Search Results (338422 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5269 | 2 Mozilla, Redhat | 8 Firefox, Thunderbird, Enterprise Linux and 5 more | 2025-11-03 | 8.1 High |
| Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.11 and Thunderbird < 128.11. | ||||
| CVE-2025-5267 | 2 Mozilla, Redhat | 7 Firefox, Enterprise Linux, Rhel Aus and 4 more | 2025-11-03 | 5.4 Medium |
| A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. | ||||
| CVE-2025-5266 | 2 Mozilla, Redhat | 7 Firefox, Enterprise Linux, Rhel Aus and 4 more | 2025-11-03 | 4.3 Medium |
| Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. | ||||
| CVE-2025-5263 | 2 Mozilla, Redhat | 7 Firefox, Enterprise Linux, Rhel Aus and 4 more | 2025-11-03 | 4.3 Medium |
| Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. | ||||
| CVE-2025-5054 | 1 Canonical | 2 Apport, Ubuntu Linux | 2025-11-03 | 4.7 Medium |
| Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces. When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1). | ||||
| CVE-2025-54798 | 1 Raszi | 2 Node-tmp, Tmp | 2025-11-03 | 2.5 Low |
| tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4. | ||||
| CVE-2025-54769 | 1 Xorux | 1 Lpar2rrd | 2025-11-03 | 8.8 High |
| An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker. | ||||
| CVE-2025-54768 | 1 Xorux | 1 Lpar2rrd | 2025-11-03 | 5.3 Medium |
| An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information. | ||||
| CVE-2025-54767 | 1 Xorux | 1 Lpar2rrd | 2025-11-03 | 6.5 Medium |
| An authenticated, read-only user can kill any processes running on the Xormon Original virtual appliance as the lpar2rrd user. | ||||
| CVE-2025-54766 | 1 Xorux | 2 Xormon, Xormon-ng | 2025-11-03 | 5.3 Medium |
| An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information. | ||||
| CVE-2025-54765 | 1 Xorux | 2 Xormon, Xormon-ng | 2025-11-03 | 5.3 Medium |
| An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include granting themselves administrative level permissions. | ||||
| CVE-2025-53084 | 1 Wwbn | 1 Avideo | 2025-11-03 | 9 Critical |
| A cross-site scripting (XSS) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | ||||
| CVE-2025-52936 | | | 2025-11-03 | N/A |
| Improper Link Resolution Before File Access ('Link Following') vulnerability in yrutschle sslh. This issue affects sslh: before 2.2.2. | ||||
| CVE-2025-52497 | 2 Arm, Mbed | 2 Mbed Tls, Mbedtls | 2025-11-03 | 4.8 Medium |
| Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input. | ||||
| CVE-2025-52496 | 2 Arm, Mbed | 2 Mbed Tls, Mbedtls | 2025-11-03 | 7.8 High |
| Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery. | ||||
| CVE-2025-52361 | 1 Ak-nord | 1 Usb-server-lxl | 2025-11-03 | 7.8 High |
| Insecure permissions in the script /etc/init.d/lighttpd in AK-Nord USB-Server-LXL Firmware v0.0.16 Build 2023-03-13 allows a locally authenticated low-privilege user to execute arbitrary commands with root privilege via editing this script which is executed with root-privileges on any interaction and on every system boot. | ||||
| CVE-2025-52187 | 1 Getprojects | 1 Create School Management System | 2025-11-03 | 8.2 High |
| GetProjectsIdea Create School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in my_profile_update_form1.php. | ||||
| CVE-2025-50128 | 1 Wwbn | 1 Avideo | 2025-11-03 | 9.6 Critical |
| A cross-site scripting (XSS) vulnerability exists in the videoNotFound 404ErrorMsg parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | ||||
| CVE-2025-50125 | | | 2025-11-03 | N/A |
| A CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthenticated remote code execution when the server is accessed via the network with knowledge of hidden URLs and manipulation of host request header. | ||||
| CVE-2025-50124 | | | 2025-11-03 | N/A |
| A CWE-269: Improper Privilege Management vulnerability exists that could cause privilege escalation when the server is accessed by a privileged account via a console and through exploitation of a setup script. | ||||