Export limit exceeded: 336870 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (336870 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4076 | 2025-05-02 | 6.3 Medium | ||
| A vulnerability classified as critical has been found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function easy_uci_set_option_string_0 of the file /cgi-bin/lighttpd.cgi of the component Password Handler. The manipulation of the argument routepwd leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-4075 | 2025-05-02 | 4.3 Medium | ||
| A vulnerability was found in VMSMan up to 20250416. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument Email with the input "><script>alert(1)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-27532 | 2025-05-02 | 6.5 Medium | ||
| A vulnerability in the “Backup & Restore” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to access secret information via multiple crafted HTTP requests. | ||||
| CVE-2025-23181 | 2025-05-02 | 8 High | ||
| CWE-250: Execution with Unnecessary Privileges | ||||
| CVE-2025-23180 | 2025-05-02 | 8 High | ||
| CWE-250: Execution with Unnecessary Privileges | ||||
| CVE-2025-24348 | 2025-05-02 | 5.4 Medium | ||
| A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the wireless network configuration file via a crafted HTTP request. | ||||
| CVE-2025-24347 | 2025-05-02 | 6.5 Medium | ||
| A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the network configuration file via a crafted HTTP request. | ||||
| CVE-2025-24344 | 2025-05-02 | 6.3 Medium | ||
| A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to inject arbitrary HTML tags and, possibly, execute arbitrary client-side code in the context of another user's browser via a crafted HTTP request. | ||||
| CVE-2025-23179 | 2025-05-02 | 5.5 Medium | ||
| CWE-798: Use of Hard-coded Credentials | ||||
| CVE-2025-23178 | 2025-05-02 | 7.6 High | ||
| CWE-923: Improper Restriction of Communication Channel to Intended Endpoints | ||||
| CVE-2025-27611 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2025-05-02 | 7.5 High |
| base-x is a base encoder and decoder of any given alphabet using bitcoin style leading zero compression. Versions 4.0.0, 5.0.0, and all prior to 3.0.11, are vulnerable to attackers potentially deceiving users into sending funds to an unintended address. This issue has been patched in versions 3.0.11, 4.0.1, and 5.0.1. | ||||
| CVE-2025-46552 | 2025-05-02 | N/A | ||
| KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses without proper access controls. This allowed unauthorized users to access sensitive user information by directly calling specific endpoints. This issue has been patched in a later commit on version 1.2. | ||||
| CVE-2025-4078 | 2025-05-02 | 4.3 Medium | ||
| A vulnerability, which was classified as problematic, has been found in Wangshen SecGate 3600 2400. This issue affects some unknown processing of the file ?g=log_export_file. The manipulation of the argument file_name leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-47154 | 2025-05-02 | 9 Critical | ||
| LibJS in Ladybird before f5a6704 mishandles the freeing of the vector that arguments_list references, leading to a use-after-free, and allowing remote attackers to execute arbitrary code via a crafted .js file. NOTE: the GitHub README says "Ladybird is in a pre-alpha state, and only suitable for use by developers." | ||||
| CVE-2025-24350 | 2025-05-02 | 7.1 High | ||
| A vulnerability in the “Certificates and Keys” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary certificates in arbitrary file system paths via a crafted HTTP request. | ||||
| CVE-2025-24349 | 2025-05-02 | 7.1 High | ||
| A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to delete the configuration of physical network interfaces via a crafted HTTP request. | ||||
| CVE-2025-24345 | 2025-05-02 | 6.3 Medium | ||
| A vulnerability in the “Hosts” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the “hosts” file in an unintended manner via a crafted HTTP request. | ||||
| CVE-2025-24343 | 2025-05-02 | 5.4 Medium | ||
| A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary files in arbitrary file system paths via a crafted HTTP request. | ||||
| CVE-2025-24342 | 2025-05-02 | 5.3 Medium | ||
| A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests. | ||||
| CVE-2025-24341 | 2025-05-02 | 6.5 Medium | ||
| A vulnerability in the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to induce a Denial-of-Service (DoS) condition on the device via multiple crafted HTTP requests. In the worst case, a full power cycle is needed to regain control of the device. | ||||