Vulnerabilities (CVE)

Total 95129 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-9424 1 Ruijie 2 Ws7204-a, Ws7204-a Firmware 2025-09-12 5.8 MEDIUM 4.7 MEDIUM
A vulnerability was identified in Ruijie WS7204-A 2017.06.15. Affected by this vulnerability is an unknown functionality of the file /itbox_pi/branch_import.php?a=branch_list. Such manipulation of the argument province leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-9414 1 Kodcloud 1 Kodbox 2025-09-12 5.8 MEDIUM 4.7 MEDIUM
A vulnerability was found in kalcaddle kodbox 1.61. Affected by this vulnerability is an unknown functionality of the file /?explorer/upload/serverDownload of the component Download from Link Handler. Performing manipulation of the argument url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-46413 1 Getrebuild 1 Rebuild 2025-09-12 N/A 5.1 MEDIUM
Rebuild v3.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the type parameter in the com.rebuild.web.admin.rbstore.RBStoreController#loadDataIndex method.
CVE-2023-3712 1 Honeywell 2 Pm43, Pm43 Firmware 2025-09-12 N/A 6.6 MEDIUM
Files or Directories Accessible to External Parties vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Privilege Escalation. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006).
CVE-2023-3711 1 Honeywell 2 Pm43, Pm43 Firmware 2025-09-12 N/A 6.4 MEDIUM
Session Fixation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Session Credential Falsification through Prediction. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006).
CVE-2025-9406 1 Mossle 1 Lemon 2025-09-12 6.5 MEDIUM 6.3 MEDIUM
A weakness has been identified in xuhuisheng lemon up to 1.13.0. This affects the function uploadImage of the file CmsArticleController.java of the component com.mossle.cms.web.CmsArticleController.uploadImage. This manipulation of the argument Upload causes unrestricted upload. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
CVE-2025-9394 1 Podofo Project 1 Podofo 2025-09-12 4.3 MEDIUM 5.3 MEDIUM
A flaw has been found in PoDoFo 1.1.0-dev. This issue affects the function PdfTokenizer::DetermineDataType of the file src/podofo/main/PdfTokenizer.cpp of the component PDF Dictionary Parser. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called 22d16cb142f293bf956f66a4d399cdd65576d36c. A patch should be applied to remediate this issue.
CVE-2022-24614 1 Metadata-extractor Project 1 Metadata-extractor 2025-09-12 4.3 MEDIUM 5.5 MEDIUM
When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.
CVE-2025-9387 1 Dcnetworks 2 Dcme-720, Dcme-720 Firmware 2025-09-12 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in DCN DCME-720 9.1.5.11. This affects an unknown function of the file /usr/local/www/function/audit/newstatistics/ip_block.php of the component Web Management Backend. Performing manipulation of the argument ip results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. Other products might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-9390 1 Vim 1 Vim 2025-09-12 4.3 MEDIUM 5.3 MEDIUM
A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. It is recommended to upgrade the affected component.
CVE-2025-9391 1 Zhiyou-group 1 Zhiyou Erp 2025-09-12 6.5 MEDIUM 6.3 MEDIUM
A weakness has been identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this issue is the function getFieldValue of the component com.artery.workflow.ServiceImpl. This manipulation of the argument sql causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-8347 1 Kehua 1 Charging Pile Cloud Platform 2025-09-12 6.5 MEDIUM 6.3 MEDIUM
A vulnerability, which was classified as critical, was found in Kehua Charging Pile Cloud Platform 1.0. This affects an unknown part of the file /sys/task/findAllTask. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-54832 1 Opexus 1 Foiaxpress Public Access Link 2025-09-12 N/A 4.3 MEDIUM
OPEXUS FOIAXpress Public Access Link (PAL), version v11.1.0, allows an authenticated user to add entries to the list of states and territories.
CVE-2025-54833 1 Opexus 1 Foiaxpress Public Access Link 2025-09-12 N/A 5.3 MEDIUM
OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords.
CVE-2025-54834 1 Opexus 1 Foiaxpress Public Access Link 2025-09-12 N/A 5.3 MEDIUM
OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place.
CVE-2025-47997 1 Microsoft 4 Sql Server 2016, Sql Server 2017, Sql Server 2019 and 1 more 2025-09-12 N/A 6.5 MEDIUM
Concurrent execution using shared resource with improper synchronization ('race condition') in SQL Server allows an authorized attacker to disclose information over a network.
CVE-2025-54789 1 Humhub 1 Files 2025-09-12 N/A 6.1 MEDIUM
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user’s session. This is fixed in version 0.16.10.
CVE-2025-54790 1 Humhub 1 Files 2025-09-12 N/A 6.5 MEDIUM
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10.
CVE-2025-9580 1 Lb-link 2 Bl-x26, Bl-x26 Firmware 2025-09-12 6.5 MEDIUM 6.3 MEDIUM
A security vulnerability has been detected in LB-LINK BL-X26 1.2.8. This affects an unknown function of the file /goform/set_blacklist of the component HTTP Handler. Such manipulation of the argument mac leads to os command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-8530 1 Eladmin 1 Eladmin 2025-09-12 5.0 MEDIUM 5.3 MEDIUM
A vulnerability, which was classified as problematic, has been found in elunez eladmin up to 2.7. Affected by this issue is some unknown functionality of the file eladmin-system\src\main\resources\config\application-prod.yml of the component Druid. The manipulation of the argument login-username/login-password leads to use of default credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.