This issue is fixed in iOS 15.6 and iPadOS 15.6, macOS Big Sur 11.6.8, watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, Security Update 2022-005 Catalina. An app with root privileges may be able to execute arbitrary code with kernel privileges. | ||||
| CVE-2022-32807 | 1 Apple | 2 Mac Os X, Macos | 2025-05-27 | 7.1 High |
| This issue was addressed with improved file handling. This issue is fixed in Security Update 2022-005 Catalina, macOS Big Sur 11.6.8, macOS Monterey 12.5. An app may be able to overwrite arbitrary files. | ||||
| CVE-2022-28979 | 1 Liferay | 3 Digital Experience Platform, Dxp, Liferay Portal | 2025-05-27 | 6.1 Medium |
| Liferay Portal v7.1.0 through v7.4.2 and Liferay DXP 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 was discovered to contain a cross-site scripting (XSS) vulnerability in the Portal Search module's Custom Facet widget. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Parameter Name text field. | ||||
| CVE-2022-28802 | 1 Zapier | 1 Code By Zapier | 2025-05-27 | 8.8 High |
| Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other words, Code by Zapier was providing a customer-controlled general-purpose virtual machine that unintentionally granted full access to all users of a company's account, but was supposed to enforce role-based access control within that company's account. Before 2022-08-17, a customer could have resolved this by (in effect) using a separate virtual machine for an application that held credentials - or other secrets - that weren't supposed to be shared among all of its employees. (Multiple accounts would have been needed to operate these independent virtual machines.) | ||||
| CVE-2022-28722 | 1 Hp | 198 A7w93a, A7w93a Firmware, D3q15a and 195 more | 2025-05-27 | 9.8 Critical |
| Certain HP Print Products are potentially vulnerable to Buffer Overflow. | ||||
| CVE-2022-28721 | 1 Hp | 600 1g5m0a, 1g5m0a Firmware, 1k7k6a and 597 more | 2025-05-27 | 9.8 Critical |
| Certain HP Print Products are potentially vulnerable to Remote Code Execution. | ||||
| CVE-2023-7229 | 1 Evanliewer | 1 Illi Link Party\! | 2025-05-27 | 5.5 Medium |
| The illi Link Party! WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | ||||
| CVE-2023-7230 | 1 Evanliewer | 1 Illi Link Party\! | 2025-05-27 | 6.1 Medium |
| The illi Link Party! WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks. | ||||