Total
298033 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-49577 | 2025-06-16 | N/A | 6.5 MEDIUM | ||
| Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1. | |||||
| CVE-2025-49582 | 2025-06-16 | N/A | N/A | ||
| XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don't consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax like titles of information boxes weren't analyzed at all. Similarly, the "source" parameters of the content and context macro weren't anylzed even though they could contain arbitrary XWiki syntax. In the worst case, this could allow a malicious to add malicious script macros including Groovy or Python macros to a page that are then executed after another user with programming righs edits the page, thus allowing remote code execution. The required rights analyzers have been made more robust and extended to cover those cases in XWiki 16.4.7, 16.10.3 and 17.0.0. | |||||
| CVE-2025-6109 | 2025-06-16 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in javahongxi whatsmars 2021.4.0. It has been rated as problematic. Affected by this issue is the function initialize of the file /whatsmars-archetypes/whatsmars-initializr/src/main/java/org/hongxi/whatsmars/initializr/controller/InitializrController.java. The manipulation of the argument artifactId leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-5238 | 2025-06-16 | N/A | 6.4 MEDIUM | ||
| The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-36041 | 2025-06-16 | N/A | 4.7 MEDIUM | ||
| IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1 through 3.5.3, and MQ Operator SC2 3.2.0 through 3.2.12 Native HA CRR could be configured with a private key and chain other than the intended key which could disclose sensitive information or allow the attacker to perform unauthorized actions. | |||||
| CVE-2025-49081 | 2025-06-16 | N/A | N/A | ||
| There is an insufficient input validation vulnerability in the warehouse component of Absolute Secure Access prior to server version 13.55. Attackers with system administrator permissions can impair the availability of the Secure Access administrative UI by writing invalid data to the warehouse over the network. The attack complexity is low, there are no attack requirements, privileges required are high, and there is no user interaction required. There is no impact on confidentiality or integrity; the impact on availability is high. | |||||
| CVE-2025-5930 | 2025-06-16 | N/A | 4.3 MEDIUM | ||
| The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-6065 | 2025-06-16 | N/A | 9.1 CRITICAL | ||
| The Image Resizer On The Fly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' task in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | |||||
| CVE-2025-5337 | 2025-06-16 | N/A | 6.4 MEDIUM | ||
| The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-22854 | 2025-06-16 | N/A | N/A | ||
| Improper handling of non-200 http responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions. | |||||
| CVE-2025-6172 | 2025-06-16 | N/A | N/A | ||
| Permission vulnerability in the mobile application (com.afmobi.boomplayer) may lead to the risk of unauthorized operation. | |||||
| CVE-2025-24922 | 2025-06-16 | N/A | 8.8 HIGH | ||
| A stack-based buffer overflow vulnerability exists in the securebio_identify functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted malicious cv_object can lead to a arbitrary code execution. An attacker can issue an API call to trigger this vulnerability. | |||||
| CVE-2025-6031 | 2025-06-16 | N/A | 7.5 HIGH | ||
| Amazon Cloud Cam is a home security camera that was deprecated on December 2, 2022, is end of life, and is no longer actively supported. When a user powers on the Amazon Cloud Cam, the device attempts to connect to a remote service infrastructure that has been deprecated due to end-of-life status. The device defaults to a pairing status in which an arbitrary user can bypass SSL pinning to associate the device to an arbitrary network, allowing for network traffic interception and modification. We recommend customers discontinue usage of any remaining Amazon Cloud Cams. | |||||
| CVE-2025-28386 | 2025-06-16 | N/A | N/A | ||
| A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file. | |||||
| CVE-2025-44019 | 2025-06-16 | N/A | 7.1 HIGH | ||
| AVEVA PI Data Archive products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service. Depending on the timing of the crash, data present in snapshots/write cache may be lost. | |||||
| CVE-2025-45984 | 2025-06-16 | N/A | 9.8 CRITICAL | ||
| Blink routers BL-WR9000 V2.4.9, BL-AC1900 V1.0.2, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 V1.0.5, BL-LTE300 V1.2.3, BL-F1200_AT1 V1.0.0, BL-X26_AC8 V1.2.8, BLAC450M_AE4 V4.0.0 and BL-X26_DA3 V1.2.7 were discovered to contain a command injection vulnerability via the routepwd parameter in the sub_45B238 function. | |||||
| CVE-2025-46710 | 2025-06-16 | N/A | N/A | ||
| Possible kernel exceptions caused by reading and writing kernel heap data after free. | |||||
| CVE-2025-49579 | 2025-06-16 | N/A | 6.5 MEDIUM | ||
| Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1. | |||||
| CVE-2025-48825 | 2025-06-16 | N/A | 2.5 LOW | ||
| RICOH Streamline NX V3 PC Client versions 3.5.0 to 3.7.0 contains an issue with use of less trusted source, which may allow an attacker who can conduct a man-in-the-middle attack to eavesdrop upgrade requests and execute a malicious DLL with custom code. | |||||
| CVE-2025-6115 | 2025-06-16 | 9.0 HIGH | 8.8 HIGH | ||
| A vulnerability was found in D-Link DIR-619L 2.06B01 and classified as critical. Affected by this issue is the function form_macfilter. The manipulation of the argument mac_hostname_%d/sched_name_%d leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||