Total
298223 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-49427 | 1 Tenda | 2 Ax12, Ax12 Firmware | 2025-06-16 | N/A | 7.5 HIGH |
| Buffer Overflow vulnerability in Tenda AX12 V22.03.01.46, allows remote attackers to cause a denial of service (DoS) via list parameter in SetNetControlList function. | |||||
| CVE-2023-46837 | 1 Xen | 1 Xen | 2025-06-16 | N/A | 3.3 LOW |
| Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. This undefined behavior was meant to be addressed by XSA-437, but the approach was not sufficient. | |||||
| CVE-2023-42887 | 1 Apple | 1 Macos | 2025-06-16 | N/A | 6.3 MEDIUM |
| An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Ventura 13.6.4, macOS Sonoma 14.2. An app may be able to read arbitrary files. | |||||
| CVE-2023-38610 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-06-16 | N/A | 7.1 HIGH |
| A memory corruption issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14, iOS 17 and iPadOS 17. An app may be able to cause unexpected system termination or write kernel memory. | |||||
| CVE-2023-35837 | 1 Solax | 2 Pocket Wifi 3, Pocket Wifi 3 Firmware | 2025-06-16 | N/A | 9.8 CRITICAL |
| An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. Authentication for web interface is completed via an unauthenticated WiFi AP. The administrative password for the web interface has a default password, equal to the registration ID of the device. This same registration ID is used as the WiFi SSID name. No routine is in place to force a change to this password on first use or bring its default state to the attention of the user. Once authenticated, an attacker can reconfigure the device or upload new firmware, both of which can lead to Denial of Service, code execution, or Escalation of Privileges. | |||||
| CVE-2023-32887 | 1 Mediatek | 38 Mt2735, Mt6813, Mt6833 and 35 more | 2025-06-16 | N/A | 7.5 HIGH |
| In Modem IMS Stack, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01161837; Issue ID: MOLY01161837 (MSV-892). | |||||
| CVE-2021-43584 | 1 Nagios | 1 Nagios Cross Platform Agent | 2025-06-16 | N/A | 4.8 MEDIUM |
| DOM-based Cross Site Scripting (XSS vulnerability in 'Tail Event Logs' functionality in Nagios Nagios Cross-Platform Agent (NCPA) before 2.4.0 allows attackers to run arbitrary code via the name element when filtering for a log. | |||||
| CVE-2025-45612 | 1 Exrick | 1 Xmall | 2025-06-16 | N/A | 9.8 CRITICAL |
| Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index. | |||||
| CVE-2025-29602 | 1 Flatpress | 1 Flatpress | 2025-06-16 | N/A | 6.1 MEDIUM |
| flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in Administration area via Manage categories. | |||||
| CVE-2025-29746 | 1 Benjaminjonard | 1 Koillection | 2025-06-16 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Koillection v.1.6.10 allows a remote attacker to escalate privileges via the collection, Wishlist and album components | |||||
| CVE-2025-6135 | 2025-06-16 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /insertNominee.php. The manipulation of the argument client_id/nominee_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-6134 | 2025-06-16 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been classified as critical. This affects an unknown part of the file /insertClient.php. The manipulation of the argument client_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | |||||
| CVE-2025-6087 | 2025-06-16 | N/A | N/A | ||
| A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint. This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for Open Next. For example: https://victim-site.com/_next/image?url=https://attacker.com In this example, attacker-controlled content from attacker.com is served through the victim site’s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services. Impact: * SSRF via unrestricted remote URL loading * Arbitrary remote content loading * Potential internal service exposure or phishing risks through domain abuse Mitigation: The following mitigations have been put in place: * Server side updates to Cloudflare’s platform to restrict the content loaded via the /_next/image endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next * Root cause fix https://github.com/opennextjs/opennextjs-cloudflare/pull/727 to the Cloudflare adapter for Open Next. The patched version of the adapter is found here @opennextjs/cloudflare@1.3.0 https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0 * Package dependency update https://github.com/cloudflare/workers-sdk/pull/9608 to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare is found here: create-cloudflare@2.49.3 https://www.npmjs.com/package/create-cloudflare/v/2.49.3 In addition to the automatic mitigation deployed on Cloudflare’s platform, we encourage affected users to upgrade to @opennext/cloudflare v1.3.0 and use the remotePatterns https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns filter in Next config https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns if they need to allow-list external urls with images assets. | |||||
| CVE-2025-32797 | 2025-06-16 | N/A | N/A | ||
| Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, The write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim's privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window. | |||||
| CVE-2024-25715 | 1 Glewlwyd Sso Server Project | 1 Glewlwyd Sso Server | 2025-06-16 | N/A | 6.1 MEDIUM |
| Glewlwyd SSO server 2.x through 2.7.6 allows open redirection via redirect_uri. | |||||
| CVE-2024-25712 | 1 Http-swagger Project | 1 Http-swagger | 2025-06-16 | N/A | 6.1 MEDIUM |
| http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded (via httpSwagger.WrapHandler and *webdav.memFile) can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because (if a solution continued to allow PUT requests) large files could have been blocked without blocking JavaScript, or JavaScript could have been blocked without blocking large files. | |||||
| CVE-2024-25679 | 1 Pquic | 1 Pquic | 2025-06-16 | N/A | 6.5 MEDIUM |
| In PQUIC before 5bde5bb, retention of unused initial encryption keys allows attackers to disrupt a connection with a PSK configuration by sending a CONNECTION_CLOSE frame that is encrypted via the initial key computed. Network traffic sniffing is needed as part of exploitation. | |||||
| CVE-2024-25677 | 1 Minbrowser | 1 Min | 2025-06-16 | N/A | 8.8 HIGH |
| In Min before 1.31.0, local files are not correctly treated as unique security origins, which allows them to improperly request cross-origin resources. For example, a local file may request other local files through an XML document. | |||||
| CVE-2024-25453 | 1 Axiosys | 1 Bento4 | 2025-06-16 | N/A | 5.5 MEDIUM |
| Bento4 v1.6.0-640 was discovered to contain a NULL pointer dereference via the AP4_StszAtom::GetSampleSize() function. | |||||
| CVE-2024-25450 | 1 Enlightenment | 1 Imlib2 | 2025-06-16 | N/A | 8.8 HIGH |
| imlib2 v1.9.1 was discovered to mishandle memory allocation in the function init_imlib_fonts(). | |||||