Total
298223 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-6139 | 2025-06-16 | 3.7 LOW | 3.9 LOW | ||
| A vulnerability, which was classified as problematic, has been found in TOTOLINK T10 4.1.8cu.5207. Affected by this issue is some unknown functionality of the file /etc/shadow.sample. The manipulation leads to use of hard-coded password. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-49134 | 2025-06-16 | N/A | N/A | ||
| Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12. | |||||
| CVE-2025-47951 | 2025-06-16 | N/A | 4.9 MEDIUM | ||
| Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12. | |||||
| CVE-2025-32800 | 2025-06-16 | N/A | N/A | ||
| Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (malicious) code to the package, and then exploit pip install commands by injecting the malicious dependency in the solve. This issue has been fixed in version 25.3.0. A workaround involves using --no-deps for pip install-ing the project from the repository. | |||||
| CVE-2009-2631 | 4 Aladdin, Cisco, Sonicwall and 1 more | 5 Safenet Securewire Access Gateway, Adaptive Security Appliance, E-class Ssl Vpn and 2 more | 2025-06-16 | 6.8 MEDIUM | N/A |
| Multiple clientless SSL VPN products that run in web browsers, including Stonesoft StoneGate; Cisco ASA; SonicWALL E-Class SSL VPN and SonicWALL SSL VPN; SafeNet SecureWire Access Gateway; Juniper Networks Secure Access; Nortel CallPilot; Citrix Access Gateway; and other products, when running in configurations that do not restrict access to the same domain as the VPN, retrieve the content of remote URLs from one domain and rewrite them so they originate from the VPN's domain, which violates the same origin policy and allows remote attackers to conduct cross-site scripting attacks, read cookies that originated from other domains, access the Web VPN session to gain access to internal resources, perform key logging, and conduct other attacks. NOTE: it could be argued that this is a fundamental design problem in any clientless VPN solution, as opposed to a commonly-introduced error that can be fixed in separate implementations. Therefore a single CVE has been assigned for all products that have this design | |||||
| CVE-2024-37289 | 1 Trendmicro | 1 Apex One | 2025-06-16 | N/A | 7.8 HIGH |
| An improper access control vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2025-3638 | 1 Moodle | 1 Moodle | 2025-06-16 | N/A | 8.8 HIGH |
| A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk. | |||||
| CVE-2025-46654 | 1 Hackmdio | 1 Codimd | 2025-06-16 | N/A | 4.9 MEDIUM |
| CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file. | |||||
| CVE-2024-36304 | 1 Trendmicro | 1 Apex One | 2025-06-16 | N/A | 7.8 HIGH |
| A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One and Apex One as a Service agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2025-45236 | 1 86dbs | 1 Dbsyncer | 2025-06-16 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the Edit Profile feature of DBSyncer v2.0.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Nickname parameter. | |||||
| CVE-2025-45237 | 1 86dbs | 1 Dbsyncer | 2025-06-16 | N/A | 7.5 HIGH |
| Incorrect access control in the component /config/download of DBSyncer v2.0.6 allows attackers to access the JSON file containing sensitive account information, including the encrypted password. | |||||
| CVE-2025-29573 | 1 Jupo | 1 Mezzanine | 2025-06-16 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability exists in Mezzanine CMS 6.0.0 in the "View Entries" feature within the Forms module. | |||||
| CVE-2025-45607 | 1 Liaoxuefeng | 1 Itranswarp | 2025-06-16 | N/A | 9.8 CRITICAL |
| An issue in the component /manage/ of itranswarp v2.19 allows attackers to bypass authentication via a crafted request. | |||||
| CVE-2025-6137 | 2025-06-16 | 9.0 HIGH | 8.8 HIGH | ||
| A vulnerability classified as critical has been found in TOTOLINK T10 4.1.8cu.5207. Affected is the function setWiFiScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument desc leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-6136 | 2025-06-16 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /insertPayment.php. The manipulation of the argument recipt_no leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4748 | 2025-06-16 | N/A | N/A | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4. | |||||
| CVE-2024-23900 | 1 Jenkins | 1 Matrix Project | 2025-06-16 | N/A | 4.3 MEDIUM |
| Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers. | |||||
| CVE-2024-23740 | 1 Getkap | 1 Kap | 2025-06-16 | N/A | 9.8 CRITICAL |
| An issue in Kap for macOS version 3.6.0 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. | |||||
| CVE-2024-22076 | 1 Myq-solution | 1 Print Server | 2025-06-16 | N/A | 9.8 CRITICAL |
| MyQ Print Server before 8.2 patch 43 allows remote authenticated administrators to execute arbitrary code via PHP scripts that are reached through the administrative interface. | |||||
| CVE-2023-49549 | 1 Cesanta | 1 Mjs | 2025-06-16 | N/A | 7.5 HIGH |
| An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the msj.c file. | |||||