Total
83822 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10800 | 2025-09-22 | 7.5 HIGH | 7.3 HIGH | ||
| A weakness has been identified in itsourcecode Online Discussion Forum 1.0. The impacted element is an unknown function of the file /index.php. Executing manipulation of the argument email/password can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-32017 | 1 Umbraco | 1 Umbraco Cms | 2025-09-22 | N/A | 8.8 HIGH |
| Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1. | |||||
| CVE-2024-33258 | 1 Jerryscript | 1 Jerryscript | 2025-09-22 | N/A | 7.1 HIGH |
| Jerryscript commit ff9ff8f was discovered to contain a segmentation violation via the component vm_loop at jerry-core/vm/vm.c. | |||||
| CVE-2024-33453 | 1 Espressif | 1 Esp-idf | 2025-09-22 | N/A | 8.1 HIGH |
| Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote attacker to obtain sensitive information via the externalId component. | |||||
| CVE-2024-3372 | 1 Mongodb | 1 Mongodb | 2025-09-22 | N/A | 7.5 HIGH |
| Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25. | |||||
| CVE-2025-10854 | 2025-09-22 | N/A | 8.1 HIGH | ||
| The txtai framework allows the loading of compressed tar files as embedding indices. While the validate function is intended to prevent path traversal vulnerabilities by ensuring safe filenames, it does not account for symbolic links within the tar file. An attacker is able to write a file anywhere in the filesystem when txtai is used to load untrusted embedding indices | |||||
| CVE-2025-10799 | 2025-09-22 | 7.5 HIGH | 7.3 HIGH | ||
| A security flaw has been discovered in code-projects Hostel Management System 1.0. The affected element is an unknown function of the file /justines/admin/mod_reservation/index.php?view=view. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-10798 | 2025-09-22 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was identified in code-projects Hostel Management System 1.0. Impacted is an unknown function of the file /justines/admin/mod_roomtype/index.php?view=view. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. | |||||
| CVE-2025-10797 | 2025-09-22 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was determined in code-projects Hostel Management System 1.0. This issue affects some unknown processing of the file /justines/index.php. This manipulation of the argument log_email causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2025-10796 | 2025-09-22 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was found in code-projects Hostel Management System 1.0. This vulnerability affects unknown code of the file /justines/admin/login.php. The manipulation of the argument email results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | |||||
| CVE-2025-10795 | 2025-09-22 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability has been found in code-projects Online Bidding System 1.0. This affects an unknown part of the file /administrator/bidupdate.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-47619 | 2 Debian, Oneidentity | 2 Debian Linux, Syslog-ng | 2025-09-22 | N/A | 7.5 HIGH |
| syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue. | |||||
| CVE-2025-5962 | 2025-09-22 | N/A | 7.7 HIGH | ||
| A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls to the history service, an attacker can view, delete, or inject arbitrary history entries, including misleading or malicious commands. This can be used to deceive another user into executing harmful actions, posing a risk of privilege misuse or unauthorized command execution through social engineering. | |||||
| CVE-2025-10793 | 2025-09-22 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability was detected in code-projects E-Commerce Website 1.0. Affected by this vulnerability is an unknown functionality of the file /pages/admin_account_delete.php. Performing manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | |||||
| CVE-2025-10792 | 2025-09-22 | 9.0 HIGH | 8.8 HIGH | ||
| A security vulnerability has been detected in D-Link DIR-513 A1FW110. Affected is an unknown function of the file /goform/formWPS. Such manipulation of the argument webpage leads to buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-10791 | 2025-09-22 | 7.5 HIGH | 7.3 HIGH | ||
| A weakness has been identified in code-projects Online Bidding System 1.0. This impacts an unknown function of the file /administrator/index.php. This manipulation of the argument aduser causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | |||||
| CVE-2025-10786 | 2025-09-22 | 7.5 HIGH | 7.3 HIGH | ||
| A flaw has been found in Campcodes Grocery Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /ajax.php?action=delete_user. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | |||||
| CVE-2021-42083 | 3 Linux, Microsoft, Osnexus | 3 Linux Kernel, Windows, Quantastor | 2025-09-22 | N/A | 8.7 HIGH |
| An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert manager * open the ITSM tab * add a webhook with the URL/service token value ' -h && id | tee /tmp/ttttttddddssss #' (whitespaces are tab characters) * click add * click apply * create a test alert * The test alert will run the command “id | tee /tmp/ttttttddddssss” as root. * after the test alert inspect /tmp/ttttttddddssss it'll contain the ids of the root user. | |||||
| CVE-2021-42082 | 1 Osnexus | 1 Quantastor | 2025-09-22 | N/A | 7.8 HIGH |
| Local users are able to execute scripts under root privileges. POC On the local host run the following command: curl 'localhost:8154/qstor/qs_upgrade.py?taskId=1&a=;`whoami`' | |||||
| CVE-2021-42080 | 1 Osnexus | 1 Quantastor | 2025-09-22 | N/A | 7.4 HIGH |
| An attacker is able to launch a Reflected XSS attack using a crafted URL. POC: Visit the following URL https://<IPADDRESS>:8153/qstorapi/echo?inputMessage=<img%20src=x%20onerror=alert(document.cookie)> | |||||