Total
4157 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3593 | 1 Zhenfeng13 | 1 My-blog-layui | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in ZHENFENG13/code-projects My-Blog-layui 1.0. It has been declared as critical. This vulnerability affects the function Upload of the file /admin/upload/authorImg/. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3585 | 1 Westboy | 1 Cicadascms | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in westboy CicadasCMS 1.0. This affects an unknown part of the file /upload/ of the component JSP Parser. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3580 | 2026-06-17 | N/A | 5.5 MEDIUM | ||
| An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator exists 2. The Server administrator is either: - Not part of any organization, or - Part of the same organization as the Organization administrator Impact: - Organization administrators can permanently delete Server administrator accounts - If the only Server administrator is deleted, the Grafana instance becomes unmanageable - No super-user permissions remain in the system - Affects all users, organizations, and teams managed in the instance The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance. | |||||
| CVE-2025-3566 | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability, which was classified as critical, has been found in veal98 小牛肉 Echo 开源社区系统 4.2. This issue affects the function uploadMdPic of the file /discuss/uploadMdPic. The manipulation of the argument editormd-image-file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3565 | 1 Huanfenz | 1 Studentmanager | 2026-06-17 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability classified as critical was found in huanfenz/code-projects StudentManager 1.0. This vulnerability affects unknown code of the file /upload/uploadArticle.do of the component Announcement Management Section. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3558 | 1 Ghostxbh | 1 Uzy-ssm-mall | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in ghostxbh uzy-ssm-mall 1.0.0. This affects an unknown part of the file /mall/user/uploadUserHeadImage. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3518 | 1 Unblu | 1 Spark | 2026-06-17 | N/A | 4.3 MEDIUM |
| It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the system nevertheless allows files to be uploaded through direct API requests. During the upload file, interception and allowed file type rules are still applied correctly. If file sharing is generally enabled, this issue is not of concern. | |||||
| CVE-2025-3410 | 1 Aias | 1 Aias | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical was found in mymagicpower AIAS 20250308. This vulnerability affects unknown code of the file training_platform/train-platform/src/main/java/top/aias/training/controller/LocalStorageController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3398 | 1 Lenve | 1 Vblog | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical was found in lenve VBlog up to 1.0.0. Affected by this vulnerability is the function configure of the file blogserver/src/main/java/org/sang/config/WebSecurityConfig.java. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-3325 | 1 Iteaj | 1 Iboot | 2026-06-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in iteaj iboot 物联网网关 1.1.3. This affects an unknown part of the file /core/admin/pwd of the component Admin Password Handler. The manipulation of the argument ID leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3324 | 1 Godcheese | 1 Nimrod | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in godcheese/code-projects Nimrod 0.8. Affected by this issue is some unknown functionality of the file FileRestController.java. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3305 | 1 1902756969 | 1 Ikun Library | 2026-06-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in 1902756969/code-projects IKUN_Library 1.0 and classified as problematic. This vulnerability affects the function addInterceptors of the file MvcConfig.java of the component Borrow Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3298 | 1 Oretnom23 | 1 Online Eyewear Shop | 2026-06-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in SourceCodester Online Eyewear Shop 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /oews/classes/Master.php?f=save_product of the component Registration Handler. The manipulation of the argument email leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3256 | 1 Xujiangfei | 1 Admintwo | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in xujiangfei admintwo 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /user/updateSet. The manipulation of the argument email leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3255 | 1 Xujiangfei | 1 Admintwo | 2026-06-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in xujiangfei admintwo 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /user/home. The manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3244 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /add-admin.php of the component Create User Page. The manipulation of the argument Avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3237 | 1 Tenda | 2 Fh1202, Fh1202 Firmware | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in Tenda FH1202 1.2.0.14(408). It has been rated as critical. This issue affects some unknown processing of the file /goform/wrlwpsset. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3236 | 1 Tenda | 2 Fh1202, Fh1202 Firmware | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in Tenda FH1202 1.2.0.14(408). It has been declared as critical. This vulnerability affects unknown code of the file /goform/VirSerDMZ of the component Web Management Interface. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3169 | 2026-06-17 | 4.6 MEDIUM | 5.0 MEDIUM | ||
| A vulnerability was found in Projeqtor up to 12.0.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /tool/saveAttachment.php. The manipulation of the argument attachmentFiles leads to unrestricted upload. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 12.0.3 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains, that "this vulnerability can be exploited only on not securely installed instances, as it is adviced during product install: attachment directory should be out of web reach, so that even if executable file can be uploaded, it cannot be executed through the web." | |||||
| CVE-2025-3123 | 1 Wondercms | 1 Wondercms | 2026-06-17 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability, which was classified as critical, has been found in WonderCMS 3.5.0. Affected by this issue is the function installUpdateModuleAction of the component Theme Installation/Plugin Installation. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains, that "[t]he philosophy has always been, admin [...] bear responsibility to not install themes/plugins from untrusted sources." | |||||