Total
3245 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-0422 | 3 Canonical, Opensuse, Oracle | 4 Ubuntu Linux, Opensuse, Jdk and 1 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue. | |||||
| CVE-2012-5076 | 2 Oracle, Suse | 2 Jre, Linux Enterprise Desktop | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS. | |||||
| CVE-2012-4681 | 2 Oracle, Redhat | 6 Jdk, Jre, Enterprise Linux Desktop and 3 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class. | |||||
| CVE-2012-1723 | 2 Oracle, Redhat | 8 Jdk, Jre, Enterprise Linux Desktop and 5 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. | |||||
| CVE-2011-3544 | 4 Canonical, Oracle, Redhat and 1 more | 6 Ubuntu Linux, Jdk, Jre and 3 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting. | |||||
| CVE-2016-3427 | 8 Apache, Canonical, Debian and 5 more | 38 Cassandra, Ubuntu Linux, Debian Linux and 35 more | 2025-10-22 | 10.0 HIGH | 9.8 CRITICAL |
| Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. | |||||
| CVE-2015-4902 | 4 Opensuse, Oracle, Redhat and 1 more | 21 Leap, Opensuse, Jdk and 18 more | 2025-10-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allows remote attackers to affect integrity via unknown vectors related to Deployment. | |||||
| CVE-2025-57567 | 2025-10-21 | N/A | 9.1 CRITICAL | ||
| A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands. | |||||
| CVE-2025-60305 | 1 Senior-walter | 1 Online Student Clearance System | 2025-10-21 | N/A | 8.8 HIGH |
| SourceCodester Online Student Clearance System 1.0 is vulnerable to Incorrect Access Control. The application contains a logic flaw which allows low privilege users can forge high privileged sessions and perform sensitive operations. | |||||
| CVE-2025-27258 | 1 Ericsson | 1 Network Manager | 2025-10-21 | N/A | 9.8 CRITICAL |
| Ericsson Network Manager (ENM) versions prior to ENM 25.1 GA contain a vulnerability, if exploited, can result in an escalation of privilege. | |||||
| CVE-2025-45618 | 1 Huangjian888 | 1 Jeeweb-mybatis-springboot | 2025-10-21 | N/A | 6.5 MEDIUM |
| Incorrect access control in the component /admin/sys/datasource/ajaxList of jeeweb-mybatis-springboot v0.0.1.RELEASE allows attackers to access sensitive information via a crafted payload. | |||||
| CVE-2025-2334 | 1 274056675 | 1 Springboot-openai-chatgpt | 2025-10-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability classified as problematic has been found in 274056675 springboot-openai-chatgpt e84f6f5. This affects the function deleteChat of the file /api/mjkj-chat/chat/ai/delete/chat of the component Chat History Handler. The manipulation of the argument chatListId leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-51529 | 1 Followmedarling | 1 Cookies And Content Security Policy | 2025-10-21 | N/A | 5.3 MEDIUM |
| Incorrect Access Control in the AJAX endpoint functionality in jonkastonka Cookies and Content Security Policy plugin through version 2.29 allows remote attackers to cause a denial of service (database server resource exhaustion) via unlimited database write operations to the wp_ajax_nopriv_cacsp_insert_consent_data endpoint. | |||||
| CVE-2025-55630 | 1 Reolink | 2 Smart 2k\+ Plug-in Wi-fi Video Doorbell With Chime, Smart 2k\+ Plug-in Wi-fi Video Doorbell With Chime Firmware | 2025-10-21 | N/A | 7.3 HIGH |
| A discrepancy in the error message returned by the login function of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 when entering the wrong username and password allows attackers to enumerate existing accounts. | |||||
| CVE-2025-0402 | 1 1902756969 | 1 Reggie | 2025-10-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical was found in 1902756969 reggie 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/itheima/reggie/controller/CommonController.java. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0403 | 1 1902756969 | 1 Reggie | 2025-10-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in 1902756969 reggie 1.0. Affected by this issue is some unknown functionality of the file /user/sendMsg of the component Phone Number Validation Handler. The manipulation of the argument code leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-11660 | 1 Oranbyte | 1 School Management System | 2025-10-20 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. Affected by this issue is some unknown functionality of the file /assets/uploadSllyabus.php. Such manipulation of the argument File leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. | |||||
| CVE-2025-58724 | 1 Microsoft | 1 Azure Connected Machine Agent | 2025-10-20 | N/A | 7.8 HIGH |
| Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-47989 | 1 Microsoft | 1 Azure Connected Machine Agent | 2025-10-20 | N/A | 7.0 HIGH |
| Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-25004 | 1 Microsoft | 17 Powershell, Windows 10 1507, Windows 10 1607 and 14 more | 2025-10-20 | N/A | 7.3 HIGH |
| Improper access control in Microsoft PowerShell allows an authorized attacker to elevate privileges locally. | |||||