Total
10465 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10768 | 1 H2o | 1 H2o | 2025-10-08 | 6.5 MEDIUM | 6.3 MEDIUM |
| A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQLTable of the component IBMDB2 JDBC Driver. This manipulation of the argument connection_url causes deserialization. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10769 | 1 H2o | 1 H2o | 2025-10-08 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLTable of the component H2 JDBC Driver. Such manipulation of the argument connection_url leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-10770 | 1 Jeecg | 1 Jimureport | 2025-10-08 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in jeecgboot JimuReport up to 2.1.2. This impacts an unknown function of the file /drag/onlDragDataSource/testConnection of the component MySQL JDBC Handler. Performing manipulation results in deserialization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | |||||
| CVE-2025-10771 | 1 Jeecg | 1 Jimureport | 2025-10-08 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was determined in jeecgboot JimuReport up to 2.1.2. Affected is an unknown function of the file /drag/onlDragDataSource/testConnection of the component DB2 JDBC Handler. Executing manipulation of the argument clientRerouteServerListJNDIName can lead to deserialization. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-61768 | 2025-10-08 | N/A | N/A | ||
| KUNO CMS is a fully deployable full-stack blog application. In versions prior to 1.3.15, an SSRF (Server-Side Request Forgery) vulnerability exists in the Media module of the Kuno CMS administrative panel. A logged-in administrator can upload a specially crafted SVG file containing an external image reference, causing the server to initiate an outgoing connection to an arbitrary external URL. This can lead to information disclosure or internal network probing. Version 1.3.15 contains a fix for the issue. | |||||
| CVE-2025-52905 | 1 Totolink | 2 X6000r, X6000r Firmware | 2025-10-08 | N/A | 7.5 HIGH |
| Improper Input Validation vulnerability in TOTOLINK X6000R allows Flooding.This issue affects X6000R: through V9.4.0cu.1360_B20241207. | |||||
| CVE-2025-23268 | 1 Nvidia | 1 Triton Inference Server | 2025-10-08 | N/A | 8.0 HIGH |
| NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker may cause an improper input validation issue. A successful exploit of this vulnerability may lead to code execution. | |||||
| CVE-2024-22117 | 1 Zabbix | 1 Zabbix | 2025-10-08 | N/A | 2.2 LOW |
| When a URL is added to the map element, it is recorded in the database with sequential IDs. Upon adding a new URL, the system retrieves the last sysmapelementurlid value and increments it by one. However, an issue arises when a user manually changes the sysmapelementurlid value by adding sysmapelementurlid + 1. This action prevents others from adding URLs to the map element. | |||||
| CVE-2024-22120 | 1 Zabbix | 1 Zabbix | 2025-10-08 | N/A | 9.1 CRITICAL |
| Zabbix server can perform command execution for configured scripts. After command is executed, audit entry is added to "Audit Log". Due to "clientip" field is not sanitized, it is possible to injection SQL into "clientip" and exploit time based blind SQL injection. | |||||
| CVE-2025-11195 | 1 Rapid7 | 1 Appspider Pro | 2025-10-08 | N/A | 3.3 LOW |
| Rapid7 AppSpider Pro versions below 7.5.021 suffer from a project name validation vulnerability, whereby an attacker can change the project name directly in the configuration file to a name that already exists. This issue stems from a lack of effective verification of the uniqueness of project names when editing them outside the application in affected versions. This vulnerability was remediated in version 7.5.021 of the product. | |||||
| CVE-2025-59537 | 1 Argoproj | 1 Argo Cd | 2025-10-07 | N/A | 7.5 HIGH |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19. | |||||
| CVE-2025-55006 | 1 Frappe | 1 Learning | 2025-10-06 | N/A | 4.3 MEDIUM |
| Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially malicious content. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. A fix for this issue is planned for version 2.34.0. | |||||
| CVE-2014-2360 | 1 Oleumtech | 2 Sensor Wireless I\/o Module, Wio Dh2 Wireless Gateway | 2025-10-06 | 5.0 MEDIUM | N/A |
| OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage. | |||||
| CVE-2025-34226 | 2025-10-06 | N/A | N/A | ||
| OpenPLC Runtime v3 contains an input validation flaw in the /upload-program-action endpoint: the epoch_time field supplied during program uploads is not validated and can be crafted to induce corruption of the programs database. After a successful malformed upload the runtime continues to operate until a restart; on restart the runtime can fail to start because of corrupted database entries, resulting in persistent denial of service requiring complete rebase of the product to recover. This vulnerability was remediated by commit 095ee09623dd229b64ad3a1db38a901a3772f6fc. | |||||
| CVE-2025-11273 | 2025-10-06 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in LaChatterie Verger up to 1.2.10. This impacts the function redirectToAuthorization of the file /src/main/services/mcp/oauth/provider.ts. The manipulation of the argument URL results in deserialization. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-23362 | 1 Qualcomm | 464 9205 Lte Modem, 9205 Lte Modem Firmware, Aqt1000 and 461 more | 2025-10-03 | N/A | 7.1 HIGH |
| Cryptographic issue while parsing RSA keys in COBR format. | |||||
| CVE-2014-2357 | 1 Subnet | 1 Substation Server | 2025-10-03 | 8.3 HIGH | N/A |
| The GPT library in the Telegyr 8979 Master Protocol application in SUBNET SubSTATION Server 2 before SSNET 2.12 HF18808 allows remote attackers to cause a denial of service (persistent service crash) via a long RTU-to-Master message. | |||||
| CVE-2025-57528 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2025-10-03 | N/A | 7.7 HIGH |
| An issue was discovered in Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01 allowing attackers to cause a denial of service via the funcname, funcpara1, funcpara2 parameters to the formSetCfm function (uri path: SetCfm). | |||||
| CVE-2025-5326 | 1 Zhilink | 1 Adp Application Developer Platform | 2025-10-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0 and classified as critical. Affected by this issue is some unknown functionality of the file /adpweb/wechat/verifyToken/. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-5552 | 1 1000mz | 1 Chestnutcms | 2025-10-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in ChestnutCMS up to 15.1. It has been declared as critical. This vulnerability affects unknown code of the file /dev-api/groovy/exec of the component API Endpoint. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||