Total
306815 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-36272 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.1 CRITICAL |
| A buffer overflow vulnerability exists in the usbip.cgi set_info() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to stack-based buffer overflow. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2024-47093 | 1 Nagvis | 1 Nagvis | 2025-08-21 | N/A | 8.8 HIGH |
| Improper neutralization of input in Nagvis before version 1.9.42 which can lead to XSS | |||||
| CVE-2024-25569 | 2 Fedoraproject, Malaterre | 2 Fedora, Grassroots Dicom | 2025-08-21 | N/A | 6.5 MEDIUM |
| An out-of-bounds read vulnerability exists in the RAWCodec::DecodeBytes functionality of Mathieu Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can lead to an out-of-bounds read. An attacker can provide a malicious file to trigger this vulnerability. | |||||
| CVE-2024-21797 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.1 CRITICAL |
| A command execution vulnerability exists in the adm.cgi set_TR069() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2024-34166 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 10.0 CRITICAL |
| An os command injection vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted set of HTTP requests can lead to arbitrary code execution. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2024-34544 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.1 CRITICAL |
| A command injection vulnerability exists in the wireless.cgi AddMac() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2024-36258 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 10.0 CRITICAL |
| A stack-based buffer overflow vulnerability exists in the touchlist_sync.cgi touchlistsync() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2024-38666 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.1 CRITICAL |
| An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2024-39273 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.0 CRITICAL |
| A firmware update vulnerability exists in the fw_check.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary firmware update. An attacker can perform a man-in-the-middle attack to trigger this vulnerability. | |||||
| CVE-2024-39280 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.1 CRITICAL |
| An external config control vulnerability exists in the nas.cgi set_smb_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2024-39288 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.1 CRITICAL |
| A buffer overflow vulnerability exists in the internet.cgi set_add_routing() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to stack-based buffer overflow. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2024-39294 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.1 CRITICAL |
| A buffer overflow vulnerability exists in the adm.cgi set_wzdgw4G() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to stack-based buffer overflow. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2024-39299 | 1 Wavlink | 2 Wl-wn533a8, Wl-wn533a8 Firmware | 2025-08-21 | N/A | 9.1 CRITICAL |
| A buffer overflow vulnerability exists in the qos.cgi qos_sta_settings() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to stack-based buffer overflow. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2025-9153 | 1 Mayurik | 1 Online Tour \& Travel Management System | 2025-08-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in itsourcecode Online Tour and Travel Management System 1.0. This vulnerability affects unknown code of the file /admin/operations/travellers.php. The manipulation of the argument photo results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. | |||||
| CVE-2024-11623 | 1 Goauthentik | 1 Authentik | 2025-08-21 | N/A | 4.8 MEDIUM |
| Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in 2024.10.4 release. | |||||
| CVE-2025-29928 | 1 Goauthentik | 1 Authentik | 2025-08-21 | N/A | 8.0 HIGH |
| authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate. | |||||
| CVE-2025-9154 | 1 Mayurik | 1 Online Tour \& Travel Management System | 2025-08-21 | 7.5 HIGH | 7.3 HIGH |
| A flaw has been found in itsourcecode Online Tour and Travel Management System 1.0. This issue affects some unknown processing of the file /user/page-login.php. This manipulation of the argument email causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | |||||
| CVE-2025-55737 | 1 Dogukanurker | 1 Flaskblog | 2025-08-21 | N/A | 6.5 MEDIUM |
| flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code that causes the problem is in routes/post.py. | |||||
| CVE-2025-9155 | 1 Mayurik | 1 Online Tour \& Travel Management System | 2025-08-21 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. Impacted is an unknown function of the file /user/forget_password.php. Such manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-9156 | 1 Angeljudesuarez | 1 Sports Management System | 2025-08-21 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in itsourcecode Sports Management System 1.0. The affected element is an unknown function of the file /Admin/sports.php. Performing manipulation of the argument code results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | |||||