Search Results (14145 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-30923 1 Derbynet 1 Derbynet 2025-11-04 9.8 Critical
SQL Injection vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the where Clause in Racer Document Rendering
CVE-2024-22899 1 Vinchin 1 Vinchin Backup And Recovery 2025-11-04 8.8 High
Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function.
CVE-2024-0510 1 Haokekeji 1 Yiqiniu 2025-11-04 7.3 High
A vulnerability, which was classified as critical, has been found in HaoKeKeJi YiQiNiu up to 3.1. Affected by this issue is the function http_post of the file /application/pay/controller/Api.php. The manipulation of the argument url leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250652.
CVE-2023-51331 1 Phpjabbers 1 Cleaning Business Software 2025-11-04 6.5 Medium
PHPJabbers Cleaning Business Software v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
CVE-2023-51324 1 Phpjabbers 1 Shared Asset Booking System 2025-11-04 6.5 Medium
PHPJabbers Shared Asset Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
CVE-2023-51320 1 Phpjabbers 1 Night Club Booking Software 2025-11-04 5.3 Medium
PHPJabbers Night Club Booking Software v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.
CVE-2023-51317 1 Phpjabbers 1 Restaurant Booking System 2025-11-04 6.5 Medium
PHPJabbers Restaurant Booking System v3.0 is vulnerable to Multiple HTML Injection in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key, title" parameters.
CVE-2023-49933 1 Schedmd 1 Slurm 2025-11-04 7.5 High
An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. There is Improper Enforcement of Message Integrity During Transmission in a Communication Channel. This allows attackers to modify RPC traffic in a way that bypasses message hash checks. The fixed versions are 22.05.11, 23.02.7, and 23.11.1.
CVE-2025-2977 1 Gfi 1 Kerio Connect 2025-11-04 3.5 Low
A vulnerability was found in GFI KerioConnect 10.0.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-21988 1 Linux 1 Linux Kernel 2025-11-04 5.5 Medium
In the Linux kernel, the following vulnerability has been resolved: fs/netfs/read_collect: add to next->prev_donated If multiple subrequests donate data to the same "next" request (depending on the subrequest completion order), each of them would overwrite the `prev_donated` field, causing data corruption and a BUG() crash ("Can't donate prior to front").
CVE-2025-62523 1 Thm 1 Pilos 2025-11-04 6.3 Medium
PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper validation or a whitelist, while Access-Control-Allow-Credentials is set to true. This behavior could allow a malicious website on a different origin to send requests (including credentials) to the PILOS API. This may enable exfiltration or actions using the victim’s credentials if the server accepts those cross-origin requests as authenticated. Laravel’s session handling applies additional origin checks such that cross-origin requests are not authenticated by default. Because of these session-origin protections, and in the absence of any other unknown vulnerabilities that would bypass Laravel’s origin/session checks, this reflected-Origin CORS misconfiguration is not believed to be exploitable in typical PILOS deployments. This vulnerability has been patched in PILOS in v4.8.0
CVE-2024-38637 1 Linux 1 Linux Kernel 2025-11-04 5.5 Medium
In the Linux kernel, the following vulnerability has been resolved: greybus: lights: check return of get_channel_from_mode If channel for the given node is not found we return null from get_channel_from_mode. Make sure we validate the return pointer before using it in two of the missing places. This was originally reported in [0]: Found by Linux Verification Center (linuxtesting.org) with SVACE. [0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru
CVE-2025-0708 1 Fumiao 1 Opencms 2025-11-04 3.5 Low
A vulnerability was found in fumiao opencms 2.2. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/model/addOrUpdate of the component Add Model Management Page. The manipulation of the argument 模板前缀 leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-8178 1 Freebsd 1 Freebsd 2025-11-04 9.3 Critical
The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
CVE-2024-35136 1 Ibm 1 Db2 2025-11-04 5.3 Medium
IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) federated server 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query under certain non default conditions. IBM X-Force ID: 291307.
CVE-2024-31882 1 Ibm 1 Db2 2025-11-04 5.3 Medium
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to a denial of service, under specific non default configurations, as the server may crash when using a specially crafted SQL statement by an authenticated user. IBM X-Force ID: 287614.
CVE-2023-46303 1 Calibre-ebook 1 Calibre 2025-11-04 7.5 High
link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root.
CVE-2023-32559 2 Nodejs, Redhat 4 Node.js, Nodejs, Enterprise Linux and 1 more 2025-11-04 7.5 High
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2019-9621 1 Synacor 1 Zimbra Collaboration Suite 2025-11-04 7.5 High
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
CVE-2024-9394 2 Mozilla, Redhat 9 Firefox, Firefox Esr, Thunderbird and 6 more 2025-11-03 6.1 Medium
An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.