Export limit exceeded: 337503 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (337503 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-27709 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2025-06-16 | 8.3 High |
| Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the Service Account Auditing reports. | ||||
| CVE-2025-41444 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2025-06-16 | 8.3 High |
| Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the alerts module. | ||||
| CVE-2025-5971 | 1 Fabian | 1 School Fees Payment System | 2025-06-16 | 6.3 Medium |
| A vulnerability was found in code-projects School Fees Payment System 1.0. It has been classified as critical. This affects an unknown part of the file /ajx.php. The manipulation of the argument name_startsWith leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-24388 | 2025-06-16 | 3.8 Low | ||
| A vulnerability in the OTRS Admin Interface and Agent Interface (versions before OTRS 8) allow parameter injection due to for an autheniticated agent or admin user. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected | ||||
| CVE-2025-5979 | 1 Fabian | 1 School Fees Payment System | 2025-06-16 | 7.3 High |
| A vulnerability classified as critical has been found in code-projects School Fees Payment System 1.0. This affects an unknown part of the file /branch.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-5980 | 1 Carmelogarcia | 1 Restaurant Order System | 2025-06-16 | 7.3 High |
| A vulnerability classified as critical was found in code-projects Restaurant Order System 1.0. This vulnerability affects unknown code of the file /order.php. The manipulation of the argument tabidNoti leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-40916 | 2025-06-16 | 9.1 Critical | ||
| Mojolicious::Plugin::CaptchaPNG version 1.05 for Perl uses a weak random number source for generating the captcha. That version uses the built-in rand() function for generating the captcha text as well as image noise, which is insecure. | ||||
| CVE-2025-31053 | 2025-06-16 | 7.7 High | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in quantumcloud KBx Pro Ultimate allows Path Traversal.This issue affects KBx Pro Ultimate: from n/a before 8.0.5. | ||||
| CVE-2025-0505 | 1 Arista | 1 Cloudvision Portal | 2025-06-16 | 10 Critical |
| On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain admin privileges on the CloudVision system, with more permissions than necessary, which can be used to query or manipulate system state for devices under management. Note that CloudVision as-a-Service is not affected. | ||||
| CVE-2025-5815 | 2025-06-16 | 5.3 Medium | ||
| The Traffic Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tfcm_maybe_set_bot_flags() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to disabled bot logging. | ||||
| CVE-2025-5288 | 2025-06-16 | 9.8 Critical | ||
| The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges. | ||||
| CVE-2024-38825 | 2025-06-16 | 6.4 Medium | ||
| The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted. | ||||
| CVE-2025-5485 | 2025-06-16 | 8.6 High | ||
| User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences. | ||||
| CVE-2025-4418 | 2025-06-16 | 4.4 Medium | ||
| An improper validation of integrity check value vulnerability exists in AVEVA PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow a miscreant with elevated privileges to modify PI Connector for CygNet local data files (cache and buffers) in a way that causes the connector service to become unresponsive. | ||||
| CVE-2025-49589 | 2025-06-16 | N/A | ||
| PCSX2 is a free and open-source PlayStation 2 (PS2) emulator. A stack-based buffer overflow exists in the Kprintf_HLE function of PCSX2 versions up to 2.3.414. Opening a disc image that logs a specially crafted message may allow a remote attacker to execute arbitrary code if the user enabled IOP Console Logging. This vulnerability is fixed in 2.3.414. | ||||
| CVE-2025-4417 | 2025-06-16 | 5.5 Medium | ||
| A cross-site scripting vulnerability exists in AVEVA PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow an administrator miscreant with local access to the connector admin portal to persist arbitrary JavaScript code that will be executed by other users who visit affected pages. | ||||
| CVE-2025-5484 | 2025-06-16 | 8.3 High | ||
| A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on the receiver. The default password is well-known and common to all devices. Modification of the default password is not enforced during device setup. A malicious actor can retrieve device identifiers with either physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay. | ||||
| CVE-2025-6029 | 2025-06-16 | N/A | ||
| Use of fixed learning codes, one code to lock the car and the other code to unlock it, the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacture is unknown at the time of release. CVE Record will be updated once this is clarified. | ||||
| CVE-2025-6012 | 2025-06-16 | 5.5 Medium | ||
| The Auto Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2025-5939 | 2025-06-16 | 4.4 Medium | ||
| The Telegram for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||