Total
299400 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-49879 | 2025-06-17 | N/A | 8.6 HIGH | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in themezaa Litho allows Path Traversal. This issue affects Litho: from n/a through 3.0. | |||||
| CVE-2025-49253 | 2025-06-17 | N/A | 8.1 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa allows PHP Local File Inclusion. This issue affects Lasa: from n/a through 1.1. | |||||
| CVE-2025-49257 | 2025-06-17 | N/A | 8.1 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota allows PHP Local File Inclusion. This issue affects Zota: from n/a through 1.3.8. | |||||
| CVE-2025-49125 | 2025-06-17 | N/A | 7.5 HIGH | ||
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | |||||
| CVE-2025-24761 | 2025-06-17 | N/A | 8.1 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme DSK allows PHP Local File Inclusion. This issue affects DSK: from n/a through 2.2. | |||||
| CVE-2025-0320 | 2025-06-17 | N/A | N/A | ||
| Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges in Citrix Secure Access Client for Windows | |||||
| CVE-2025-49862 | 2025-06-17 | N/A | 5.9 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in motov.net Ebook Store allows Stored XSS. This issue affects Ebook Store: from n/a through 5.8008. | |||||
| CVE-2025-49877 | 2025-06-17 | N/A | 4.9 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in Metagauss ProfileGrid allows Server Side Request Forgery. This issue affects ProfileGrid : from n/a through 5.9.5.2. | |||||
| CVE-2025-32800 | 2025-06-17 | N/A | N/A | ||
| Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (malicious) code to the package, and then exploit pip install commands by injecting the malicious dependency in the solve. This issue has been fixed in version 25.3.0. A workaround involves using --no-deps for pip install-ing the project from the repository. | |||||
| CVE-2025-31919 | 2025-06-17 | N/A | 9.8 CRITICAL | ||
| Deserialization of Untrusted Data vulnerability in themeton Spare allows Object Injection. This issue affects Spare: from n/a through 1.7. | |||||
| CVE-2025-49156 | 2025-06-17 | N/A | 7.0 HIGH | ||
| A link following vulnerability in the Trend Micro Apex One scan engine could allow a local attacker to escalation privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2025-49875 | 2025-06-17 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IfSo Dynamic Content If-So Dynamic Content Personalization allows Stored XSS. This issue affects If-So Dynamic Content Personalization: from n/a through 1.9.3.1. | |||||
| CVE-2025-48993 | 2025-06-17 | N/A | N/A | ||
| Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27. | |||||
| CVE-2025-28991 | 2025-06-17 | N/A | 8.1 HIGH | ||
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Evon allows PHP Local File Inclusion. This issue affects Evon: from n/a through 3.4. | |||||
| CVE-2025-33122 | 2025-06-17 | N/A | 7.5 HIGH | ||
| IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 could allow a user to gain elevated privileges due to an unqualified library call in IBM Advanced Job Scheduler for i. A malicious actor could cause user-controlled code to run with administrator privilege. | |||||
| CVE-2025-24773 | 2025-06-17 | N/A | 9.3 CRITICAL | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows SQL Injection. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0. | |||||
| CVE-2025-34511 | 2025-06-17 | N/A | 8.8 HIGH | ||
| Sitecore PowerShell Extensions, an add-on to Sitecore Experience Manager (XM) and Experience Platform (XP), through version 7.0 is vulnerable to an unrestricted file upload issue. A remote, authenticated attacker can upload arbitrary files to the server using crafted HTTP requests, resulting in remote code execution. | |||||
| CVE-2025-36632 | 2025-06-17 | N/A | 7.8 HIGH | ||
| In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could execute code with SYSTEM privilege. | |||||
| CVE-2025-49234 | 2025-06-17 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in Deepak anand WP Dummy Content Generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Dummy Content Generator: from n/a through 3.4.6. | |||||
| CVE-2025-32797 | 2025-06-17 | N/A | N/A | ||
| Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, The write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim's privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window. | |||||