Export limit exceeded: 344013 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344013 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2008-0888 | 5 Apple, Canonical, Debian and 2 more | 5 Mac Os X, Ubuntu Linux, Debian Linux and 2 more | 2025-08-26 | N/A |
| The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data. | ||||
| CVE-2025-22495 | 2025-08-26 | 8.4 High | ||
| An improper input validation vulnerability was discovered in the NTP server configuration field of the Network-M2 card. This could result in an authenticated high privileged user having the ability to execute arbitrary commands. The vulnerability has been resolved in the version 3.0.4. Note - Network-M2 has been declared end-of-life in early 2024 and Network-M3 has been released as a fit-and-functional replacement. | ||||
| CVE-2025-22491 | 2025-08-26 | 6.7 Medium | ||
| The user input was not sanitized on Reporting Hierarchy Management page of Foreseer Reporting Software (FRS) application which could lead into execution of arbitrary JavaScript in a browser context for all the interacting users. This security issue has been patched in the latest version 1.5.100 of the FRS. | ||||
| CVE-2024-31416 | 1 Eaton | 1 Foreseer Electrical Power Monitoring System | 2025-08-26 | 5.6 Medium |
| The Eaton Foreseer software provides multiple customizable input fields for the users to configure parameters in the tool like alarms, reports, etc. Some of these input fields were not checking the length and bounds of the entered value. The exploit of this security flaw by a bad actor may result in excessive memory consumption or integer overflow. | ||||
| CVE-2024-31415 | 1 Eaton | 1 Foreseer Electrical Power Monitoring System | 2025-08-26 | 6.3 Medium |
| The Eaton Foreseer software provides the feasibility for the user to configure external servers for multiple purposes such as network management, user management, etc. The software uses encryption to store these configurations securely on the host machine. However, the keys used for this encryption were insecurely stored, which could be abused to possibly change or remove the server configuration. | ||||
| CVE-2025-57768 | 1 Phproject | 1 Phproject | 2025-08-26 | N/A |
| Phproject is a high performance full-featured project management system. From 1.8.0 to before 1.8.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Planned Hours field when creating a new project. When sending a POST request to /issues/new/, the value provided in the Planned Hours field is included in the server response without any HTML encoding or sanitization. Because of this, an attacker can craft a malicious payload such as <script>alert(1)</script> and include it in the planned_hours parameter. The server reflects the input directly in the HTML of the project creation page, causing the browser to interpret and execute it. This vulnerability is fixed in 1.8.3. | ||||
| CVE-2025-5514 | 1 Mitsubishi Electric | 1 Melsec Iq-f Series | 2025-08-26 | 5.3 Medium |
| Improper Handling of Length Parameter Inconsistency vulnerability in web server function on Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to delay the processing of the web server function and prevent legitimate users from utilizing the web server function, by sending a specially crafted HTTP request. | ||||
| CVE-2025-3456 | 1 Arista | 1 Eos | 2025-08-26 | 3.8 Low |
| On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships. | ||||
| CVE-2025-3478 | 1 Opentext | 1 Enterprise Security Manager | 2025-08-26 | N/A |
| A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText Enterprise Security Manager. The vulnerability could be remotely exploited. | ||||
| CVE-2025-9416 | 1 Oitcode | 1 Samarium | 2025-08-26 | 2.4 Low |
| A security flaw has been discovered in oitcode samarium up to 0.9.6. This vulnerability affects unknown code of the file /cms/webpage/ of the component Pages Image Handler. The manipulation results in cross site scripting. The attack may be performed from a remote location. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-53119 | 1 Securden | 1 Unified Pam | 2025-08-26 | 7.5 High |
| An unauthenticated unrestricted file upload vulnerability allows an attacker to upload malicious binaries and scripts to the server. | ||||
| CVE-2025-6737 | 1 Securden | 1 Unified Pam | 2025-08-26 | 7.2 High |
| Securden’s Unified PAM Remote Vendor Gateway access portal shares infrastructure and access tokens across multiple tenants. A malicious actor can obtain authentication material and access the gateway server with low-privilege permissions. | ||||
| CVE-2025-53120 | 1 Securden | 1 Unified Pam | 2025-08-26 | 9.4 Critical |
| A path traversal vulnerability in unauthenticated upload functionality allows a malicious actor to upload binaries and scripts to the server’s configuration and web root directories, achieving remote code execution on the Unified PAM server. | ||||
| CVE-2025-53118 | 1 Securden | 1 Unified Pam | 2025-08-26 | 9.8 Critical |
| An authentication bypass vulnerability exists which allows an unauthenticated attacker to control administrator backup functions, leading to compromise of passwords, secrets, and application session tokens stored by the Unified PAM. | ||||
| CVE-2024-52301 | 2 Debian, Laravel | 2 Debian Linux, Framework | 2025-08-26 | 7.5 High |
| Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs. | ||||
| CVE-2024-52589 | 1 Discourse | 1 Discourse | 2025-08-26 | 2.2 Low |
| Discourse is an open source platform for community discussion. Moderators can see the Screened emails list in the admin dashboard, and through that can learn the email of a user. This problem is patched in the latest version of Discourse. Users unable to upgrade should remove moderator role from untrusted users. | ||||
| CVE-2024-52794 | 1 Discourse | 1 Discourse | 2025-08-26 | 6.8 Medium |
| Discourse is an open source platform for community discussion. Users clicking on the lightbox thumbnails could be affected. This problem is patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-53991 | 1 Discourse | 1 Discourse | 2025-08-26 | 7.5 High |
| Discourse is an open source platform for community discussion. This vulnerability only impacts Discourse instances configured to use `FileStore::LocalStore` which means uploads and backups are stored locally on disk. If an attacker knows the name of the Discourse backup file, the attacker can trick nginx into sending the Discourse backup file with a well crafted request. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade can either 1. Download all local backups on to another storage device, disable the `enable_backups` site setting and delete all backups until the site has been upgraded to pull in the fix. Or 2. Change the `backup_location` site setting to `s3` so that backups are stored and downloaded directly from S3. | ||||
| CVE-2024-56362 | 1 Navidrome | 1 Navidrome | 2025-08-26 | 7.1 High |
| Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1. | ||||
| CVE-2025-30353 | 2 Directus, Monospace | 2 Directus, Directus | 2025-08-26 | 8.6 High |
| Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. Version 11.5.0 fixes the issue. | ||||