Total
299262 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-48993 | 2025-06-17 | N/A | N/A | ||
| Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27. | |||||
| CVE-2025-28991 | 2025-06-17 | N/A | 8.1 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Evon allows PHP Local File Inclusion. This issue affects Evon: from n/a through 3.4. | |||||
| CVE-2025-33122 | 2025-06-17 | N/A | 7.5 HIGH | ||
| IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 could allow a user to gain elevated privileges due to an unqualified library call in IBM Advanced Job Scheduler for i. A malicious actor could cause user-controlled code to run with administrator privilege. | |||||
| CVE-2025-24773 | 2025-06-17 | N/A | 9.3 CRITICAL | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows SQL Injection. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0. | |||||
| CVE-2025-34511 | 2025-06-17 | N/A | 8.8 HIGH | ||
| Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution. | |||||
| CVE-2025-36632 | 2025-06-17 | N/A | 7.8 HIGH | ||
| In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could execute code with SYSTEM privilege. | |||||
| CVE-2025-49234 | 2025-06-17 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in Deepak anand WP Dummy Content Generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Dummy Content Generator: from n/a through 3.4.6. | |||||
| CVE-2025-32797 | 2025-06-17 | N/A | N/A | ||
| Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, The write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim's privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window. | |||||
| CVE-2025-48274 | 2025-06-17 | N/A | 9.3 CRITICAL | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpjobportal WP Job Portal allows Blind SQL Injection. This issue affects WP Job Portal: from n/a through 2.3.2. | |||||
| CVE-2025-47867 | 2025-06-17 | N/A | 7.5 HIGH | ||
| A Local File Inclusion vulnerability in a Trend Micro Apex Central widget in versions below 8.0.6955 could allow an attacker to include arbitrary files to execute as PHP code and lead to remote code execution on affected installations. | |||||
| CVE-2025-6159 | 2025-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability classified as critical was found in code-projects Hostel Management System 1.0. This vulnerability affects unknown code of the file /allocate_room.php. The manipulation of the argument search_box leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3880 | 2025-06-17 | N/A | 4.3 MEDIUM | ||
| The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected. | |||||
| CVE-2025-6196 | 2025-06-17 | N/A | 5.5 MEDIUM | ||
| A flaw was found in libgepub, a library used to read EPUB files. The software mishandles file size calculations when opening specially crafted EPUB files, leading to incorrect memory allocations. This issue causes the application to crash. Known affected usage includes desktop services like Tumbler, which may process malicious files automatically when browsing directories. While no direct remote attack vectors are confirmed, any application using libgepub to parse user-supplied EPUB content could be vulnerable to a denial of service. | |||||
| CVE-2025-6161 | 2025-06-17 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability, which was classified as critical, was found in SourceCodester Simple Food Ordering System 1.0. Affected is an unknown function of the file /editproduct.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-49415 | 2025-06-17 | N/A | 8.6 HIGH | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Gallery allows Path Traversal. This issue affects FW Gallery: from n/a through 8.0.0. | |||||
| CVE-2025-49261 | 2025-06-17 | N/A | 8.1 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through 1.3.8. | |||||
| CVE-2025-49260 | 2025-06-17 | N/A | 8.1 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through 1.3.9. | |||||
| CVE-2025-6141 | 2025-06-17 | 1.7 LOW | 3.3 LOW | ||
| A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-30562 | 2025-06-17 | N/A | 8.5 HIGH | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdistillery Navigation Tree Elementor allows Blind SQL Injection. This issue affects Navigation Tree Elementor: from n/a through 1.0.1. | |||||
| CVE-2025-49871 | 2025-06-17 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Mutende Noptin allows Stored XSS. This issue affects Noptin: from n/a through 3.8.7. | |||||