Export limit exceeded: 342067 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (342067 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12173 | 2 Winkm89, Wordpress | 2 Wp Admin Microblog, Wordpress | 2025-11-19 | 4.3 Medium |
| The WP Admin Microblog plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'wp-admin-microblog' page. This makes it possible for unauthenticated attackers to send messages on behalf of an administrator via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-12691 | 2 Sayontan, Wordpress | 2 Photonic Gallery & Lightbox, Wordpress | 2025-11-19 | 6.4 Medium |
| The Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox functionality in all versions up to, and including, 3.21 due to insufficient input sanitization and output escaping on user supplied caption attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | ||||
| CVE-2025-0351 | 2025-11-19 | N/A | ||
| Voluntarily withdrawn | ||||
| CVE-2025-65941 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65940 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65939 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65938 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65937 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65936 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65935 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65934 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-65933 | 2025-11-19 | N/A | ||
| Not used | ||||
| CVE-2025-34123 | 1 Videocharge | 1 Videocharge Studio | 2025-11-19 | N/A |
| A stack-based buffer overflow vulnerability exists in VideoCharge Studio 2.12.3.685 when processing a specially crafted .VSC configuration file. The issue occurs due to improper handling of user-supplied data in the XML 'Name' attribute, leading to an SEH overwrite condition. An attacker can exploit this vulnerability by convincing a user to open a malicious .VSC file, resulting in arbitrary code execution under the context of the user. | ||||
| CVE-2025-34136 | 1 Commvault | 1 Commvault | 2025-11-19 | N/A |
| An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected. | ||||
| CVE-2025-34139 | 1 Sitecore | 4 Experience Commerce, Experience Manager, Experience Platform and 1 more | 2025-11-19 | N/A |
| A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected. | ||||
| CVE-2025-34157 | 1 Coollabs | 1 Coolify | 2025-11-19 | 9.0 Critical |
| Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers. | ||||
| CVE-2025-34159 | 1 Coollabs | 1 Coolify | 2025-11-19 | 8.8 High |
| Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server. | ||||
| CVE-2025-34160 | 1 Aishu | 1 Anyshare Cloud | 2025-11-19 | N/A |
| AnyShare contains a critical unauthenticated remote code execution vulnerability in the ServiceAgent API exposed on port 10250. The endpoint /api/ServiceAgent/start_service accepts user-supplied input via POST and fails to sanitize command-like payloads. An attacker can inject shell syntax that is interpreted by the backend, enabling arbitrary command execution. The vulnerability is presumed to affect builds released prior to August 2025 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 UTC. | ||||
| CVE-2025-34161 | 1 Coollabs | 1 Coolify | 2025-11-19 | 8.8 High |
| Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise. | ||||
| CVE-2025-34267 | 1 Flowiseai | 1 Flowise | 2025-11-19 | 9.9 Critical |
| Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An authenticated attacker able to create or run a tool that leverages Puppeteer/Playwright can specify attacker-controlled browser binary paths and parameters. When the tool executes, the attacker-controlled executable/parameters are run on the host and circumvent the intended nodevm sandbox restrictions, resulting in execution of arbitrary code in the context of the host. This vulnerability was incorrectly assigned as a duplicate CVE-2025-26319 by the developers and should be considered distinct from that identifier. | ||||