Total
26043 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-29432 | 1 Alldata | 1 Alldata | 2025-04-30 | N/A | 9.8 CRITICAL |
Alldata v0.4.6 was discovered to contain a SQL injection vulnerability via the tablename parameter at /data/masterdata/datas. | |||||
CVE-2024-27602 | 1 Alldata | 1 Alldata | 2025-04-30 | N/A | 9.1 CRITICAL |
Alldata V0.4.6 is vulnerable to Incorrect Access Control. The interface documents of many modules have been leaked, for example the /api/system/v2/api-docs module. | |||||
CVE-2024-39331 | 1 Gnu | 1 Emacs | 2025-04-30 | N/A | 9.8 CRITICAL |
In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5. | |||||
CVE-2025-22926 | 1 Os4ed | 1 Opensis | 2025-04-30 | N/A | 9.8 CRITICAL |
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename. | |||||
CVE-2024-38985 | 1 Janrywang | 1 Depath | 2025-04-30 | N/A | 9.8 CRITICAL |
janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set() method at setIn (lib/index.js:90). This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | |||||
CVE-2024-37762 | 1 Machform | 1 Machform | 2025-04-30 | N/A | 9.9 CRITICAL |
MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to a remote code execution. | |||||
CVE-2024-34833 | 1 Oretnom23 | 1 Payroll Management System | 2025-04-30 | N/A | 9.8 CRITICAL |
Sourcecodester Payroll Management System v1.0 is vulnerable to File Upload. Users can upload images via the "save_settings" page. An unauthenticated attacker can leverage this functionality to upload a malicious PHP file instead. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as the user running the web server. | |||||
CVE-2024-25239 | 1 Walterjnr1 | 1 Employee Management System | 2025-04-30 | N/A | 9.8 CRITICAL |
SQL Injection vulnerability in Sourcecodester Employee Management System v1.0 allows attackers to run arbitrary SQL commands via crafted POST request to /emloyee_akpoly/Account/login.php. | |||||
CVE-2022-45400 | 1 Jenkins | 1 Japex | 2025-04-30 | N/A | 9.8 CRITICAL |
Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2022-45397 | 1 Jenkins | 1 Osf Builder Suite \ | 2025-04-30 | N/A | 9.8 CRITICAL |
Jenkins OSF Builder Suite :: XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2022-45396 | 1 Jenkins | 1 Sourcemonitor | 2025-04-30 | N/A | 9.8 CRITICAL |
Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. | |||||
CVE-2022-44006 | 1 Backclick | 1 Backclick | 2025-04-30 | N/A | 9.8 CRITICAL |
An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation or sanitization of upload filenames, an externally reachable, unauthenticated update function permits writing files outside the intended target location. Achieving remote code execution is possible, e.g., by uploading an executable file. | |||||
CVE-2022-44000 | 1 Backclick | 1 Backclick | 2025-04-30 | N/A | 9.8 CRITICAL |
An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server. | |||||
CVE-2022-43999 | 1 Backclick | 1 Backclick | 2025-04-30 | N/A | 9.8 CRITICAL |
An issue was discovered in BACKCLICK Professional 5.9.63. Due to exposed CORBA management services, arbitrary system commands can be executed on the server. | |||||
CVE-2022-43256 | 1 Seacms | 1 Seacms | 2025-04-30 | N/A | 9.8 CRITICAL |
SeaCms before v12.6 was discovered to contain a SQL injection vulnerability via the component /js/player/dmplayer/dmku/index.php. | |||||
CVE-2022-43234 | 1 Hoosk | 1 Hoosk | 2025-04-30 | N/A | 9.8 CRITICAL |
An arbitrary file upload vulnerability in the /attachments component of Hoosk v1.8 allows attackers to execute arbitrary code via a crafted PHP file. | |||||
CVE-2022-43135 | 1 Online Diagnostic Lab Management System Project | 1 Online Diagnostic Lab Management System | 2025-04-30 | N/A | 9.8 CRITICAL |
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /diagnostic/login.php. | |||||
CVE-2022-3574 | 1 Wpforms | 1 Wpforms Pro | 2025-04-30 | N/A | 9.8 CRITICAL |
The WPForms Pro WordPress plugin before 1.7.7 does not validate its form data when generating the exported CSV, which could lead to CSV injection. | |||||
CVE-2025-45428 | 1 Tenda | 2 Ac9, Ac9 Firmware | 2025-04-30 | N/A | 9.8 CRITICAL |
In Tenda ac9 v1.0 with firmware V15.03.05.14_multi, the rebootTime parameter of /goform/SetSysAutoRebbotCfg has a stack overflow vulnerability, which can lead to remote arbitrary code execution. | |||||
CVE-2025-29911 | 1 Nasa | 1 Cryptolib | 2025-04-30 | N/A | 9.8 CRITICAL |
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. A critical heap buffer overflow vulnerability was identified in the `Crypto_AOS_ProcessSecurity` function of CryptoLib versions 1.3.3 and prior. This vulnerability allows an attacker to trigger a Denial of Service (DoS) or potentially execute arbitrary code (RCE) by providing a maliciously crafted AOS frame with an insufficient length. The vulnerability lies in the function `Crypto_AOS_ProcessSecurity`, specifically during the processing of the Frame Error Control Field (FECF). The affected code attempts to read from the `p_ingest` buffer at indices `current_managed_parameters_struct.max_frame_size - 2` and `current_managed_parameters_struct.max_frame_size - 1` without verifying if `len_ingest` is sufficiently large. This leads to a heap buffer overflow when `len_ingest` is smaller than `max_frame_size`. As of time of publication, no known patched versions exist. |