Vulnerabilities (CVE)

Total 83822 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-10800 2025-09-22 7.5 HIGH 7.3 HIGH
A weakness has been identified in itsourcecode Online Discussion Forum 1.0. The impacted element is an unknown function of the file /index.php. Executing manipulation of the argument email/password can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.
CVE-2025-32017 1 Umbraco 1 Umbraco Cms 2025-09-22 N/A 8.8 HIGH
Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1.
CVE-2024-33258 1 Jerryscript 1 Jerryscript 2025-09-22 N/A 7.1 HIGH
Jerryscript commit ff9ff8f was discovered to contain a segmentation violation via the component vm_loop at jerry-core/vm/vm.c.
CVE-2024-33453 1 Espressif 1 Esp-idf 2025-09-22 N/A 8.1 HIGH
Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote attacker to obtain sensitive information via the externalId component.
CVE-2024-3372 1 Mongodb 1 Mongodb 2025-09-22 N/A 7.5 HIGH
Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25.
CVE-2025-10854 2025-09-22 N/A 8.1 HIGH
The txtai framework allows the loading of compressed tar files as embedding indices. While the validate function is intended to prevent path traversal vulnerabilities by ensuring safe filenames, it does not account for symbolic links within the tar file. An attacker is able to write a file anywhere in the filesystem when txtai is used to load untrusted embedding indices
CVE-2025-10799 2025-09-22 7.5 HIGH 7.3 HIGH
A security flaw has been discovered in code-projects Hostel Management System 1.0. The affected element is an unknown function of the file /justines/admin/mod_reservation/index.php?view=view. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.
CVE-2025-10798 2025-09-22 7.5 HIGH 7.3 HIGH
A vulnerability was identified in code-projects Hostel Management System 1.0. Impacted is an unknown function of the file /justines/admin/mod_roomtype/index.php?view=view. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used.
CVE-2025-10797 2025-09-22 7.5 HIGH 7.3 HIGH
A vulnerability was determined in code-projects Hostel Management System 1.0. This issue affects some unknown processing of the file /justines/index.php. This manipulation of the argument log_email causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2025-10796 2025-09-22 7.5 HIGH 7.3 HIGH
A vulnerability was found in code-projects Hostel Management System 1.0. This vulnerability affects unknown code of the file /justines/admin/login.php. The manipulation of the argument email results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.
CVE-2025-10795 2025-09-22 7.5 HIGH 7.3 HIGH
A vulnerability has been found in code-projects Online Bidding System 1.0. This affects an unknown part of the file /administrator/bidupdate.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-47619 2 Debian, Oneidentity 2 Debian Linux, Syslog-ng 2025-09-22 N/A 7.5 HIGH
syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue.
CVE-2025-5962 2025-09-22 N/A 7.7 HIGH
A flaw was found in the Lightspeed history service. Insufficient access controls allow a local, unprivileged user to access and manipulate the chat history of another user on the same system. By abusing inter-process communication calls to the history service, an attacker can view, delete, or inject arbitrary history entries, including misleading or malicious commands. This can be used to deceive another user into executing harmful actions, posing a risk of privilege misuse or unauthorized command execution through social engineering.
CVE-2025-10793 2025-09-22 7.5 HIGH 7.3 HIGH
A vulnerability was detected in code-projects E-Commerce Website 1.0. Affected by this vulnerability is an unknown functionality of the file /pages/admin_account_delete.php. Performing manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
CVE-2025-10792 2025-09-22 9.0 HIGH 8.8 HIGH
A security vulnerability has been detected in D-Link DIR-513 A1FW110. Affected is an unknown function of the file /goform/formWPS. Such manipulation of the argument webpage leads to buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2025-10791 2025-09-22 7.5 HIGH 7.3 HIGH
A weakness has been identified in code-projects Online Bidding System 1.0. This impacts an unknown function of the file /administrator/index.php. This manipulation of the argument aduser causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.
CVE-2025-10786 2025-09-22 7.5 HIGH 7.3 HIGH
A flaw has been found in Campcodes Grocery Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /ajax.php?action=delete_user. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.
CVE-2021-42083 3 Linux, Microsoft, Osnexus 3 Linux Kernel, Windows, Quantastor 2025-09-22 N/A 8.7 HIGH
An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert manager * open the ITSM tab * add a webhook with the URL/service token value ' -h && id | tee /tmp/ttttttddddssss #' (whitespaces are tab characters) * click add * click apply * create a test alert * The test alert will run the command “id | tee /tmp/ttttttddddssss” as root. * after the test alert inspect /tmp/ttttttddddssss it'll contain the ids of the root user.
CVE-2021-42082 1 Osnexus 1 Quantastor 2025-09-22 N/A 7.8 HIGH
Local users are able to execute scripts under root privileges. POC On the local host run the following command: curl 'localhost:8154/qstor/qs_upgrade.py?taskId=1&a=;`whoami`'
CVE-2021-42080 1 Osnexus 1 Quantastor 2025-09-22 N/A 7.4 HIGH
An attacker is able to launch a Reflected XSS attack using a crafted URL. POC: Visit the following URL https://<IPADDRESS>:8153/qstorapi/echo?inputMessage=<img%20src=x%20onerror=alert(document.cookie)>