Export limit exceeded: 10325 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 11393 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11393 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11417 | 1 Campcodes | 1 Advanced Online Voting System | 2025-10-09 | 6.3 Medium |
| A weakness has been identified in Campcodes Advanced Online Voting Management System 1.0. This vulnerability affects unknown code of the file /admin/voters_add.php. Executing manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-11436 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 6.3 Medium |
| A vulnerability was detected in JhumanJ OpnForm up to 1.9.3. Affected by this issue is some unknown functionality of the file /answer. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as 95c3e23856465d202e6aec10bdb6ee0688b5305a. It is advisable to implement a patch to correct this issue. | ||||
| CVE-2025-11440 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 4.3 Medium |
| A vulnerability was determined in JhumanJ OpnForm up to 1.9.3. Impacted is an unknown function of the file /edit. Executing manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This patch is called b15e29021d326be127193a5dbbd528c4e37e6324. Applying a patch is advised to resolve this issue. | ||||
| CVE-2025-2978 | 1 Wcms | 1 Wcms | 2025-10-09 | 6.3 Medium |
| A vulnerability was found in WCMS 11. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?articleadmin/upload/?&CKEditor=container&CKEditorFuncNum=1 of the component Article Publishing Page. The manipulation of the argument Upload leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3255 | 1 Xujiangfei | 1 Admintwo | 2025-10-09 | 4.3 Medium |
| A vulnerability was found in xujiangfei admintwo 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /user/home. The manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3256 | 1 Xujiangfei | 1 Admintwo | 2025-10-09 | 6.3 Medium |
| A vulnerability was found in xujiangfei admintwo 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /user/updateSet. The manipulation of the argument email leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-11470 | 2 Nikhil-bhalerao, Sourcecodester | 2 Hotel And Lodge Management System, Hotel And Lodge Management System | 2025-10-09 | 4.7 Medium |
| A security vulnerability has been detected in SourceCodester Hotel and Lodge Management System up to 1.0. The impacted element is an unknown function of the file /manage_website.php. The manipulation of the argument website_image/back_login_image leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2023-36404 | 1 Microsoft | 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more | 2025-10-08 | 5.5 Medium |
| Windows Kernel Information Disclosure Vulnerability | ||||
| CVE-2025-20366 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2025-10-08 | 6.5 Medium |
| In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background. If the low privileged user guesses the search job’s unique Search ID (SID), the user could retrieve the results of that job, potentially exposing sensitive search results. For more information see https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/about-jobs-and-job-management and https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/manage-search-jobs. | ||||
| CVE-2025-11026 | 2 Givanz, Vvveb | 2 Vvveb, Vvveb | 2025-10-08 | 3.5 Low |
| A vulnerability was determined in givanz Vvveb up to 1.0.7.2. Affected by this vulnerability is an unknown functionality of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release." | ||||
| CVE-2025-0742 | 1 Thesamur | 1 Embedai | 2025-10-08 | 5.8 Medium |
| An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain files stored by others users by changing the "FILE_ID" of the endpoint "/embedai/files/show/<FILE_ID>". | ||||
| CVE-2025-0743 | 1 Thesamur | 1 Embedai | 2025-10-08 | 5.3 Medium |
| An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to leverage the endpoint "/embedai/visits/show/<VISIT_ID>" to obtain information about the visits made by other users. The information provided by this endpoint includes IP address, userAgent and location of the user that visited the web page. | ||||
| CVE-2025-0744 | 1 Thesamur | 1 Embedai | 2025-10-08 | 7.5 High |
| an Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker change his subscription plan without paying by making a POST request changing the parameters of the "/demos/embedai/pmt_cash_on_delivery/pay" endpoint. | ||||
| CVE-2025-59333 | 1 Executeautomation | 2 Mcp-database-server, Mcp Database Server | 2025-10-08 | 8.1 High |
| The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a "read-only" mode. This vulnerability affects only the npm distribution; other distributions are not impacted. As a result, the server is susceptible to abuse and attacks on affected database systems such as PostgreSQL, and potentially others that expose elevated functionalities. These attacks may lead to denial of service and other unexpected behaviors. | ||||
| CVE-2025-6763 | 2 Comet System, Cometsystem | 30 H3531, P8510, P8552 and 27 more | 2025-10-08 | 8.1 High |
| A vulnerability was found in Comet System T0510, T3510, T3511, T4511, T6640, T7511, T7611, P8510, P8552 and H3531 1.60. Affected by this issue is some unknown functionality of the file /setupA.cfg of the component Web-based Management Interface. Performing manipulation results in missing authentication. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used. There are still doubts about whether this vulnerability truly exists. The vendor explains, that "[d]evices described at CVE are not intended to be exposed into internet and proper security of devices is to end-users." | ||||
| CVE-2025-0745 | 1 Thesamur | 1 Embedai | 2025-10-08 | 7.5 High |
| An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain the backups of the database by requesting the "/embedai/app/uploads/database/<SQL_FILE>" endpoint. | ||||
| CVE-2025-59932 | 2 Flagforge, Flagforgectf | 2 Flagforge, Flagforge | 2025-10-08 | 8.6 High |
| Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the /api/resources endpoint previously allowed POST and DELETE requests without proper authentication or authorization. This could have enabled unauthorized users to create, modify, or delete resources on the platform. The issue has been fixed in FlagForge version 2.3.1. | ||||
| CVE-2024-36451 | 2 Gentoo, Webmin | 2 Webmin, Webmin | 2025-10-08 | 8.8 High |
| Improper handling of insufficient permissions or privileges vulnerability exists in ajaxterm module of Webmin prior to 2.003. If this vulnerability is exploited, a console session may be hijacked by an unauthorized user. As a result, data within a system may be referred, a webpage may be altered, or a server may be permanently halted. | ||||
| CVE-2024-36467 | 1 Zabbix | 1 Zabbix | 2025-10-08 | 7.5 High |
| An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI access. | ||||
| CVE-2025-27238 | 1 Zabbix | 1 Zabbix | 2025-10-08 | 3.5 Low |
| Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them. | ||||