Total
79575 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8176 | 2025-06-02 | N/A | 7.5 HIGH | ||
| A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. | |||||
| CVE-2024-22819 | 1 Flycms Project | 1 Flycms | 2025-06-02 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/email/email_templets_update. | |||||
| CVE-2024-22592 | 1 Flycms Project | 1 Flycms | 2025-06-02 | N/A | 8.8 HIGH |
| FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/user/group_update | |||||
| CVE-2024-22563 | 1 Openvswitch | 1 Openvswitch | 2025-06-02 | N/A | 7.5 HIGH |
| openvswitch 2.17.8 was discovered to contain a memory leak via the function xmalloc__ in openvswitch-2.17.8/lib/util.c. | |||||
| CVE-2024-20272 | 1 Cisco | 1 Unity Connection | 2025-06-02 | N/A | 7.3 HIGH |
| A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system. This vulnerability is due to a lack of authentication in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by uploading arbitrary files to an affected system. A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root. | |||||
| CVE-2024-0405 | 1 Burst-statistics | 1 Burst Statistics | 2025-06-02 | N/A | 7.2 HIGH |
| The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database. | |||||
| CVE-2023-5922 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2025-06-02 | N/A | 7.5 HIGH |
| The Royal Elementor Addons and Templates WordPress plugin before 1.3.81 does not ensure that users accessing posts via an AJAX action (and REST endpoint, currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protected posts/pages content | |||||
| CVE-2023-51217 | 1 Tenhot | 2 Tws-200, Tws-200 Firmware | 2025-06-02 | N/A | 8.8 HIGH |
| An issue discovered in TenghuTOS TWS-200 firmware version:V4.0-201809201424 allows a remote attacker to execute arbitrary code via crafted command on the ping page component. | |||||
| CVE-2023-50614 | 1 Cdebyte | 2 E880-ir01, E880-ir01 Firmware | 2025-06-02 | N/A | 7.5 HIGH |
| An issue discovereed in EBYTE E880-IR01-V1.1 allows an attacker to obtain sensitive information via crafted POST request to /cgi-bin/luci. | |||||
| CVE-2024-25228 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2025-06-02 | N/A | 8.8 HIGH |
| Vinchin Backup and Recovery 7.2 and Earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php. | |||||
| CVE-2024-28069 | 1 Mitel | 1 Micontact Center Business | 2025-06-02 | N/A | 7.5 HIGH |
| A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to access sensitive information and potentially conduct unauthorized actions within the vulnerable component. | |||||
| CVE-2024-28123 | 1 Wasmi-labs | 1 Wasmi | 2025-06-02 | N/A | 7.3 HIGH |
| Wasmi is an efficient and lightweight WebAssembly interpreter with a focus on constrained and embedded systems. In the WASMI Interpreter, an Out-of-bounds Buffer Write will arise if the host calls or resumes a Wasm function with more parameters than the default limit (128), as it will surpass the stack value. This doesn’t affect calls from Wasm to Wasm, only from host to Wasm. This vulnerability was patched in version 0.31.1. | |||||
| CVE-2024-28286 | 1 Mz-automation | 1 Libiec61850 | 2025-06-02 | N/A | 7.5 HIGH |
| In mz-automation libiec61850 v1.4.0, a NULL Pointer Dereference was detected in the mmsServer_handleFileCloseRequest.c function of src/mms/iso_mms/server/mms_file_service.c. The vulnerability manifests as SEGV and causes the application to crash | |||||
| CVE-2025-21605 | 2025-06-02 | N/A | 7.5 HIGH | ||
| Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates. | |||||
| CVE-2022-37620 | 2 Kangax, Terser | 2 Html-minifier, Html-minifier-terser | 2025-06-01 | N/A | 7.5 HIGH |
| A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression. | |||||
| CVE-2022-41322 | 2 Fedoraproject, Kitty Project | 2 Fedora, Kitty | 2025-06-01 | N/A | 7.8 HIGH |
| In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup. | |||||
| CVE-2025-23368 | 2025-05-31 | N/A | 8.1 HIGH | ||
| A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. | |||||
| CVE-2025-44906 | 2025-05-30 | N/A | 7.8 HIGH | ||
| jhead v3.08 was discovered to contain a heap-use-after-free via the ProcessFile function at jhead.c. | |||||
| CVE-2025-44614 | 2025-05-30 | N/A | 7.5 HIGH | ||
| Tinxy WiFi Lock Controller v1 RF was discovered to store users' sensitive information, including credentials and mobile phone numbers, in plaintext. | |||||
| CVE-2022-43680 | 4 Debian, Fedoraproject, Libexpat Project and 1 more | 18 Debian Linux, Fedora, Libexpat and 15 more | 2025-05-30 | N/A | 7.5 HIGH |
| In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. | |||||