Export limit exceeded: 343222 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343222 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-25447 | 1 Orientdb | 1 Orientdb | 2026-04-07 | 4.3 Medium |
| OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes, manage users, and create functions by sending authenticated requests without token validation, combined with reflected and stored cross-site scripting vulnerabilities in the web interface. | ||||
| CVE-2019-25446 | 1 Digit-rs | 1 Digit Centris | 2026-04-07 | 8.2 High |
| DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these parameters to extract or modify sensitive database information. | ||||
| CVE-2019-25445 | 1 Phpscriptsmall | 1 Fiverr Clone Script | 2026-04-07 | 6.1 Medium |
| Fiverr Clone Script 1.2.2 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft URLs with script tags in the keyword parameter of search-results.php to execute arbitrary JavaScript in users' browsers. | ||||
| CVE-2019-25444 | 1 Phpscriptsmall | 1 Fiverr Clone Script | 2026-04-07 | 9.1 Critical |
| Fiverr Clone Script 1.2.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the page parameter. Attackers can supply malicious SQL syntax in the page parameter to extract sensitive database information or modify database contents. | ||||
| CVE-2019-25443 | 1 Edlangley | 1 Inventory-webapp | 2026-04-07 | 8.2 High |
| Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat_id parameters to add-item.php to execute arbitrary database commands. | ||||
| CVE-2019-25442 | 1 Webwiz | 1 Web Wiz Forums | 2026-04-07 | 7.5 High |
| Web Wiz Forums 12.01 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the PF parameter. Attackers can send GET requests to member_profile.asp with malicious PF values to extract sensitive database information. | ||||
| CVE-2019-25441 | 1 Kostasmitroglou | 1 Thesystem | 2026-04-07 | 9.8 Critical |
| thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication. | ||||
| CVE-2019-25440 | 1 Webincorp | 1 Webincorp Erp | 2026-04-07 | 8.2 High |
| WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. Attackers can send GET requests to product_detail.php with malicious prod_id values to extract sensitive database information. | ||||
| CVE-2019-25439 | 1 Novismart | 1 Novismart Cms | 2026-04-07 | 8.2 High |
| NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to extract sensitive database information or cause denial of service. | ||||
| CVE-2019-25438 | 2 Agilebio, Labcollector | 2 Labcollector, Labcollector | 2026-04-07 | 7.5 High |
| LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the login parameter of login.php or the user_name parameter of retrieve_password.php to extract sensitive database information without authentication. | ||||
| CVE-2019-25437 | 1 Foscam | 1 Foscam Video Management System | 2026-04-07 | 6.2 Medium |
| Foscam Video Management System 1.1.6.6 contains a buffer overflow vulnerability in the UID field that allows local attackers to crash the application by supplying an excessively long string. Attackers can input a 5000-character buffer into the UID parameter during device addition to trigger an application crash when the Login Check function is invoked. | ||||
| CVE-2019-25436 | 1 Sricam | 1 Deviceviewer | 2026-04-07 | 6.5 Medium |
| Sricam DeviceViewer 3.12.0.1 contains a password change security bypass vulnerability that allows authenticated users to change passwords without proper validation of the old password field. Attackers can inject a large payload into the old password parameter during the change password process to bypass validation and set an arbitrary new password. | ||||
| CVE-2019-25435 | 1 Sricam | 1 Deviceviewer | 2026-04-07 | 7.8 High |
| Sricam DeviceViewer 3.12.0.1 contains a local buffer overflow vulnerability in the user management add user function that allows authenticated attackers to execute arbitrary code by bypassing data execution prevention. Attackers can inject a malicious payload through the Username field in User Management to trigger a stack-based buffer overflow and execute commands via ROP chain gadgets. | ||||
| CVE-2019-25434 | 1 Nsasoft | 2 Nsauditor Spotauditor, Spotauditor | 2026-04-07 | 7.5 High |
| SpotAuditor 5.3.1.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting excessive data in the registration name field. Attackers can enter a large string of characters (5000 bytes or more) in the name field during registration to trigger an unhandled exception that crashes the application. | ||||
| CVE-2019-25433 | 1 Xoops | 1 Xoops | 2026-04-07 | 8.2 High |
| XOOPS CMS 2.5.9 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the gerar_pdf.php endpoint with malicious cid values to extract sensitive database information. | ||||
| CVE-2019-25432 | 2 Part-db, Part-db Project | 2 Part-db, Part-db | 2026-04-07 | 7.5 High |
| Part-DB 0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to login by injecting SQL syntax into authentication parameters. Attackers can submit a single quote followed by 'or' in the login form to bypass credential validation and gain unauthorized access to the application. | ||||
| CVE-2019-25431 | 1 Delpino73 | 1 Blue-smiley-organizer | 2026-04-07 | 8.2 High |
| delpino73 Blue-Smiley-Organizer 1.32 contains an SQL injection vulnerability in the datetime parameter that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL code through POST requests to extract sensitive data using boolean-based blind and time-based blind techniques, or write files to the server using INTO OUTFILE statements. | ||||
| CVE-2019-25391 | 1 Ashopsoftware | 1 Ashop Shopping Cart Software | 2026-04-07 | 8.2 High |
| Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. Attackers can send POST requests to the admin/bannedcustomers.php endpoint with crafted SQL payloads using SLEEP functions to extract sensitive database information. | ||||
| CVE-2019-25366 | 1 Microasp | 1 Microasp (portal+) Cms | 2026-04-07 | 8.2 High |
| microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using extractvalue and concat functions to extract sensitive database information like the current database name. | ||||
| CVE-2019-25321 | 2 Internet-soft, Softpedia | 2 Ftp Navigator, Ftp Navigator | 2026-04-07 | 9.8 Critical |
| FTP Navigator 8.03 contains a stack overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) registers. Attackers can craft a malicious payload that triggers a buffer overflow when pasted into the Custom Command textbox, enabling remote code execution and launching the calculator as proof of concept. | ||||