Total
299941 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-31673 | 1 Kliqqi | 1 Kliqqi Cms | 2025-06-17 | N/A | 9.8 CRITICAL |
| Kliqqi-CMS 2.0.2 is vulnerable to SQL Injection in load_data.php via the userid parameter. | |||||
| CVE-2024-34467 | 1 Thinkphp | 1 Thinkphp | 2025-06-17 | N/A | 6.1 MEDIUM |
| ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl. | |||||
| CVE-2024-34468 | 1 Rukovoditel | 1 Rukovoditel | 2025-06-17 | N/A | 6.1 MEDIUM |
| Rukovoditel before 3.5.3 allows XSS via user_photo to My Page. | |||||
| CVE-2024-34469 | 1 Rukovoditel | 1 Rukovoditel | 2025-06-17 | N/A | 7.1 HIGH |
| Rukovoditel before 3.5.3 allows XSS via user_photo to index.php?module=users/registration&action=save. | |||||
| CVE-2024-34502 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2025-06-17 | N/A | 9.8 CRITICAL |
| An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token. | |||||
| CVE-2024-28521 | 1 Netentsec | 2 Application Security Gateway Firmware, Ns-asg | 2025-06-17 | N/A | 7.8 HIGH |
| SQL Injection vulnerability in Netcome NS-ASG Application Security Gateway v.6.3.1 allows a local attacker to execute arbitrary code and obtain sensitive information via a crafted script to the loginid parameter of the /singlelogin.php component. | |||||
| CVE-2024-28441 | 1 Magicflue | 1 Magicflue | 2025-06-17 | N/A | 9.8 CRITICAL |
| File Upload vulnerability in magicflue v.7.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the messageid parameter of the mail/mailupdate.jsp endpoint. | |||||
| CVE-2024-29273 | 1 Dzzoffice | 1 Dzzoffice | 2025-06-17 | N/A | 6.1 MEDIUM |
| There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document. | |||||
| CVE-2025-46567 | 1 Hiyouga | 1 Llama-factory | 2025-06-17 | N/A | 6.1 MEDIUM |
| LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torch.load()` on user-supplied `.bin` files from an input directory. An attacker can exploit this behavior by crafting a malicious `.bin` file that executes arbitrary commands during deserialization. This issue has been patched in version 1.0.0. | |||||
| CVE-2025-46568 | 1 Stirlingpdf | 1 Stirling Pdf | 2025-06-17 | N/A | 7.5 HIGH |
| Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Prior to version 0.45.0, Stirling-PDF is vulnerable to SSRF-induced arbitrary file read. WeasyPrint redefines a set of HTML tags, including img, embed, object, and others. The references to several files inside, allow the attachment of content from any webpage or local file to a PDF. This allows the attacker to read any file on the server, including sensitive files and configuration files. All users utilizing this feature will be affected. This issue has been patched in version 0.45.0. | |||||
| CVE-2025-3517 | 1 Devolutions | 1 Devolutions Server | 2025-06-17 | N/A | 6.3 MEDIUM |
| Incorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a previously configured user configured in a PAM JIT account via failure to update the internal account’s SID when updating the username. | |||||
| CVE-2025-4178 | 2 Microsoft, Xiaowei1118 | 2 Windows, Java Server | 2025-06-17 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability was found in xiaowei1118 java_server up to 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a on Windows and classified as critical. This issue affects some unknown processing of the file /src/main/java/com/changyu/foryou/controller/FoodController.java of the component File Upload API. The manipulation leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | |||||
| CVE-2025-3927 | 1 Digigram | 1 Pyko-out | 2025-06-17 | N/A | 9.8 CRITICAL |
| Digigram's PYKO-OUT audio-over-IP (AoIP) web-server does not require a password by default, allowing any attacker with the target IP address to connect and compromise the device, potentially pivoting to connected network or hardware devices. | |||||
| CVE-2023-41099 | 1 Atos | 1 Eviden Cardos Api | 2025-06-17 | N/A | 7.8 HIGH |
| In the Windows installer in Atos Eviden CardOS API before 5.5.5.2811, Local Privilege Escalation can occur.(from a regular user to SYSTEM). | |||||
| CVE-2025-4215 | 2 Debian, Ublockorigin | 2 Debian Linux, Ublock Origin | 2025-06-17 | 2.6 LOW | 3.1 LOW |
| A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component. | |||||
| CVE-2025-4218 | 1 Andrewhhan | 1 Browserpilot | 2025-06-17 | 4.3 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in handrew browserpilot up to 0.2.51. It has been declared as critical. Affected by this vulnerability is the function GPTSeleniumAgent of the file browserpilot/browserpilot/agents/gpt_selenium_agent.py. The manipulation of the argument instructions leads to code injection. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-29366 | 1 Dlink | 2 Dir-845l, Dir-845l Firmware | 2025-06-17 | N/A | 8.8 HIGH |
| A command injection vulnerability exists in the cgibin binary in DIR-845L router firmware <= v1.01KRb03. | |||||
| CVE-2025-21572 | 1 Oracle | 1 Opengrok | 2025-06-17 | N/A | 6.1 MEDIUM |
| OpenGrok 1.13.25 has a reflected Cross-Site Scripting (XSS) issue when producing the history view page. This happens through improper handling of path segments. The application reflects unsanitized user input into the HTML output. | |||||
| CVE-2024-58135 | 1 Mojolicious | 1 Mojolicious | 2025-06-17 | N/A | 5.3 MEDIUM |
| Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys. | |||||
| CVE-2024-58134 | 1 Mojolicious | 1 Mojolicious | 2025-06-17 | N/A | 8.1 HIGH |
| Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. | |||||