Vulnerabilities (CVE)

Filtered by CWE-20
Total 11567 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-26170 1 Microsoft 7 Windows 10 21h2, Windows 10 22h2, Windows 11 21h2 and 4 more 2026-06-17 N/A 7.8 HIGH
Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability
CVE-2024-26164 1 Microsoft 1 Django Backend 2026-06-17 N/A 8.8 HIGH
Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability
CVE-2024-26151 1 Felixschwarz 1 Mjml-python 2026-06-17 N/A 8.2 HIGH
The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. All users of `FelixSchwarz/mjml-python` who insert untrusted data into mjml templates unless that data is checked in a very strict manner. User input like `&lt;script&gt;` would be rendered as `<script>` in the final HTML output. The attacker must be able to control some data which is later injected in an mjml template which is then send out as email to other users. The attacker could control contents of email messages sent through the platform. The problem has been fixed in version 0.11.0 of this library. Versions before 0.10.0 are not affected by this security issue. As a workaround, ensure that potentially untrusted user input does not contain any sequences which could be rendered as HTML.
CVE-2024-26127 1 Adobe 1 Experience Manager 2026-06-17 N/A 3.5 LOW
Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect the integrity of the page. Exploitation of this issue requires user interaction.
CVE-2024-26126 1 Adobe 1 Experience Manager 2026-06-17 N/A 3.5 LOW
Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect the integrity of the page. Exploitation of this issue requires user interaction.
CVE-2024-26002 1 Phoenixcontact 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more 2026-06-17 N/A 7.8 HIGH
An improper input validation in the Qualcom plctool allows a local attacker with low privileges to gain root access by changing the ownership of specific files.
CVE-2024-25999 1 Phoenixcontact 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more 2026-06-17 N/A 8.4 HIGH
An unauthenticated local attacker can perform a privilege escalation due to improper input validation in the OCPP agent service. 
CVE-2024-25997 1 Phoenixcontact 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more 2026-06-17 N/A 5.3 MEDIUM
An unauthenticated remote attacker can perform a log injection due to improper input validation. Only a certain log file is affected.
CVE-2024-25995 1 Phoenixcontact 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more 2026-06-17 N/A 9.8 CRITICAL
An unauthenticated remote attacker can modify configurations to perform a remote code execution, gain root rights or perform an DoS due to improper input validation.
CVE-2024-25974 1 Frentix 1 Openolat 2026-06-17 N/A 5.4 MEDIUM
The Frentix GmbH OpenOlat LMS is affected by stored a Cross-Site Scripting (XSS) vulnerability. It is possible to upload files within the Media Center of OpenOlat version 18.1.5 (or lower) as an authenticated user without any other rights. Although the filetypes are limited, an SVG image containing an XSS payload can be uploaded. After a successful upload the file can be shared with groups of users (including admins) who can be attacked with the JavaScript payload.
CVE-2024-25973 1 Frentix 1 Openolat 2026-06-17 N/A 5.4 MEDIUM
The Frentix GmbH OpenOlat LMS is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities. An attacker with rights to create or edit groups can create a course with a name that contains an XSS payload. Furthermore, attackers with the permissions to create or rename a catalog (sub-category) can enter unfiltered input in the name field. In addition, attackers who are allowed to create curriculums can also enter unfiltered input in the name field. This allows an attacker to execute stored JavaScript code with the permissions of the victim in the context of the user's browser.
CVE-2024-25970 1 Dell 1 Powerscale Onefs 2026-06-17 N/A 6.5 MEDIUM
Dell PowerScale OneFS versions 8.2.x through 9.7.0.1 contains an improper input validation vulnerability. A low privileged remote attacker could potentially exploit this vulnerability, leading to loss of integrity.
CVE-2024-25942 1 Dell 50 Nx3230, Nx3230 Firmware, Nx3330 and 47 more 2026-06-17 N/A 4.4 MEDIUM
Dell PowerEdge Server BIOS contains an Improper SMM communication buffer verification vulnerability. A physical high privileged attacker could potentially exploit this vulnerability leading to arbitrary writes to SMRAM.
CVE-2024-25743 2026-06-17 N/A 7.1 HIGH
In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.
CVE-2024-25656 2026-06-17 N/A 5.9 MEDIUM
Improper input validation in AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS can result in unauthenticated CPE (Customer Premises Equipment) devices storing arbitrarily large amounts of data during registration. This can potentially lead to DDoS attacks on the application database and, ultimately, affect the entire product.
CVE-2024-25641 2 Cacti, Fedoraproject 2 Cacti, Fedora 2026-06-17 N/A 9.1 CRITICAL
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined into the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
CVE-2024-25590 2026-06-17 N/A 7.5 HIGH
An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service.
CVE-2024-25583 2026-06-17 N/A 7.5 HIGH
A crafted response from an upstream server the recursor has been configured to forward-recurse to can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding and is not affected.
CVE-2024-25581 2026-06-17 N/A 7.5 HIGH
When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default.
CVE-2024-25571 2026-06-17 N/A 2.3 LOW
Improper input validation in some Intel(R) SPS firmware before SPS_E5_06.01.04.059.0 may allow a privileged user to potentially enable denial of service via local access.