Total
315139 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-30134 | 1 Hcltech | 1 Traveler For Microsoft Outlook | 2025-10-30 | N/A | 6.7 MEDIUM |
| The HCL Traveler for Microsoft Outlook executable (HTMO.exe) is being flagged as potentially Malicious Software or an Unrecognized Application. | |||||
| CVE-2025-64118 | 2025-10-30 | N/A | N/A | ||
| node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2. | |||||
| CVE-2025-64116 | 2025-10-30 | N/A | N/A | ||
| Movary is a web application to track, rate and explore your movie watch history. Prior to 0.69.0, the login page accepts a redirect parameter without validation, allowing attackers to redirect authenticated users to arbitrary external sites. This vulnerability is fixed in 0.69.0. | |||||
| CVE-2025-64115 | 2025-10-30 | N/A | N/A | ||
| Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0. | |||||
| CVE-2025-64112 | 2025-10-30 | N/A | 8.0 HIGH | ||
| Statmatic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fixed in 5.22.1. | |||||
| CVE-2025-61481 | 2025-10-30 | N/A | 10.0 CRITICAL | ||
| An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to execute injected JavaScript in the administrator’s browser and intercept credentials. | |||||
| CVE-2024-6322 | 2025-10-30 | N/A | 5.4 MEDIUM | ||
| Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource. | |||||
| CVE-2024-30132 | 1 Hcltech | 1 Nomad Server On Domino | 2025-10-30 | N/A | 3.7 LOW |
| HCL Nomad server on Domino did not configure certain HTTP Security headers by default which could allow an attacker to obtain sensitive information via unspecified vectors. | |||||
| CVE-2024-47876 | 1 Sakailms | 1 Sakai | 2025-10-30 | N/A | 8.8 HIGH |
| Sakai is a Collaboration and Learning Environment. Starting in version 23.0 and prior to version 23.2, kernel users created with type roleview can log in as a normal user. This can result in illegal access being granted to the system. Version 23.3 fixes this vulnerability. | |||||
| CVE-2024-30133 | 1 Hcltech | 1 Traveler For Microsoft Outlook | 2025-10-30 | N/A | 5.3 MEDIUM |
| HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability. The application does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. | |||||
| CVE-2025-1732 | 1 Zyxel | 9 Uos, Usg Flex 100h, Usg Flex 100hp and 6 more | 2025-10-30 | N/A | 6.7 MEDIUM |
| An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device. | |||||
| CVE-2025-1731 | 1 Zyxel | 9 Uos, Usg Flex 100h, Usg Flex 100hp and 6 more | 2025-10-30 | N/A | 7.8 HIGH |
| An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid. | |||||
| CVE-2025-41110 | 1 Ghostrobotics | 2 Vision 60, Vision 60 Firmware | 2025-10-30 | N/A | 8.8 HIGH |
| Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment. | |||||
| CVE-2025-11750 | 1 Langgenius | 1 Dify | 2025-10-30 | N/A | 5.3 MEDIUM |
| In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system responds with a message such as "account not found." Conversely, when the username or email exists but the password is incorrect, a different error message is returned. This discrepancy allows an attacker to enumerate valid user accounts by analyzing the error responses, potentially facilitating targeted social engineering, brute force, or credential stuffing attacks. | |||||
| CVE-2025-11844 | 1 Huggingface | 1 Smolagents | 2025-10-30 | N/A | 5.4 MEDIUM |
| Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0. | |||||
| CVE-2025-8848 | 1 Librechat | 1 Librechat | 2025-10-30 | N/A | 5.4 MEDIUM |
| A vulnerability in danny-avila/librechat version 0.7.9 allows for HTML injection via the Accept-Language header. When a logged-in user sends an HTTP GET request with a crafted Accept-Language header, arbitrary HTML can be injected into the <html lang=""> tag of the response. This can lead to potential security risks such as cross-site scripting (XSS) attacks. | |||||
| CVE-2025-62525 | 1 Openwrt | 1 Openwrt | 2025-10-30 | N/A | 7.9 HIGH |
| OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, local users could read and write arbitrary kernel memory using the ioctls of the ltq-ptm driver which is used to drive the datapath of the DSL line. This only effects the lantiq target supporting xrx200, danube and amazon SoCs from Lantiq/Intel/MaxLinear with the DSL in PTM mode. The DSL driver for the VRX518 is not affected. ATM mode is also not affected. Most VDSL lines use PTM mode and most ADSL lines use ATM mode. OpenWrt is normally running as a single user system, but some services are sandboxed. This vulnerability could allow attackers to escape a ujail sandbox or other contains. This is fixed in OpenWrt 24.10.4. There are no workarounds. | |||||
| CVE-2025-62526 | 1 Openwrt | 1 Openwrt | 2025-10-30 | N/A | 7.9 HIGH |
| OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the ubus daemon. The affected code is executed before running the ACL checks, all ubus clients are able to send such messages. In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL. This is fixed in OpenWrt 24.10.4. There are no workarounds. | |||||
| CVE-2025-62617 | 1 Admidio | 1 Admidio | 2025-10-30 | N/A | 7.2 HIGH |
| Admidio is an open-source user management solution. Prior to version 4.3.17, an authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role (such as an administrator) can exploit this vulnerability to execute arbitrary SQL commands. This can lead to a full compromise of the application's database, including reading, modifying, or deleting all data. This issue has been patched in version 4.3.17. | |||||
| CVE-2025-9182 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-10-30 | N/A | 7.5 HIGH |
| Denial-of-service due to out-of-memory in the Graphics: WebRender component. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. | |||||