Search Results (14128 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-6983 1 Mudler 1 Localai 2025-07-10 N/A
mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the localai backend receives inputs not only from the configuration file but also from other inputs, allowing an attacker to upload a binary file and execute malicious code. This can lead to the attacker gaining full control over the system.
CVE-2018-9378 1 Google 1 Android 2025-07-10 6.2 Medium
In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-27766 1 Mariadb 1 Mariadb 2025-07-10 5.7 Medium
An issue in MariaDB v.11.1 allows a remote attacker to execute arbitrary code via the lib_mysqludf_sys.so function. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.
CVE-2023-39593 1 Mariadb 1 Mariadb 2025-07-10 5.6 Medium
Insecure permissions in the sys_exec function of MariaDB v10.5 allows authenticated attackers to execute arbitrary commands with elevated privileges. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.
CVE-2023-26785 1 Mariadb 1 Mariadb 2025-07-10 9.8 Critical
MariaDB v10.5 was discovered to contain a remote code execution (RCE) vulnerability via UDF Code in a Shared Object File, followed by a "create function" statement. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.
CVE-2023-24954 1 Microsoft 14 Sharepoint Enterprise Server, Sharepoint Server, Windows 10 1507 and 11 more 2025-07-10 6.5 Medium
Microsoft SharePoint Server Information Disclosure Vulnerability
CVE-2023-24941 1 Microsoft 4 Windows Server 2012, Windows Server 2016, Windows Server 2019 and 1 more 2025-07-10 9.8 Critical
Windows Network File System Remote Code Execution Vulnerability
CVE-2024-38109 1 Microsoft 1 Azure Health Bot 2025-07-10 9.1 Critical
An authenticated attacker can exploit an Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges over a network.
CVE-2024-38206 1 Microsoft 1 Copilot Studio 2025-07-10 8.5 High
An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network.
CVE-2024-38122 1 Microsoft 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more 2025-07-10 5.5 Medium
Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability
CVE-2024-38118 1 Microsoft 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more 2025-07-10 5.5 Medium
Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability
CVE-2023-35701 1 Apache 1 Hive 2025-07-10 6.6 Medium
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Hive. The vulnerability affects the Hive JDBC driver component and it can potentially lead to arbitrary code execution on the machine/endpoint that the JDBC driver (client) is running. The malicious user must have sufficient permissions to specify/edit JDBC URL(s) in an endpoint relying on the Hive JDBC driver and the JDBC client process must run under a privileged user to fully exploit the vulnerability.  The attacker can setup a malicious HTTP server and specify a JDBC URL pointing towards this server. When a JDBC connection is attempted, the malicious HTTP server can provide a special response with customized payload that can trigger the execution of certain commands in the JDBC client.This issue affects Apache Hive: from 4.0.0-alpha-1 before 4.0.0. Users are recommended to upgrade to version 4.0.0, which fixes the issue.
CVE-2025-5887 1 Jsnjfz 1 Webstack-guns 2025-07-10 3.5 Low
A vulnerability was found in jsnjfz WebStack-Guns 1.0. It has been classified as problematic. Affected is an unknown function of the file UserMgrController.java of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-41659 1 Usememos 1 Memos 2025-07-10 8.1 High
memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0.
CVE-2023-37230 1 Loftware 1 Spectrum 2025-07-10 8.8 High
Loftware Spectrum (testDeviceConnection) before 5.1 allows SSRF.
CVE-2024-6344 1 Zkteco 1 Zkbiosecurity V5000 2025-07-10 2.4 Low
A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of the argument Configuration Name leads to cross site scripting. It is possible to initiate the attack remotely. It is recommended to upgrade the affected component. The vendor explains, that "[s]ince ZKBio CVSecurity v5000 has been withdrawn from the market, we recommend upgrading to ZKBio CVSecurity V6600 6.1.3_R or above". This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2024-3283 1 Mintplexlabs 1 Anythingllm 2025-07-09 N/A
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling them to access the '/api/system/enable-multi-user' endpoint and create a new admin user. This issue results from the endpoint accepting a full JSON object in the request body without proper validation of modifiable fields, leading to unauthorized modification of system settings and subsequent privilege escalation.
CVE-2024-0404 1 Mintplexlabs 1 Anythingllm 2025-07-09 N/A
A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a `role` property with `admin` value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator.
CVE-2023-48978 1 Ncr 1 Itm Web Terminal 2025-07-09 9.8 Critical
An issue in NCR ITM Web terminal v.4.4.0 and v.4.4.4 allows a remote attacker to execute arbitrary code via a crafted script to the IP camera URL component.
CVE-2025-6534 1 Xxyopen 1 Novel-plus 2025-07-09 4.2 Medium
A vulnerability, which was classified as problematic, was found in xxyopen/201206030 novel-plus up to 5.1.3. This affects the function remove of the file novel-admin/src/main/java/com/java2nb/common/controller/FileController.java of the component File Handler. The manipulation leads to improper control of resource identifiers. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.