Search Results (14105 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-5604 1 Asgaros 1 Asgaros Forum 2025-06-05 9.8 Critical
The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution.
CVE-2024-48070 1 Weaver 1 E-cology 2025-06-05 9.8 Critical
An issue in Weaver E-cology v. attackers construct special requests to insert remote malicious code and to trigger malicious code execution, and control server privileges
CVE-2023-49094 1 Sentry 1 Symbolicator 2025-06-05 4.3 Medium
Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2.
CVE-2024-5407 1 Saltos 1 Rhinos 2025-06-05 10 Critical
A vulnerability in RhinOS 3.0-1190 could allow PHP code injection through the "search" parameter in /portal/search.htm. This vulnerability could allow a remote attacker to perform a reverse shell on the remote system, compromising the entire infrastructure.
CVE-2022-23088 1 Freebsd 1 Freebsd 2025-06-04 9.8 Critical
The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution.
CVE-2024-25940 1 Freebsd 1 Freebsd 2025-06-04 6.3 Medium
`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to <host-path>, allowing the loader to read any file the host user has access to. In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root.
CVE-2025-22204 1 Regularlabs 1 Sourcerer 2025-06-04 9.8 Critical
Improper control of generation of code in the sourcerer extension for Joomla in versions before 11.0.0 lead to a remote code execution vulnerability.
CVE-2025-4839 1 Itwanger 1 Paicoding 2025-06-04 3.1 Low
A vulnerability has been found in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /paicoding-core/src/main/java/com/github/paicoding/forum/core/util/CrossUtil.java. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
CVE-2025-4852 1 Totolink 2 A3002r, A3002r Firmware 2025-06-04 2.4 Low
A vulnerability, which was classified as problematic, has been found in TOTOLINK A3002R 2.1.1-B20230720.1011. This issue affects some unknown processing of the component VPN Page. The manipulation of the argument Comment leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-3937 4 Blackberry, Linux, Microsoft and 1 more 5 Qnx, Linux Kernel, Windows and 2 more 2025-06-04 7.7 High
Use of Password Hash With Insufficient Computational Effort vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.
CVE-2022-3010 1 Priva 1 Top Control Suite 2025-06-04 7.5 High
The Priva TopControl Suite contains predictable credentials for the SSH service, based on the Serial number. Which makes it possible for an attacker to calculate the login credentials for the Priva TopControll suite.
CVE-2024-12348 1 Jpress 1 Jpress 2025-06-04 3.5 Low
A vulnerability was found in Guizhou Xiaoma Technology jpress 5.1.2. It has been classified as problematic. Affected is the function AttachmentUtils.isUnSafe of the file /commons/attachment/upload of the component Attachment Upload Handler. The manipulation of the argument files[] leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-48907 1 Sematell 1 Replyone 2025-06-04 7.5 High
Sematell ReplyOne 7.4.3.0 allows SSRF via the application server API.
CVE-2024-23746 2 Apple, Miro 2 Macos, Miro 2025-06-04 9.8 Critical
Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents).
CVE-2024-23741 3 Apple, Hyper, Vercel 3 Macos, Hyper, Hyper 2025-06-03 9.8 Critical
An issue in Hyper on macOS version 3.4.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.
CVE-2024-21673 1 Atlassian 2 Confluence Data Center, Confluence Server 2025-06-03 8.8 High
This High severity Remote Code Execution (RCE) vulnerability was introduced in versions 7.13.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.0 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and does not require user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives ).
CVE-2022-2912 1 Craw-data Project 1 Craw-data 2025-06-03 4.3 Medium
The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites (SSRF).
CVE-2024-0946 1 60indexpage Project 1 60indexpage 2025-06-03 7.3 High
A vulnerability classified as critical was found in 60IndexPage up to 1.8.5. This vulnerability affects unknown code of the file /apply/index.php of the component Parameter Handler. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-252190 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-5135 1 Project Team 1 Tmall Demo 2025-06-03 2.4 Low
A vulnerability, which was classified as problematic, has been found in Tmall Demo up to 20250505. Affected by this issue is some unknown functionality of the file /tmall/admin/ of the component Product Details Page. The manipulation of the argument Product Name/Product Title leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-5134 1 Project Team 1 Tmall Demo 2025-06-03 3.5 Low
A vulnerability classified as problematic was found in Tmall Demo up to 20250505. Affected by this vulnerability is an unknown functionality of the component Buy Item Page. The manipulation of the argument Detailed Address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.