Export limit exceeded: 336654 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336654 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1112 | 1 Angusj | 1 Resource Hacker | 2025-05-29 | 7.3 High |
| Heap-based buffer overflow vulnerability in Resource Hacker, developed by Angus Johnson, affecting version 3.6.0.92. This vulnerability could allow an attacker to execute arbitrary code via a long filename argument. | ||||
| CVE-2024-0219 | 1 Progress | 1 Telerik Justdecompile | 2025-05-29 | 7.8 High |
| In Telerik JustDecompile versions prior to 2024 R1, a privilege elevation vulnerability has been identified in the applications installer component. In an environment where an existing Telerik JustDecompile install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system. | ||||
| CVE-2023-5390 | 1 Honeywell | 4 Controledge Unit Operations Controller, Controledge Unit Operations Controller Firmware, Controledge Virtual Unit Operations Controller and 1 more | 2025-05-29 | 5.3 Medium |
| An attacker could potentially exploit this vulnerability, leading to files being read from the Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC. This exploit could be used to read files from the controller that may expose limited information from the device. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning. | ||||
| CVE-2024-1111 | 1 Rems | 1 Qr Code Login System | 2025-05-29 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in SourceCodester QR Code Login System 1.0. Affected by this issue is some unknown functionality of the file add-user.php. The manipulation of the argument qr-code leads to cross site scripting. The attack may be launched remotely. VDB-252470 is the identifier assigned to this vulnerability. | ||||
| CVE-2024-1115 | 1 Openbi | 1 Openbi | 2025-05-29 | 7.3 High |
| A vulnerability was found in openBI up to 1.0.8 and classified as critical. This issue affects the function dlfile of the file /application/websocket/controller/Setting.php. The manipulation of the argument phpPath leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252473 was assigned to this vulnerability. | ||||
| CVE-2024-1117 | 1 Openbi | 1 Openbi | 2025-05-29 | 7.3 High |
| A vulnerability was found in openBI up to 1.0.8. It has been declared as critical. Affected by this vulnerability is the function index of the file /application/index/controller/Screen.php. The manipulation of the argument fileurl leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252475. | ||||
| CVE-2024-23651 | 1 Mobyproject | 1 Buildkit | 2025-05-29 | 8.7 High |
| BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options. | ||||
| CVE-2024-24571 | 1 Facilemanager | 1 Facilemanager | 2025-05-29 | 5.4 Medium |
| facileManager is a modular suite of web apps built with the sysadmin in mind. For the facileManager web application versions 4.5.0 and earlier, we have found that XSS was present in almost all of the input fields as there is insufficient input validation. | ||||
| CVE-2025-5286 | 2025-05-29 | 6.4 Medium | ||
| The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘additional_settings’ parameter in all versions up to, and including, 5.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-5276 | 2025-05-29 | 7.4 High | ||
| All versions of the package mcp-markdownify-server are vulnerable to Server-Side Request Forgery (SSRF) via the Markdownify.get() function. An attacker can craft a prompt that, once accessed by the MCP host, can invoke the webpage-to-markdown, bing-search-to-markdown, and youtube-to-markdown tools to issue requests and read the responses to attacker-controlled URLs, potentially leaking sensitive information. | ||||
| CVE-2025-5122 | 2025-05-29 | 6.4 Medium | ||
| The Map Block Leaflet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-48045 | 2025-05-29 | N/A | ||
| An unauthenticated HTTP GET request to the /client.php endpoint will disclose the default administrator user credentials. | ||||
| CVE-2025-4687 | 2025-05-29 | N/A | ||
| In Teltonika Networks Remote Management System (RMS), it is possible to perform account pre-hijacking by misusing the invite functionality. If a victim has a pending invite and registers to the platform directly, they are added to the attackers company without their knowledge. The victims account and their company can then be managed by the attacker.This issue affects RMS: before 5.7. | ||||
| CVE-2025-32802 | 1 Redhat | 1 Enterprise Linux | 2025-05-29 | 6.1 Medium |
| Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. | ||||
| CVE-2025-32801 | 1 Redhat | 1 Enterprise Linux | 2025-05-29 | 7.8 High |
| Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. | ||||
| CVE-2025-5273 | 2025-05-29 | 6.5 Medium | ||
| All versions of the package mcp-markdownify-server are vulnerable to Files or Directories Accessible to External Parties via the get-markdown-file tool. An attacker can craft a prompt that, once accessed by the MCP host, will allow it to read arbitrary files from the host running the server. | ||||
| CVE-2025-48047 | 2025-05-29 | N/A | ||
| An authenticated user can perform command injection via unsanitized input to the NetFax Server’s ping functionality via the /test.php endpoint. | ||||
| CVE-2025-4583 | 2025-05-29 | 5.4 Medium | ||
| The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-plugin` attribute in all versions up to, and including, 6.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-32803 | 1 Redhat | 1 Enterprise Linux | 2025-05-29 | 4 Medium |
| In some cases, Kea log files or lease files may be world-readable. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. | ||||
| CVE-2023-6402 | 1 Phpgurukul | 1 Nipah Virus Testing Management System | 2025-05-29 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in PHPGurukul Nipah Virus Testing Management System 1.0. This affects an unknown part of the file add-phlebotomist.php. The manipulation of the argument empid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246423. | ||||