Total
94388 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-9273 | 2025-09-02 | N/A | 4.3 MEDIUM | ||
| CData API Server MySQL Misconfiguration Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of CData API Server. Authentication is required to exploit this vulnerability. The specific flaw exists within the usage of MySQL connections. When connecting to a MySQL server, the product enables an option that gives the MySQL server permission to request local files from the MySQL client. An attacker can leverage this vulnerability to disclose information in the context of NETWORK SERVICE. Was ZDI-CAN-23950. | |||||
| CVE-2025-57611 | 2025-09-02 | N/A | 5.3 MEDIUM | ||
| An issue was discovered in rust-ffmpeg 0.3.0 (after comit 5ac0527) Null pointer dereference vulnerability in the dump() method allows an attacker to cause a denial of service. The vulnerability exists because the method fails to check the return value of avfilter_graph_dump() for NULL, leading to a crash if the underlying memory allocation fails. | |||||
| CVE-2025-55476 | 2025-09-02 | N/A | 6.5 MEDIUM | ||
| FireShare FileShare 1.2.25 contains a time-based blind SQL injection vulnerability in the sort parameter of the endpoint: GET /api/videos/public?sort= This parameter is unsafely evaluated in a SQL ORDER BY clause without proper sanitization, allowing an attacker to inject arbitrary SQL subqueries. | |||||
| CVE-2025-55474 | 2025-09-02 | N/A | 6.1 MEDIUM | ||
| Many Notes 0.10.1 is vulnerable to Cross Site Scripting (XSS), which allows malicious Markdown files to execute JavaScript when viewed. | |||||
| CVE-2025-55473 | 2025-09-02 | N/A | 6.1 MEDIUM | ||
| Asian Arts Talents Foundation (AATF) Website v5.1.x and Docker version 2024.12.8.1 are vulnerable to Cross Site Scripting (XSS). The vulnerability exists in the /ip.php endpoint, which processes and displays the X-Forwarded-For HTTP header without proper sanitization or output encoding. This allows an attacker to inject malicious JavaScript code that will execute in visitor browsers. | |||||
| CVE-2025-55472 | 2025-09-02 | N/A | 6.5 MEDIUM | ||
| SQL Injection vulnerability exists in Tirreno v0.9.5, specifically in the /admin/loadUsers API endpoint. The vulnerability arises due to unsafe handling of user-supplied input in the columns[0][data] parameter, which is directly used in SQL queries without proper validation or parameterization. | |||||
| CVE-2025-55373 | 2025-09-02 | N/A | 5.3 MEDIUM | ||
| Incorrect access control in Beakon Application before v5.4.3 allows authenticated attackers with low-level privileges to escalate privileges and execute commands with Administrator rights. | |||||
| CVE-2025-51966 | 2025-09-02 | N/A | 6.1 MEDIUM | ||
| A cross-site scripting (XSS) vulnerability exists in the PDF preview functionality of uTools thru 7.1.1. When a user previews a specially crafted PDF file, embedded JavaScript code executes within the application's privileged context, potentially allowing attackers to steal sensitive data or perform unauthorized actions. | |||||
| CVE-2025-50757 | 2025-09-02 | N/A | 6.5 MEDIUM | ||
| Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the username parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-50755 | 2025-09-02 | N/A | 6.5 MEDIUM | ||
| Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_cmd function via the command parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2025-50565 | 2025-09-02 | N/A | 6.5 MEDIUM | ||
| Doubo ERP 1.0 has an SQL injection vulnerability due to a lack of filtering of user input, which can be remotely initiated by an attacker. | |||||
| CVE-2025-46047 | 2025-09-02 | N/A | 6.5 MEDIUM | ||
| A User enumeration vulnerability in the /CredentialsServlet/ForgotPassword endpoint in Silverpeas 6.4.1 and 6.4.2 allows remote attackers to determine valid usernames via the Login parameter. | |||||
| CVE-2024-51423 | 2025-09-02 | N/A | 6.1 MEDIUM | ||
| Cross Site Scripting vulnerability in Infor Global HR GHR v.11.23.03.00.21 and before allows a remote attacker to execute arbitrary code via the class parameter. | |||||
| CVE-2024-48705 | 2025-09-02 | N/A | 6.5 MEDIUM | ||
| Wavlink AC1200 with firmware versions M32A3_V1410_230602 and M32A3_V1410_240222 are vulnerable to a post-authentication command injection while resetting the password. This vulnerability is specifically found within the "set_sys_adm" function of the "adm.cgi" binary, and is due to improper santization of the user provided "newpass" field | |||||
| CVE-2025-32430 | 1 Xwiki | 1 Xwiki | 2025-09-02 | N/A | 6.1 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch. | |||||
| CVE-2025-54124 | 1 Xwiki | 1 Xwiki | 2025-09-02 | N/A | 6.5 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. | |||||
| CVE-2025-54125 | 1 Xwiki | 1 Xwiki | 2025-09-02 | N/A | 6.5 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn't needed. There isn't any feature in XWiki itself that depends on the XML export. | |||||
| CVE-2025-8755 | 1 Macrozheng | 1 Mall | 2025-09-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in macrozheng mall up to 1.0.3 and classified as problematic. This issue affects the function detail of the file UmsMemberController.java of the component com.macro.mall.portal.controller. The manipulation of the argument orderId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-8706 | 1 Wanzhou | 1 Woes Intelligent Optimization Energy Saving System | 2025-09-02 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /CommonSolution/CreateFunctionLog of the component Energy Overview Module. The manipulation of the argument MM_MenID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-8739 | 1 Zhenfeng13 | 1 My-blog | 2025-09-02 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in zhenfeng13 My-Blog up to 1.0.0 and classified as problematic. This issue affects some unknown processing of the file /admin/tags/save. The manipulation of the argument tagName leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||