Total: 26517 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2024-42733 | 1 Docmosis | 1 Tornado | 2025-06-23 | N/A | 9.8 CRITICAL | An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script to the UNC path input. |
CVE-2025-47110 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-06-23 | N/A | 9.1 CRITICAL | Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. |
CVE-2025-44022 | 1 Vvveb | 1 Vvveb | 2025-06-23 | N/A | 9.8 CRITICAL | An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. |
CVE-2024-40446 | 1 Ctan | 1 Mimetex | 2025-06-23 | N/A | 9.8 CRITICAL | An issue in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted script. |
CVE-2024-35324 | 1 Douchat | 1 Douchat | 2025-06-23 | N/A | 9.8 CRITICAL | Douchat 4.0.5 suffers from an arbitrary file upload vulnerability via Public/Plugins/webuploader/server/preview.php. |
CVE-2025-28056 | 1 Ruifang-tech | 1 Rebuild | 2025-06-23 | N/A | 9.8 CRITICAL | rebuild v3.9.0 through v3.9.3 has a SQL injection vulnerability in the /admin/admin-cli/exec component. |
CVE-2025-43946 | 1 Tcpwave | 1 Ddi | 2025-06-23 | N/A | 9.8 CRITICAL | TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal). |
CVE-2025-21547 | 1 Oracle | 1 Hospitality Opera 5 | 2025-06-23 | N/A | 9.1 CRITICAL | Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.20, 5.6.25.8, 5.6.26.6 and 5.6.27.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). |
CVE-2025-21535 | 1 Oracle | 1 Weblogic Server | 2025-06-23 | N/A | 9.8 CRITICAL | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). |
CVE-2025-20188 | 1 Cisco | 1 Ios Xe | 2025-06-23 | N/A | 10.0 CRITICAL | A vulnerability in the Out-of-Band Access Point (AP) Image Download, the Clean Air Spectral Recording, and the client debug bundles features of Cisco IOS XE Software for Wireless LAN Controllers (WLCs) could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system. This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP file upload interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges. |
CVE-2025-48748 | 1 Netwrix | 1 Directory Manager | 2025-06-23 | N/A | 10.0 CRITICAL | Netwrix Directory Manager (formerly Imanami GroupID) through v.10.0.7784.0 has a hard-coded password. |
CVE-2025-27531 | 1 Apache | 1 Inlong | 2025-06-23 | N/A | 9.8 CRITICAL | Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 before 2.1.0, this issue would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue. |
CVE-2025-28386 | 1 Openc3 | 1 Cosmos | 2025-06-23 | N/A | 9.8 CRITICAL | A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file. |
CVE-2025-29659 | 1 Yiiot | 2 Xy-3820, Xy-3820 Firmware | 2025-06-23 | N/A | 9.8 CRITICAL | Yi IOT XY-3820 6.0.24.10 is vulnerable to Remote Command Execution via the "cmd_listen" function located in the "cmd" binary. |
CVE-2025-29660 | 1 Yiiot | 2 Xy-3820, Xy-3820 Firmware | 2025-06-23 | N/A | 9.8 CRITICAL | A vulnerability exists in the daemon process of the Yi IOT XY-3820 v6.0.24.10, which exposes a TCP service on port 6789. This service lacks proper input validation, allowing attackers to execute arbitrary scripts present on the device by sending specially crafted TCP requests using directory traversal techniques. |
CVE-2024-25678 | 1 Litespeedtech | 1 Lsquic | 2025-06-20 | N/A | 9.8 CRITICAL | In LiteSpeed QUIC (LSQUIC) Library before 4.0.4, DCID validation is mishandled. |
CVE-2024-25307 | 1 Code-projects | 1 Cinema Seat Reservation System | 2025-06-20 | N/A | 9.8 CRITICAL | Code-projects Cinema Seat Reservation System 1.0 allows SQL Injection via the 'id' parameter at "/Cinema-Reservation/booking.php?id=1". |
CVE-2024-24321 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2025-06-20 | N/A | 9.8 CRITICAL | An issue in Dlink DIR-816A2 v.1.10CNB05 allows a remote attacker to execute arbitrary code via the wizardstep4_ssid_2 parameter in the sub_42DA54 function. |
CVE-2024-24189 | 1 Jsish | 1 Jsish | 2025-06-20 | N/A | 9.8 CRITICAL | Jsish v3.5.0 (commit 42c694c) was discovered to contain a use-after-free via the SplitChar at ./src/jsiUtils.c. |
CVE-2024-24015 | 1 Xxyopen | 1 Novel-plus | 2025-06-20 | N/A | 9.8 CRITICAL | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL via /sys/user/exit |