Total: 26511 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2025-6513 | | | 2025-06-23 | N/A | 9.3 CRITICAL | Standard Windows users can access the configuration file for database access of the BRAIN2 application and decrypt it.
CVE-2025-52921 | | | 2025-06-23 | N/A | 9.9 CRITICAL | In Innoshop through 0.4.1, an authenticated attacker could exploit the File Manager functions in the admin panel to achieve code execution on the server by uploading a crafted file and then renaming it to have a .php extension using the Rename function. This bypasses the initial check that uploaded files are image files. The application relies on frontend checks to restrict the administrator from changing the extension of uploaded files to .php; this restriction is easily bypassed with any proxy tool (e.g., BurpSuite). Once the attacker renames the file and gives it the .php extension, a GET request can be used to trigger the execution of code on the server.
CVE-2024-45347 | | | 2025-06-23 | N/A | 9.6 CRITICAL | An unauthorized access vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by flawed validation logic and can be exploited by attackers to gain unauthorized access to the victim's device.
CVE-2025-25940 | 1 Visicut | 1 Visicut | 2025-06-23 | N/A | 9.8 CRITICAL | VisiCut 2.1 allows code execution via insecure XML deserialization in the loadPlfFile method of VisicutModel.java.
CVE-2025-28197 | 1 Kidocode | 1 Crawl4ai | 2025-06-23 | N/A | 9.1 CRITICAL | Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py.
CVE-2024-53591 | 1 Seclore | 1 Seclore | 2025-06-23 | N/A | 9.8 CRITICAL | An issue in the login page of Seclore v3.27.5.0 allows attackers to bypass authentication via a brute force attack.
CVE-2024-42733 | 1 Docmosis | 1 Tornado | 2025-06-23 | N/A | 9.8 CRITICAL | An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script to the UNC path input.
CVE-2025-47110 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-06-23 | N/A | 9.1 CRITICAL | Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
CVE-2025-44022 | 1 Vvveb | 1 Vvveb | 2025-06-23 | N/A | 9.8 CRITICAL | An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism.
CVE-2024-40446 | 1 Ctan | 1 Mimetex | 2025-06-23 | N/A | 9.8 CRITICAL | An issue in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted script.
CVE-2024-35324 | 1 Douchat | 1 Douchat | 2025-06-23 | N/A | 9.8 CRITICAL | Douchat 4.0.5 suffers from an arbitrary file upload vulnerability via Public/Plugins/webuploader/server/preview.php.
CVE-2025-28056 | 1 Ruifang-tech | 1 Rebuild | 2025-06-23 | N/A | 9.8 CRITICAL | rebuild v3.9.0 through v3.9.3 has a SQL injection vulnerability in the /admin/admin-cli/exec component.
CVE-2025-43946 | 1 Tcpwave | 1 Ddi | 2025-06-23 | N/A | 9.8 CRITICAL | TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal).
CVE-2025-21547 | 1 Oracle | 1 Hospitality Opera 5 | 2025-06-23 | N/A | 9.1 CRITICAL | Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.20, 5.6.25.8, 5.6.26.6 and 5.6.27.1. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data and the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
CVE-2025-21535 | 1 Oracle | 1 Weblogic Server | 2025-06-23 | N/A | 9.8 CRITICAL | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2025-20188 | 1 Cisco | 1 Ios Xe | 2025-06-23 | N/A | 10.0 CRITICAL | A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.
CVE-2025-48748 | 1 Netwrix | 1 Directory Manager | 2025-06-23 | N/A | 10.0 CRITICAL | Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password.
CVE-2025-27531 | 1 Apache | 1 Inlong | 2025-06-23 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 before 2.1.0; it allows an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue.
CVE-2025-28386 | 1 Openc3 | 1 Cosmos | 2025-06-23 | N/A | 9.8 CRITICAL | A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file.
CVE-2025-29659 | 1 Yiiot | 2 Xy-3820, Xy-3820 Firmware | 2025-06-23 | N/A | 9.8 CRITICAL | Yi IOT XY-3820 6.0.24.10 is vulnerable to Remote Command Execution via the "cmd_listen" function located in the "cmd" binary.