Total
292441 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4088 | 2025-05-02 | N/A | 6.5 MEDIUM | ||
| A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability affects Firefox < 138 and Thunderbird < 138. | |||||
| CVE-2025-39413 | 2025-05-02 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in David Gwyer Simple Sitemap – Create a Responsive HTML Sitemap.This issue affects Simple Sitemap – Create a Responsive HTML Sitemap: from n/a through 3.5.14. | |||||
| CVE-2025-24346 | 2025-05-02 | N/A | 7.5 HIGH | ||
| A vulnerability in the “Proxy” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to manipulate the “/etc/environment” file via a crafted HTTP request. | |||||
| CVE-2025-3910 | 2025-05-02 | N/A | 5.4 MEDIUM | ||
| A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. | |||||
| CVE-2025-46344 | 2025-05-02 | N/A | N/A | ||
| The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1. | |||||
| CVE-2025-30389 | 2025-05-02 | N/A | 8.7 HIGH | ||
| Improper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2025-46347 | 2025-05-02 | N/A | N/A | ||
| YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki vulnerable to remote code execution. An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server, resulting in a full compromise of the server. This could potentially be performed unwittingly by a user. This issue has been patched in version 4.5.4. | |||||
| CVE-2025-4118 | 2025-05-02 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability classified as critical has been found in Weitong Mall 1.0.0. This affects an unknown part of the file /historyList of the component Product History Handler. The manipulation of the argument isDelete with the input 1 leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-24132 | 2025-05-02 | N/A | 6.5 MEDIUM | ||
| The issue was addressed with improved memory handling. This issue is fixed in AirPlay audio SDK 2.7.1, AirPlay video SDK 3.6.0.126, CarPlay Communication Plug-in R18.1. An attacker on the local network may cause an unexpected app termination. | |||||
| CVE-2025-32970 | 2025-05-02 | N/A | 6.1 MEDIUM | ||
| XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirects to any URL. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0. | |||||
| CVE-2025-4071 | 2025-05-02 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in PHPGurukul COVID19 Testing Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /test-details.php. The manipulation of the argument Status leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-32972 | 2025-05-02 | N/A | 2.7 LOW | ||
| XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1. | |||||
| CVE-2025-22884 | 2025-05-02 | N/A | 7.8 HIGH | ||
| Delta Electronics ISPSoft version 3.20 is vulnerable to a Stack-Based buffer overflow vulnerability that could allow an attacker to execute arbitrary code when parsing DVP file. | |||||
| CVE-2025-4072 | 2025-05-02 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability was found in PHPGurukul Online Nurse Hiring System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/edit-nurse.php. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Multiple parameters might be affected. | |||||
| CVE-2025-4078 | 2025-05-02 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, has been found in Wangshen SecGate 3600 2400. This issue affects some unknown processing of the file ?g=log_export_file. The manipulation of the argument file_name leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-46560 | 2025-05-02 | N/A | 6.5 MEDIUM | ||
| vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.8.0 and prior to 0.8.5 are affected by a critical performance vulnerability in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens (e.g., <|audio_|>, <|image_|>) with repeated tokens based on precomputed lengths. Due to inefficient list concatenation operations, the algorithm exhibits quadratic time complexity (O(n²)), allowing malicious actors to trigger resource exhaustion via specially crafted inputs. This issue has been patched in version 0.8.5. | |||||
| CVE-2025-4140 | 2025-05-02 | 9.0 HIGH | 8.8 HIGH | ||
| A vulnerability, which was classified as critical, has been found in Netgear EX6120 1.0.3.94. Affected by this issue is the function sub_30394. The manipulation of the argument host leads to buffer overflow. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-40616 | 2025-05-02 | N/A | N/A | ||
| Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "IDRESERVA" parameter in /bkg_imprimir_comprobante.php. | |||||
| CVE-2022-42449 | 2025-05-02 | N/A | 4.6 MEDIUM | ||
| Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications | |||||
| CVE-2024-30115 | 2025-05-02 | N/A | 6.3 MEDIUM | ||
| Insufficient sanitization policy in HCL Leap allows client-side script injection in the deployed application through the HTML widget. | |||||