Search Results (329676 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2017-9844 | Sap | Netweaver | 2025-05-02 | 7.5 High | SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. NOTE: the vendor states that the devserver package of Visual Composer deserializes a malicious object, which may prevent legitimate users from accessing a service, either by crashing it or by flooding it. |
| CVE-2022-37912 | Arubanetworks | Arubaos, Sd-wan | 2025-05-02 | 7.2 High | Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system. |
| CVE-2022-37903 | Arubanetworks | 7005, 7008, 7010 and 9 more | 2025-05-02 | 7.2 High | A vulnerability exists that allows an authenticated attacker to overwrite an arbitrary file with attacker-controlled content via the web interface. Successful exploitation of this vulnerability could lead to full compromise of the underlying host operating system. |
| CVE-2022-37902 | Arubanetworks | 7005, 7008, 7010 and 9 more | 2025-05-02 | 7.2 High | Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system. |
| CVE-2022-24309 | Mendix | Mendix | 2025-05-02 | 6.8 Medium | A vulnerability has been identified in Mendix Runtime V7 (all versions < V7.23.29), Mendix Runtime V8 (all versions < V8.18.16) and Mendix Runtime V9 (all versions < V9.13, only with the Runtime Custom Setting `DataStorage.UseNewQueryHandler` set to False). If an entity has an association readable by the user, then in some cases Mendix Runtime may not apply checks for XPath constraints that parse that association within apps running on affected versions. A malicious user could use this to dump and manipulate sensitive data. |
| CVE-2016-1585 | Canonical | Apparmor | 2025-05-02 | 9.8 Critical | In all versions of AppArmor, mount rules are accidentally widened when compiled. |
| CVE-2022-44622 | Jetbrains | Teamcity | 2025-05-02 | 2.7 Low | In JetBrains TeamCity versions between 2021.2 and 2022.10, access permissions for secure token health items were excessive. |
| CVE-2025-3301 | | | 2025-05-02 | N/A | DPA countermeasures are unavailable for ECDH key agreement and EdDSA signing operations on Curve25519 and Curve448 on all Series 2 modules and SoCs, due to a lack of hardware and software support. A successful DPA attack may result in exposure of confidential information. The best practice is to use the impacted curves and operations only with ephemeral keys, which limits the number of DPA traces an attacker can collect against any one key. |
| CVE-2025-32777 | | | 2025-05-02 | N/A | Volcano is a Kubernetes-native batch scheduling system. Prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3 and 1.12.0-alpha.2, an attacker who has compromised either the Elastic service or the extender plugin can cause a denial of service of the scheduler. This is a privilege escalation, because Volcano users may run their Elastic service and extender plugins in separate pods or nodes from the scheduler; in the Kubernetes security model node isolation is a security boundary, so an attacker who has compromised either of the vulnerable services, or the pod or node they are deployed in, crosses that boundary. The scheduler becomes unavailable to other users and workloads in the cluster: it either crashes with an unrecoverable OOM panic or freezes while consuming excessive amounts of memory. This issue has been patched in versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3 and 1.12.0-alpha.2. |
| CVE-2025-3953 | | | 2025-05-02 | 6.5 Medium | The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `optionUpdater` function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings. |
| CVE-2025-4076 | | | 2025-05-02 | 6.3 Medium | A vulnerability classified as critical has been found in LB-LINK BL-AC3600 up to 1.0.22. It affects the function `easy_uci_set_option_string_0` of the file `/cgi-bin/lighttpd.cgi` in the Password Handler component. Manipulation of the argument `routepwd` leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-4075 | | | 2025-05-02 | 4.3 Medium | A vulnerability classified as problematic was found in VMSMan up to 20250416. It affects some unknown functionality of the file `/login.php`. Manipulation of the argument `Email` with the input `"><script>alert(1)</script>` leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-27532 | | | 2025-05-02 | 6.5 Medium | A vulnerability in the "Backup & Restore" functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to access secret information via multiple crafted HTTP requests. |
| CVE-2025-23181 | | | 2025-05-02 | 8.0 High | CWE-250: Execution with Unnecessary Privileges |
| CVE-2025-23180 | | | 2025-05-02 | 8.0 High | CWE-250: Execution with Unnecessary Privileges |
| CVE-2025-24348 | | | 2025-05-02 | 5.4 Medium | A vulnerability in the "Network Interfaces" functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the wireless network configuration file via a crafted HTTP request. |
| CVE-2025-24347 | | | 2025-05-02 | 6.5 Medium | A vulnerability in the "Network Interfaces" functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the network configuration file via a crafted HTTP request. |
| CVE-2025-24344 | | | 2025-05-02 | 6.3 Medium | A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to inject arbitrary HTML tags and, possibly, execute arbitrary client-side code in the context of another user's browser via a crafted HTTP request. |
| CVE-2025-23179 | | | 2025-05-02 | 5.5 Medium | CWE-798: Use of Hard-coded Credentials |
| CVE-2025-23178 | | | 2025-05-02 | 7.6 High | CWE-923: Improper Restriction of Communication Channel to Intended Endpoints |
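Two of the entries above are remotely reachable through a plain HTTP request to a known path with a suspicious value in a known parameter: the command injection through the `routepwd` argument of `/cgi-bin/lighttpd.cgi` on the LB-LINK BL-AC3600 (CVE-2025-4076) and the reflected cross-site scripting through the `Email` argument of `/login.php` in VMSMan (CVE-2025-4075). Both therefore leave a trace in ordinary web-server access logs. The Python below is an added detection example, not code from either vendor or from the CVE records: it parses Common Log Format lines, URL-decodes the query string (twice, to catch double encoding), and flags shell metacharacters in `routepwd` and tag or attribute breakouts in `Email`. The log lines are constructed for the demo, the client addresses are documentation ranges, and the metacharacter and XSS patterns are assumptions about what an injected value would contain rather than the disclosed payloads.

```python
"""Flag access-log lines that look like attempts against the two web issues
listed above.  Example detection code, not part of any vendor product; the
paths and parameter names come from the CVE records, everything else is an
assumption for the demo."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Common Log Format: client ident user [timestamp] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Characters a shell would interpret; none belong in a router password field.
SHELL_META = re.compile(r'[;&|`$\n\r]|\$\(')
# Minimal reflected-XSS indicator: a tag opener or a quote-then-'>' breakout.
XSS_META = re.compile(r'<\s*/?\s*[a-z]|["\']\s*>', re.IGNORECASE)

# (CVE, path, parameter, pattern) -- path and parameter from the CVE text.
RULES = [
    ("CVE-2025-4076", "/cgi-bin/lighttpd.cgi", "routepwd", SHELL_META),
    ("CVE-2025-4075", "/login.php", "Email", XSS_META),
]

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2025:10:00:01 +0000] "GET /cgi-bin/lighttpd.cgi?routepwd=Summer2025 HTTP/1.1" 200 512
203.0.113.7 - - [02/May/2025:10:00:02 +0000] "GET /cgi-bin/lighttpd.cgi?routepwd=x%3Bid HTTP/1.1" 200 512
198.51.100.9 - - [02/May/2025:10:00:03 +0000] "GET /login.php?Email=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1024
198.51.100.9 - - [02/May/2025:10:00:04 +0000] "GET /login.php?Email=alice%40example.com HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Split one CLF line into client, request path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"client": m.group("client"), "path": parts.path, "params": params}


def classify(line):
    """Return a list of (cve, client, decoded_value) hits for one log line."""
    rec = parse_line(line)
    if rec is None:
        return []
    hits = []
    for cve, path, param, pattern in RULES:
        if rec["path"] != path:
            continue
        for raw in rec["params"].get(param, []):
            value = unquote_plus(raw)  # second decode catches %253B-style double encoding
            if pattern.search(value):
                hits.append((cve, rec["client"], value))
    return hits


def scan(log_text):
    """Run classify() over every line of a log and collect the hits in order."""
    hits = []
    for line in log_text.splitlines():
        hits.extend(classify(line))
    return hits


if __name__ == "__main__":
    for cve, client, value in scan(SAMPLE_LOG):
        print(f"{cve}\t{client}\t{value!r}")
```

Only the request line is visible in Common Log Format, so a POST body carrying the same parameters would not be seen by this scanner; for devices that accept the parameters in a POST, the equivalent check has to sit in a reverse proxy or WAF that inspects bodies. The path match is exact on purpose: matching on substrings invites false positives from unrelated endpoints, and the two products expose these parameters on fixed paths.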