Total
291504 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1056 | 2025-04-23 | 6.1 Medium | ||
| Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has identified an issue with a specific file that the server is using. A non-admin user can modify this file to either create files or change the content of files in an admin-protected location. Axis has released a patched version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | ||||
| CVE-2025-1732 | 2025-04-23 | 6.7 Medium | ||
| An improper privilege management vulnerability in the recovery function of the USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device. | ||||
| CVE-2025-1950 | 1 Ibm | 1 Power Hardware Management Console | 2025-04-23 | 9.3 Critical |
| IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands locally due to improper validation of libraries of an untrusted source. | ||||
| CVE-2025-2092 | 2025-04-23 | N/A | ||
| Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p29, <2.2.0p41 and <=2.1.0p49 (EOL) causes remote site authentication secrets to be written to log files accessible to administrators. | ||||
| CVE-2025-2298 | 2025-04-23 | N/A | ||
| An improper authorization vulnerability in Dremio Software allows authenticated users to delete arbitrary files that the system has access to, including system files and files stored in remote locations such as S3, Azure Blob Storage, and local filesystems. This vulnerability exists due to insufficient access controls on an API endpoint, enabling any authenticated user to specify and delete files outside their intended scope. Exploiting this flaw could lead to data loss, denial of service (DoS), and potential escalation of impact depending on the deleted files. Affected versions: * Any version of Dremio below 24.0.0 * Dremio 24.3.0 - 24.3.16 * Dremio 25.0.0 - 25.0.14 * Dremio 25.1.0 - 25.1.7 * Dremio 25.2.0 - 25.2.4 Fixed in version: * Dremio 24.3.17 and above * Dremio 25.0.15 and above * Dremio 25.1.8 and above * Dremio 25.2.5 and above * Dremio 26.0.0 and above | ||||
| CVE-2025-23175 | 2025-04-23 | 6.1 Medium | ||
| Multiple XSS (CWE-79) | ||||
| CVE-2025-23253 | 2025-04-23 | 2.5 Low | ||
| NVIDIA NvContainer service for Windows contains a vulnerability in its usage of OpenSSL, where an attacker could exploit a hard-coded constant issue by copying a malicious DLL in a hard-coded path. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | ||||
| CVE-2025-26159 | 2025-04-23 | 6.1 Medium | ||
| Laravel Starter 11.11.0 is vulnerable to Cross Site Scripting (XSS) in the tags feature. Any user with the ability of create or modify tags can inject malicious JavaScript code in the name field. | ||||
| CVE-2025-26413 | 2025-04-23 | N/A | ||
| Improper Input Validation vulnerability in Apache Kvrocks. The SETRANGE command didn't check if the `offset` input is a positive integer and use it as an index of a string. So it will cause the server to crash due to its index is out of range. This issue affects Apache Kvrocks: through 2.11.1. Users are recommended to upgrade to version 2.12.0, which fixes the issue. | ||||
| CVE-2025-27086 | 2025-04-23 | 8.1 High | ||
| A vulnerability in the HPE Performance Cluster Manager (HPCM) GUI could allow an attacker to bypass authentication. | ||||
| CVE-2025-27907 | 1 Ibm | 1 Websphere Application Server | 2025-04-23 | 4.1 Medium |
| IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | ||||
| CVE-2025-28031 | 2025-04-23 | 6.5 Medium | ||
| TOTOLINK A810R V4.1.2cu.5182_B20201026 was discovered to contain a hardcoded password for the telnet service in product.ini. | ||||
| CVE-2025-28038 | 2025-04-23 | 9.8 Critical | ||
| TOTOLINK EX1200T V4.1.2cu.5232_B20210713 was found to contain a pre-auth remote command execution vulnerability in the setWebWlanIdx function through the webWlanIdx parameter. | ||||
| CVE-2025-28102 | 2025-04-23 | 6.1 Medium | ||
| A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost. | ||||
| CVE-2025-28103 | 2025-04-23 | N/A | ||
| Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request. | ||||
| CVE-2025-28367 | 2025-04-23 | 6.5 Medium | ||
| mojoPortal <=2.9.0.1 is vulnerable to Directory Traversal via BetterImageGallery API Controller - ImageHandler Action. An attacker can exploit this vulnerability to access the Web.Config file and obtain the MachineKey. | ||||
| CVE-2025-2839 | 2025-04-23 | 6.4 Medium | ||
| The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-29446 | 2025-04-23 | N/A | ||
| open-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py in function verify_connection. | ||||
| CVE-2025-29621 | 2025-04-23 | 7.3 High | ||
| Francois Jacquet RosarioSIS v12.0.0 was discovered to contain a content spoofing vulnerability in the Theme configuration under the My Preferences module. This vulnerability allows attackers to manipulate application settings. | ||||
| CVE-2025-29659 | 2025-04-23 | 9.8 Critical | ||
| Yi IOT XY-3820 6.0.24.10 is vulnerable to Remote Command Execution via the "cmd_listen" function located in the "cmd" binary. | ||||