Search Results (344069 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66021 | 1 Owasp | 1 Java Html Sanitizer | 2025-12-30 | 6.1 Medium |
| OWASP Java HTML Sanitizer is a configurable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third parties in web applications while protecting against XSS. In version 20240325.1, OWASP Java HTML Sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that the CSS is not sanitised and tags that are not mentioned in the HTML policy are allowed. At time of publication no known patch is available. | ||||
| CVE-2025-66575 | 1 Veepn | 1 Veepn | 2025-12-30 | 7.8 High |
| VeeVPN 1.6.1 contains an unquoted service path vulnerability in the VeePNService that allows remote attackers to execute code during startup or reboot with escalated privileges. Attackers can exploit this by providing a malicious service name, allowing them to inject commands and run as LocalSystem. | ||||
| CVE-2024-6060 | 1 Phloc | 1 Webscopes | 2025-12-30 | N/A |
| An information disclosure vulnerability in Phloc Webscopes 7.0.0 allows local attackers with access to the log files to view logged HTTP requests that contain user passwords or other sensitive information. | ||||
| CVE-2025-65239 | 2 Opencode, Opencode Systems | 2 Ussd Gateway, Ussd Gateway | 2025-12-30 | 4.3 Medium |
| Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs. | ||||
| CVE-2025-26155 | 2 Microsoft, Ncp-e | 5 Windows, Ncp Secure Entry Client, Secure Client and 2 more | 2025-12-30 | 9.8 Critical |
| NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability. | ||||
| CVE-2025-13742 | 1 Pretix | 1 Pretix | 2025-12-30 | 6.1 Medium |
| Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing. | ||||
| CVE-2025-65681 | 1 Edly | 1 Tutor | 2025-12-30 | 3.3 Low |
| An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks. | ||||
| CVE-2025-65276 | 2 Hashtech Project, Henzljw | 2 Hashtech, Hashtech | 2025-12-30 | 9.8 Critical |
| An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 thru commit 5919decaff2681dc250e934814fc3a35f6093ee5 (2021-07-02). Due to missing authentication checks on /admin_index.php, an attacker can directly access the admin dashboard without valid credentials. This allows full administrative control including viewing/modifying user accounts, managing orders, changing payments, and editing product listings. Successful exploitation can lead to information disclosure, data manipulation, and privilege escalation. | ||||
| CVE-2025-65278 | 2 Grocerymart Project, Komal97 | 2 Grocerymart, Grocerymart | 2025-12-30 | 7.5 High |
| An issue was discovered in file users.json in GroceryMart commit 21934e6 (2020-10-23) allowing unauthenticated attackers to gain sensitive information including plaintext usernames and passwords. | ||||
| CVE-2025-40934 | 2 Perl, Xml\ | 2 Xml::sig, \ | 2025-12-30 | 9.3 Critical |
| XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. An attacker can remove the signature from the XML document to make it pass the verification check. XML-Sig is a Perl module to validate signatures on XML files. An unsigned XML file should return an error message. The affected versions return true when attempting to validate an XML file that contains no signatures. | ||||
| CVE-2025-12106 | 1 Openvpn | 1 Openvpn | 2025-12-30 | 9.1 Critical |
| Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses. | ||||
| CVE-2025-55129 | 2 Aquaplatform, Revive | 2 Revive Adserver, Adserver | 2025-12-30 | N/A |
| HackerOne community member Kassem S. (kassem_s94) has reported that username handling in Revive Adserver was still vulnerable to impersonation attacks after the fix for CVE-2025-52672, via several alternate techniques. Homoglyph-based impersonation has been independently reported by other HackerOne users, such as itz_hari_ and khoof. | ||||
| CVE-2023-54290 | | | 2025-12-30 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2023-54256 | | | 2025-12-30 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2023-54212 | | | 2025-12-30 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2023-54103 | | | 2025-12-30 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2023-54054 | | | 2025-12-30 | 7.0 High |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2022-50831 | | | 2025-12-30 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2024-58323 | 1 Kentico | 1 Xperience | 2025-12-30 | 5.4 Medium |
| A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows malicious scripts to execute in users' browsers by exploiting HTML support in the form builder. | ||||
| CVE-2024-58322 | 1 Kentico | 1 Xperience | 2025-12-30 | 5.4 Medium |
| A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of sensitive data by executing malicious scripts in users' browsers. | ||||