Total
292426 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46619 | 2025-05-02 | N/A | 7.6 HIGH | ||
| A security issue has been discovered in Couchbase Server before 7.6.4 and fixed in v.7.6.4 and v.7.2.7 for Windows that could allow unauthorized access to sensitive files. Depending on the level of privileges, this vulnerability may grant access to files such as /etc/passwd or /etc/shadow. | |||||
| CVE-2025-45011 | 2025-05-02 | N/A | 5.3 MEDIUM | ||
| A HTML Injection vulnerability was discovered in the foreigner-search.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary code via the searchdata POST request parameter. | |||||
| CVE-2025-4087 | 2025-05-02 | N/A | 6.5 MEDIUM | ||
| A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird < 128.10. | |||||
| CVE-2025-4114 | 2025-05-02 | 9.0 HIGH | 8.8 HIGH | ||
| A vulnerability classified as critical has been found in Netgear JWNR2000v2 1.0.0.11. Affected is the function check_language_file. The manipulation of the argument host leads to buffer overflow. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-0716 | 2025-05-02 | N/A | 4.8 MEDIUM | ||
| Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing and also negatively affect the application's performance and behavior by using too large or slow-to-load images. This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . | |||||
| CVE-2023-45721 | 2025-05-02 | N/A | 5.3 MEDIUM | ||
| Insufficient default configuration in HCL Leap allows anonymous access to directory information. | |||||
| CVE-2025-32971 | 2025-05-02 | N/A | 3.8 LOW | ||
| XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's scripting API normally requires programming rights to be called. Due to using the wrong API for checking rights, it doesn't take the fact into account that programming rights might have been dropped by calling `$xcontext.dropPermissions()`. If some code relies on this for the safety of executing Velocity code with the wrong author context, this could allow a user with script rights to either cause a high load by indexing documents or to temporarily remove documents from the search index. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0-rc-1. | |||||
| CVE-2025-4139 | 2025-05-02 | 9.0 HIGH | 8.8 HIGH | ||
| A vulnerability classified as critical was found in Netgear EX6120 1.0.0.68. Affected by this vulnerability is the function fwAcosCgiInbound. The manipulation of the argument host leads to buffer overflow. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-4148 | 2025-05-02 | 9.0 HIGH | 8.8 HIGH | ||
| A vulnerability was found in Netgear EX6200 1.0.3.94 and classified as critical. Affected by this issue is the function sub_503FC. The manipulation of the argument host leads to buffer overflow. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-24348 | 2025-05-02 | N/A | 5.4 MEDIUM | ||
| A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the wireless network configuration file via a crafted HTTP request. | |||||
| CVE-2025-4141 | 2025-05-02 | 9.0 HIGH | 8.8 HIGH | ||
| A vulnerability, which was classified as critical, was found in Netgear EX6200 1.0.3.94. This affects the function sub_3C03C. The manipulation of the argument host leads to buffer overflow. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-4086 | 2025-05-02 | N/A | 6.5 MEDIUM | ||
| A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. *This bug only affects Thunderbird for Android. Other versions of Thunderbird are unaffected.* This vulnerability affects Firefox < 138 and Thunderbird < 138. | |||||
| CVE-2025-46346 | 2025-05-02 | N/A | N/A | ||
| YesWiki is a wiki system written in PHP. Prior to version 4.5.4, a stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user viewing the affected comment. The XSS occurs because the application fails to properly sanitize or encode user input submitted to the comments. Notably, the application sanitizes or does not allow execution of `<script>` tags, but does not account for payloads obfuscated using JavaScript block comments like `/* JavaScriptPayload */`. This issue has been patched in version 4.5.4. | |||||
| CVE-2025-24347 | 2025-05-02 | N/A | 6.5 MEDIUM | ||
| A vulnerability in the “Network Interfaces” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to manipulate the network configuration file via a crafted HTTP request. | |||||
| CVE-2025-40618 | 2025-05-02 | N/A | N/A | ||
| SQL injection vulnerability in Bookgy. This vulnerability could allow an attacker to retrieve, create, update and delete databases by sending an HTTP request through the "IDRESERVA" parameter in /bkg_imprimir_comprobante.php | |||||
| CVE-2025-3599 | 2025-05-02 | N/A | 6.5 MEDIUM | ||
| Symantec Endpoint Protection Windows Agent, running an ERASER Engine prior to 119.1.7.8, may be susceptible to an Elevation of Privilege vulnerability, which may allow an attacker to delete resources that are normally protected from an application or user. | |||||
| CVE-2025-45956 | 2025-05-02 | N/A | N/A | ||
| A SQL injection vulnerability in manage_damage.php in Sourcecodester Computer Laboratory Management System v1.0 allows an authenticated attacker to execute arbitrary SQL commands via the "id" parameter | |||||
| CVE-2025-24339 | 2025-05-02 | N/A | 5.0 MEDIUM | ||
| A vulnerability in the web application of ctrlX OS allows a remote unauthenticated attacker to conduct various attacks against users of the vulnerable system, including web cache poisoning or Man-in-the-Middle (MitM), via a crafted HTTP request. | |||||
| CVE-2025-4144 | 2025-05-02 | N/A | N/A | ||
| PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped. Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27 https://github.com/cloudflare/workers-oauth-provider/pull/27 Impact: PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.). This bug completely bypasses PKCE protection. | |||||
| CVE-2025-4065 | 2025-05-02 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was found in ScriptAndTools Online-Travling-System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/addadvertisement.php. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||