Export limit exceeded: 44032 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44032 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49458 | 1 Zoom | 8 Meeting Software Development Kit, Rooms, Rooms Controller and 5 more | 2025-10-17 | 6.5 Medium |
| Buffer overflow in certain Zoom Workplace Clients may allow an authenticated user to conduct a denial of service via network access. | ||||
| CVE-2025-57350 | 1 Keyangxiang | 1 Csvtojson | 2025-10-17 | 8.6 High |
| The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability in versions prior to 2.0.10. This issue arises due to insufficient sanitization of nested header names during the parsing process in the parser_jsonarray component. When processing CSV input containing specially crafted header fields that reference prototype chains (e.g., using __proto__ syntax), the application may unintentionally modify properties of the base Object prototype. This vulnerability can lead to denial of service conditions or unexpected behavior in applications relying on unmodified prototype chains, particularly when untrusted CSV data is processed. The flaw does not require user interaction beyond providing a maliciously constructed CSV file. | ||||
| CVE-2025-57330 | 1 Web3js | 1 Web3-core-subscriptions | 2025-10-17 | 7.5 High |
| The web3-core-subscriptions is a package designed to manages web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | ||||
| CVE-2025-57347 | 1 Tbo47 | 1 Dagre-d3-es | 2025-10-17 | 9.8 Critical |
| A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure. | ||||
| CVE-2025-57348 | 1 Node-cube | 1 Node-cube | 2025-10-17 | 6.5 Medium |
| The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper validation of user-supplied input in the package's resource initialization process. Successful exploitation may lead to denial of service or arbitrary code execution in affected environments. The vulnerability affects versions up to and including 5.0.0-beta.19, and no official fix has been released to date. | ||||
| CVE-2025-57349 | 1 Openjsf | 1 Messageformat | 2025-10-17 | 7.5 High |
| The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component. | ||||
| CVE-2025-57321 | 1 Magix-combine-ex Project | 1 Magix-combine-ex | 2025-10-17 | 9.8 Critical |
| A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | ||||
| CVE-2025-57323 | 1 Regularjs | 1 Mpregular | 2025-10-17 | 7.5 High |
| mpregular is a package that provides a small program development framework based on RegularJS. A Prototype Pollution vulnerability in the mp.addEventHandler function of mpregular version 0.2.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | ||||
| CVE-2025-46656 | 1 Matthewwithanm | 1 Markdownify | 2025-10-16 | 2.9 Low |
| python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption. | ||||
| CVE-2025-59944 | 2 Anysphere, Cursor | 2 Cursor, Cursor | 2025-10-16 | 8.1 High |
| Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE protects its sensitive files (e.g., */.cursor/mcp.json), which allows attackers to modify the content of these files through prompt injection and achieve remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive fileystems. This issue is fixed in version 1.7. | ||||
| CVE-2025-59938 | 2 Microsoft, Wazuh | 2 Windows, Wazuh | 2025-10-16 | 6.5 Medium |
| Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions starting from 3.8.0 to before 4.11.0, wazuh-analysisd is vulnerable to a heap buffer overflow when parsing XML elements from Windows EventChannel messages. This issue has been patched in version 4.11.0. | ||||
| CVE-2025-51495 | 1 Cesanta | 1 Mongoose | 2025-10-16 | 7.5 High |
| An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebSocket request, an attacker can cause the application to crash. If downstream vendors integrate this component improperly, the issue may lead to a buffer overflow. | ||||
| CVE-2025-57326 | 1 Sassdoc | 1 Sassdoc-extras | 2025-10-16 | 7.5 High |
| A Prototype Pollution vulnerability in the byGroupAndType function of sassdoc-extras v2.5.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | ||||
| CVE-2025-11012 | 1 Behaviortree | 1 Behaviortree | 2025-10-16 | 5.3 Medium |
| A vulnerability was determined in BehaviorTree up to 4.7.0. This affects the function ParseScript of the file /src/script_parser.cpp of the component Diagnostic Message Handler. Executing manipulation of the argument error_msgs_buffer can lead to stack-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. This patch is called cb6c7514efa628adb8180b58b4c9ccdebbe096e3. A patch should be applied to remediate this issue. | ||||
| CVE-2025-11014 | 2 Ogre3d, Ogrecave | 2 Ogre, Ogre | 2025-10-16 | 5.3 Medium |
| A security flaw has been discovered in OGRECave Ogre up to 14.4.1. This issue affects the function STBIImageCodec::encode of the file /ogre/PlugIns/STBICodec/src/OgreSTBICodec.cpp of the component Image Handler. The manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-57324 | 1 Parseplatform | 1 Parse Javascript Sdk | 2025-10-16 | 6.5 Medium |
| parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse version 5.3.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | ||||
| CVE-2025-57320 | 1 Open-federation | 1 Json-schema-editor-visual | 2025-10-16 | 6.5 Medium |
| json-schema-editor-visual is a package that provides jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData function of json-schema-editor-visual versions thru 1.1.1 allows attackers to inject or delete properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | ||||
| CVE-2025-57318 | 1 Pradeep-mishra | 1 Csvjson | 2025-10-16 | 7.5 High |
| A Prototype Pollution vulnerability in the toCsv function of csvjson versions thru 5.1.0 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence. | ||||
| CVE-2025-45587 | 1 Audi | 2 Universal Traffic Recorder, Universal Traffic Recorder Firmware | 2025-10-16 | 7 High |
| A stack overflow in the FTP service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | ||||
| CVE-2024-45070 | 2 Openatom, Openharmony | 2 Openharmony, Openharmony | 2025-10-16 | 5.5 Medium |
| in OpenHarmony v4.1.2 and prior versions allow a local attacker cause information leak through out-of-bounds Read. | ||||