Search Results (334670 CVEs found)
| CVE | Updated | CVSS v3.1 | Description |
|---|---|---|---|
| CVE-2025-48016 | 2025-05-21 | 4.3 Medium | OpenFlow discovery protocol can exhaust resources because it is not rate limited |
| CVE-2025-4219 | 2025-05-21 | 6.4 Medium | The DPEPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dpe' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-41426 | 2025-05-21 | 9.8 Critical | Affected Vertiv products contain a stack based buffer overflow vulnerability. An attacker could exploit this vulnerability to gain code execution on the device. |
| CVE-2025-48201 | 2025-05-21 | 8.6 High | The ns_backup extension through 13.0.0 for TYPO3 has a Predictable Resource Location. |
| CVE-2025-46412 | 2025-05-21 | 9.8 Critical | Affected Vertiv products do not properly protect webserver functions that could allow an attacker to bypass authentication. |
| CVE-2025-1419 | 2025-05-21 | N/A | Input provided in comment section of Konsola Proget is not sanitized correctly, allowing a high-privileged user to perform a Stored Cross-Site Scripting attack. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite). |
| CVE-2025-48202 | 2025-05-21 | 5.3 Medium | The femanager extension through 8.2.1 for TYPO3 allows Insecure Direct Object Reference. |
| CVE-2025-48018 | 2025-05-21 | 7.5 High | An authenticated user can modify application state data. |
| CVE-2025-4364 | 2025-05-21 | N/A | The affected products could allow an unauthenticated attacker to access system information that could enable further access to sensitive files and obtain administrative credentials. |
| CVE-2025-1421 | 2025-05-21 | N/A | Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by opening it in a tool such as Microsoft Excel. The attacker could gain remote access to the user's PC. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite). |
| CVE-2025-1416 | 2025-05-21 | N/A | In Proget MDM, a low-privileged user can retrieve passwords for managed devices and subsequently use functionalities restricted by the MDM (Mobile Device Management). For it to happen, they must know the UUIDs of targeted devices, which might be obtained by exploiting CVE-2025-1415 or CVE-2025-1417. This issue has been fixed in 2.17.5 version of Konsola Proget (server part of the MDM suite). |
| CVE-2025-48017 | 2025-05-21 | 9 Critical | Improper limitation of pathname in Circuit Provisioning and File Import applications allows modification and uploading of files |
| CVE-2025-48015 | 2025-05-21 | 3.7 Low | Failed login response could be different depending on whether the username was local or central. |
| CVE-2025-48014 | 2025-05-21 | 7.5 High | Password guessing limits could be bypassed when using LDAP authentication. |
| CVE-2025-4221 | 2025-05-21 | 6.4 Medium | The Animated Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auto-downloader' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-4217 | 2025-05-21 | 6.4 Medium | The WP YouTube Video Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ib_youtube' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-5029 | 2025-05-21 | 5.4 Medium | A vulnerability has been found in Kingdee Cloud Galaxy Private Cloud BBC System up to 9.0 Patch April 2025 and classified as critical. Affected by this vulnerability is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file fileUpload/deleteFileAction.jhtml of the component File Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. |
| CVE-2025-48207 | 2025-05-21 | 8.6 High | The reint_downloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference. |
| CVE-2025-48204 | 2025-05-21 | 6.8 Medium | The ns_backup extension through 13.0.0 for TYPO3 allows command injection. |
| CVE-2025-48203 | 2025-05-21 | 6.4 Medium | The cs_seo extension through 9.2.0 for TYPO3 allows XSS. |