Export limit exceeded: 331832 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (331832 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5753 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.4 Medium |
| The Valuation Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-44109 | 2025-07-25 | 5.4 Medium | ||
| A URL redirection in Pinokio v3.6.23 allows attackers to redirect victim users to attacker-controlled pages. | ||||
| CVE-2025-41683 | 1 Weidmueller | 3 Ie-sr-2tx-wl, Ie-sr-2tx-wl-4g-eu, Ie-sr-2tx-wl-4g-us-v | 2025-07-25 | 8.8 High |
| An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of improper sanitizing of user input in the Main Web Interface (endpoint event_mail_test). | ||||
| CVE-2025-7437 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 9.8 Critical |
| The Ebook Store plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ebook_store_save_form function in all versions up to, and including, 5.8012. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-7371 | 1 Okta | 1 On-premises Provisioning Agent | 2025-07-25 | 6.8 Medium |
| Okta On-Premises Provisioning (OPP) agents log certain user data during administrator-initiated password resets. This vulnerability allows an attacker with access to the local servers running OPP agents to retrieve user personal information and temporary passwords created during password reset. You are affected by this vulnerability if the following preconditions are met: Local server running OPP agent with versions >=2.2.1 and <= 2.3.0, and User account has had an administrator-initiated password reset while using the affected versions. | ||||
| CVE-2025-4395 | 2025-07-25 | 6.8 Medium | ||
| Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access to log in with no password and access modify system functionality. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025 | ||||
| CVE-2025-51865 | 2025-07-25 | 8.8 High | ||
| Ai2 playground web service (playground.allenai.org) LLM chat through 2025-06-03 is vulnerable to Insecure Direct Object Reference (IDOR), allowing attackers to gain sensitvie information via enumerating thread keys in the URL. | ||||
| CVE-2025-54297 | 1 Joomla | 1 Joomla | 2025-07-25 | N/A |
| A stored XSS vulnerability in CComment component 5.0.0-6.1.14 for Joomla was discovered. | ||||
| CVE-2025-8021 | 2025-07-25 | 7.5 High | ||
| All versions of the package files-bucket-server are vulnerable to Directory Traversal where an attacker can traverse the file system and access files outside of the intended directory. | ||||
| CVE-2025-4295 | 2025-07-25 | 4.6 Medium | ||
| Improper Validation of Certificate with Host Mismatch vulnerability in HotelRunner B2B allows HTTP Response Splitting.This issue affects B2B: before 04.06.2025. | ||||
| CVE-2025-51862 | 2025-07-25 | 6.1 Medium | ||
| Insecure Direct Object Reference (IDOR) vulnerability in TelegAI (telegai.com) thru 2025-05-26 in its chat component. An attacker can exploit this IDOR to tamper other users' conversation. Additionally, malicious contents and XSS payloads can be injected, leading to phishing attack, user spoofing and account hijacking via XSS. | ||||
| CVE-2025-4394 | 2025-07-25 | 6.8 Medium | ||
| Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025 | ||||
| CVE-2025-4393 | 2025-07-25 | 6.5 Medium | ||
| Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or elevate privileges. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025 | ||||
| CVE-2025-48733 | 2025-07-25 | 7.5 High | ||
| DuraComm SPM-500 DP-10iN-100-MU lacks access controls for a function that should require user authentication. This could allow an attacker to repeatedly reboot the device. | ||||
| CVE-2025-4294 | 2025-07-25 | 4.8 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HotelRunner B2B allows Cross-Site Scripting (XSS).This issue affects B2B: before 04.06.2025. | ||||
| CVE-2025-41425 | 2025-07-25 | 8.1 High | ||
| DuraComm SPM-500 DP-10iN-100-MU is vulnerable to a cross-site scripting attack. This could allow an attacker to prevent legitimate users from accessing the web interface. | ||||
| CVE-2025-8020 | 2025-07-25 | 8.2 High | ||
| All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4) which is not included as part of the private IP ranges in the package's source code. | ||||
| CVE-2025-6261 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.4 Medium |
| The Fleetwire Fleet Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fleetwire_list shortcode in all versions up to, and including, 1.0.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-6214 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.5 Medium |
| The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route’s permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-6174 | 1 Wordpress | 1 Wordpress | 2025-07-25 | 6.1 Medium |
| The Qwizcards | online quizzes and flashcards WordPress plugin through 3.9.4 does not sanitise and escape the "_stylesheet" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or any other user. | ||||