Total
79758 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-5211 | 1 Phpgurukul | 1 Employee Record Management System | 2025-06-05 | 7.5 HIGH | 7.3 HIGH |
A vulnerability was found in PHPGurukul Employee Record Management System 1.3 and classified as critical. This issue affects some unknown processing of the file /myprofile.php. The manipulation of the argument EmpCode leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-5212 | 1 Phpgurukul | 1 Employee Record Management System | 2025-06-05 | 7.5 HIGH | 7.3 HIGH |
A vulnerability was found in PHPGurukul Employee Record Management System 1.3. It has been classified as critical. Affected is an unknown function of the file /admin/editempexp.php. The manipulation of the argument emp1name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-5213 | 1 Jkev | 1 Responsive E-learning System | 2025-06-05 | 7.5 HIGH | 7.3 HIGH |
A vulnerability was found in projectworlds Responsive E-Learning System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/delete_file.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-5068 | 1 Google | 1 Chrome | 2025-06-05 | N/A | 8.8 HIGH |
Use after free in Blink in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | |||||
CVE-2025-48999 | 1 Dataease | 1 Dataease | 2025-06-05 | N/A | 8.8 HIGH |
DataEase is an open source business intelligence and data visualization tool. A bypass of CVE-2025-46566's patch exists in versions prior to 2.10.10. In a malicious payload, `getUrlType()` retrieves `hostName`. Since the judgment statement returns false, it will not enter the if statement and will not be filtered. The payload can be directly concatenated at the replace location to construct a malicious JDBC statement. Version 2.10.10 contains a patch for the issue. | |||||
CVE-2025-5575 | 1 Phpgurukul | 1 Dairy Farm Shop Management System | 2025-06-05 | 7.5 HIGH | 7.3 HIGH |
A vulnerability classified as critical was found in PHPGurukul Dairy Farm Shop Management System 1.3. This vulnerability affects unknown code of the file /add-product.php. The manipulation of the argument productname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2023-6837 | 1 Wso2 | 5 Api Manager, Carbon Identity Application Authentication Endpoint, Carbon Identity Application Authentication Framework and 2 more | 2025-06-05 | N/A | 8.5 HIGH |
Multiple WSO2 products have been identified as vulnerable to perform user impersonation using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option. * A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled. Attacker should have: * A fresh valid user account in the federated IDP that has not been used earlier. * Knowledge of the username of a valid user in the local IDP. When all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation. | |||||
CVE-2025-4332 | 1 Phpgurukul | 1 Company Visitor Management System | 2025-06-05 | 7.5 HIGH | 7.3 HIGH |
A vulnerability was found in PHPGurukul Company Visitor Management System 2.0 and classified as critical. Affected by this issue is some unknown functionality of the file /visitor-detail.php. The manipulation of the argument editid/remark leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-3231 | 1 Phpgurukul | 1 Zoo Management System | 2025-06-05 | 7.5 HIGH | 7.3 HIGH |
A vulnerability was found in PHPGurukul Zoo Management System 2.1. It has been rated as critical. This issue affects some unknown processing of the file /aboutus.php. The manipulation of the argument pagetitle/pagedes leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2025-3419 | 1 Themewinter | 1 Eventin | 2025-06-04 | N/A | 7.5 HIGH |
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
CVE-2024-13793 | 1 D-themes | 1 Wolmart | 2025-06-04 | N/A | 7.3 HIGH |
The Wolmart \| Multi-Vendor Marketplace WooCommerce Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.8.11. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
CVE-2025-4204 | 1 Auctionplugin | 1 Ultimate Wordpress Auction Plugin | 2025-06-04 | N/A | 7.5 HIGH |
The Ultimate Auction Pro plugin for WordPress is vulnerable to SQL Injection via the ‘auction_id’ parameter in all versions up to, and including, 1.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
CVE-2025-3431 | 1 Digitalzoomstudio | 1 Zoomsounds | 2025-06-04 | N/A | 7.5 HIGH |
The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | |||||
CVE-2024-13776 | 1 Digitalzoomstudio | 1 Zoomsounds | 2025-06-04 | N/A | 8.1 HIGH |
The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'dzsap_delete_notice' AJAX action in all versions up to, and including, 6.91. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'seen' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration. There are several other functions also vulnerable to missing authorization. | |||||
CVE-2024-22903 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2025-06-04 | N/A | 8.8 HIGH |
Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the deleteUpdateAPK function. | |||||
CVE-2024-22625 | 1 Campcodes | 1 Supplier Management System | 2025-06-04 | N/A | 7.2 HIGH |
Complete Supplier Management System v1.0 is vulnerable to SQL Injection via /Supply_Management_System/admin/edit_category.php?id=. | |||||
CVE-2022-23092 | 1 Freebsd | 1 Freebsd | 2025-06-04 | N/A | 8.8 HIGH |
The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory. The bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve's Capsicum sandbox. | |||||
CVE-2022-23090 | 1 Freebsd | 1 Freebsd | 2025-06-04 | N/A | 7.7 HIGH |
The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case. An attacker may cause the reference count to overflow, leading to a use after free (UAF). | |||||
CVE-2025-48881 | | | 2025-06-04 | N/A | 8.3 HIGH |
Valtimo is a platform for Business Process Automation. In versions starting from 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If object-urls are exposed via other channels, the contents of these objects can be viewed independent of object-management configurations. This issue has been patched in version 12.13.0.RELEASE. A workaround for this issue involves overriding the endpoint security as defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer. Depending on the implementation, this could result in loss of functionality. | |||||
CVE-2024-22899 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2025-06-04 | N/A | 8.8 HIGH |
Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function. |