Total
26069 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3709 | 2025-05-02 | N/A | 9.8 CRITICAL | ||
| Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack. | |||||
| CVE-2025-24522 | 2025-05-02 | N/A | 10.0 CRITICAL | ||
| KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server where they can run arbitrary commands on the underlying operating system. | |||||
| CVE-2025-3708 | 2025-05-02 | N/A | 9.8 CRITICAL | ||
| Le-show medical practice management system from Le-yan has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | |||||
| CVE-2025-3746 | 2025-05-02 | N/A | 9.8 CRITICAL | ||
| The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly. | |||||
| CVE-2025-32011 | 2025-05-02 | N/A | 9.8 CRITICAL | ||
| KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability where a remote attacker can bypass authentication to get access due to a path traversal. | |||||
| CVE-2025-2812 | 2025-05-02 | N/A | 9.8 CRITICAL | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection.This issue affects Ticket Sales Automation: before 03.04.2025 (DD.MM.YYYY). | |||||
| CVE-2025-35996 | 2025-05-02 | N/A | 9.0 CRITICAL | ||
| KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. Due to a missing escape or sanitization, the filename could be executed as HTML script tag resulting in a cross-site-scripting attack. | |||||
| CVE-2025-2605 | 2025-05-02 | N/A | 9.9 CRITICAL | ||
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB-Secure allows Privilege Abuse. This issue affects MB-Secure: from V11.04 before V12.53 and MB-Secure PRO from V01.06 before V03.09.Honeywell also recommends updating to the most recent version of this product. | |||||
| CVE-2024-48510 | 2 Dotnetzip.semverd Project, Mihula | 2 Dotnetzip.semverd, Prodotnetzip | 2025-05-02 | N/A | 9.8 CRITICAL |
| Directory Traversal vulnerability in DotNetZip v.1.16.0 and before allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-38541 | 1 Linux | 1 Linux Kernel | 2025-05-02 | N/A | 9.8 CRITICAL |
| In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias() In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). | |||||
| CVE-2025-37087 | 2025-05-01 | N/A | 9.8 CRITICAL | ||
| A vulnerability in the cmdb service of the HPE Performance Cluster Manager (HPCM) could allow an attacker to gain access to an arbitrary file on the server host. | |||||
| CVE-2023-5168 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2025-05-01 | N/A | 9.8 CRITICAL |
| A compromised content process could have provided malicious data to `FilterNodeD2D1` resulting in an out-of-bounds write, leading to a potentially exploitable crash in a privileged process. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 118, Firefox ESR < 115.3, and Thunderbird < 115.3. | |||||
| CVE-2022-3463 | 1 Fluentforms | 1 Contact Form | 2025-05-01 | N/A | 9.8 CRITICAL |
| The Contact Form Plugin WordPress plugin before 4.3.13 does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection | |||||
| CVE-2023-5175 | 1 Mozilla | 1 Firefox | 2025-05-01 | N/A | 9.8 CRITICAL |
| During process shutdown, it was possible that an `ImageBitmap` was created that would later be used after being freed from a different codepath, leading to a potentially exploitable crash. This vulnerability affects Firefox < 118. | |||||
| CVE-2022-3481 | 1 Opmc | 1 Woocommerce Dropshipping | 2025-05-01 | N/A | 9.8 CRITICAL |
| The WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection | |||||
| CVE-2024-37385 | 1 Roundcube | 1 Webmail | 2025-05-01 | N/A | 9.8 CRITICAL |
| Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. | |||||
| CVE-2024-4620 | 1 Reputeinfosystems | 1 Arforms | 2025-05-01 | N/A | 9.8 CRITICAL |
| The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form | |||||
| CVE-2024-38441 | 1 Netatalk | 1 Netatalk | 2025-05-01 | N/A | 9.8 CRITICAL |
| Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19 are also fixed versions. | |||||
| CVE-2024-37734 | 1 Open-emr | 1 Openemr | 2025-05-01 | N/A | 9.8 CRITICAL |
| An issue in OpenEMR 7.0.2 allows a remote attacker to escalate privileges viaa crafted POST request using the noteid parameter. | |||||
| CVE-2025-2857 | 1 Mozilla | 1 Firefox | 2025-05-01 | N/A | 10.0 CRITICAL |
| Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. *This only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1. | |||||