Search

Search Results (312630 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-59489 2025-10-03 7.4 High
Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications.
CVE-2025-10708 1 Four-faith 1 Water Conservancy Informatization 2025-10-03 5.3 Medium
A security vulnerability has been detected in Four-Faith Water Conservancy Informatization Platform 1.0. Affected by this vulnerability is an unknown functionality of the file /history/historyDownload.do;usrlogout.do. The manipulation of the argument fileName leads to path traversal. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2014-2358 1 Fox-it 1 Fox Datadiode 2025-10-03 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative web interface in the proxy server on Fox-IT Fox DataDiode appliances before 1.7.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create administrative users, (2) remove administrative users, or (3) change permissions.
CVE-2025-61591 2025-10-03 8.8 High
Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication with an untrusted MCP server, an attacker can impersonate a malicious MCP server and return crafted, maliciously injected commands during the interaction process, leading to command injection and potential remote code execution. If chained with an untrusted MCP service via OAuth, this command injection vulnerability could allow arbitrary code execution on the host by the agent. This can then be used to directly compromise the system by executing malicious commands with full user privileges. This issue does not currently have a fixed release version, but there is a patch, 2025.09.17-25b418f.
CVE-2025-61590 2025-10-03 7.5 High
Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (RCE) attacks through Visual Studio Code Workspaces. Workspaces allow users to open more than a single folder and save specific settings (pretty similar to .vscode/settings.json) for the folders / project. An untitled workspace is automatically created by VS Code (untitled.code-workspace), which contains all the folders and workspace settings from the user's current session, opening up an entire new attack vector if the user has a .code-workspace file in path (either untitled created automatically or a saved one). If an attacker is able to hijack the chat context of the victim (such as via a compromised MCP server), they can use prompt injection to make the Cursor Agent write into this file and modify the workspace. This leads to a bypass of CVE-2025-54130 which can lead to RCE by writing to the settings section. This issue is fixed in version 1.7.
CVE-2025-56551 2025-10-03 N/A
An issue in DirectAdmin v1.680 allows unauthorized attackers to manipulate the page layout and replace the legitimate login interface with arbitrary attacker-controlled content via supplying a crafted GET request.
CVE-2025-43718 1 Poppler 1 Poppler 2025-10-03 2.9 Low
Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor).
CVE-2021-42193 2025-10-03 N/A
nopCommerce 4.40.3 is vulnerable to XSS in the Product Name at /Admin/Product/Edit/[id]. Each time a user views the product in the shop, the XSS payload fires.
CVE-2014-2355 1 Ge 1 Intelligent Platforms Proficy Hmi\/scada Cimplicity 2025-10-03 N/A
The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file.
CVE-2014-2354 1 Cogentdatahub 1 Cogent Datahub 2025-10-03 N/A
Cogent DataHub before 7.3.5 does not use a salt during password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack.
CVE-2014-2353 1 Cogentdatahub 1 Cogent Datahub 2025-10-03 N/A
Cross-site scripting (XSS) vulnerability in Cogent DataHub before 7.3.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2014-2352 1 Cogentdatahub 1 Cogent Datahub 2025-10-03 N/A
The directory specifier can include designators that can be used to traverse the directory path. Exploiting this vulnerability may enable an attacker to access a limited number of hardcoded file types. Further exploitation of this vulnerability may allow an attacker to cause the web server component to enter a denial-of-service condition.
CVE-2014-2351 1 Controlsystemworks 1 Csworks 2025-10-03 N/A
SQL injection vulnerability in the LiveData service in CSWorks before 2.5.5233.0 allows remote attackers to execute arbitrary SQL commands via vectors related to pathnames contained in web API requests.
CVE-2025-10709 1 Four-faith 1 Water Conservancy Informatization 2025-10-03 5.3 Medium
A vulnerability was detected in Four-Faith Water Conservancy Informatization Platform 1.0. Affected by this issue is some unknown functionality of the file /history/historyDownload.do;otheruserLogin.do;getfile. The manipulation of the argument fileName results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2014-2357 1 Subnet 1 Substation Server 2025-10-03 N/A
The GPT library in the Telegyr 8979 Master Protocol application in SUBNET SubSTATION Server 2 before SSNET 2.12 HF18808 allows remote attackers to cause a denial of service (persistent service crash) via a long RTU-to-Master message.
CVE-2025-56869 1 Sync-in 2 Server, Sync-in Server 2025-10-03 5.3 Medium
Directory traversal vulnerability in Sync In server thru 1.1.1 allowing authenticated attackers to gain read and write access to the system via FilesManager.saveMultipart function in backend/src/applications/files/services/files-manager.service.ts, and FilesManager.compress function in backend/src/applications/files/services/files-manager.service.ts.
CVE-2014-2356 1 Innominate 1 Mguard Firmware 2025-10-03 N/A
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.
CVE-2025-1244 1 Redhat 8 Enterprise Linux, Openshift Builds, Rhel Aus and 5 more 2025-10-03 8.8 High
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
CVE-2024-12747 1 Redhat 4 Discovery, Enterprise Linux, Openshift and 1 more 2025-10-03 5.6 Medium
A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.
CVE-2024-12243 1 Redhat 4 Discovery, Enterprise Linux, Openshift and 1 more 2025-10-03 5.3 Medium
A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.