Vulnerabilities (CVE)

Total 296641 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-39323 2 Fedoraproject, Golang 2 Fedora, Go 2025-06-12 N/A 8.1 HIGH
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
CVE-2025-47815 1 Gnu 1 Pspp 2025-06-12 N/A 4.5 MEDIUM
libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cause a heap-based buffer overflow in inflate_read (called indirectly from zip_member_read_all) in zip-reader.c.
CVE-2025-31396 2025-06-12 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5.
CVE-2025-49651 2025-06-12 N/A 8.1 HIGH
Missing Authorization in Lablup's BackendAI allows attackers to takeover all active sessions; Accessing, stealing, or altering any data accessible in the session. This vulnerability exists in all current versions of BackendAI.
CVE-2025-24770 2025-06-12 N/A 8.1 HIGH
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme CraftXtore allows PHP Local File Inclusion. This issue affects CraftXtore: from n/a through 1.7.
CVE-2025-5896 2025-06-12 4.0 MEDIUM 4.3 MEDIUM
A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component.
CVE-2025-45055 2025-06-12 N/A 5.4 MEDIUM
Silverpeas 6.4.2 contains a stored cross-site scripting (XSS) vulnerability in the event management module. An authenticated user can upload a malicious SVG file as an event attachment, which, when viewed by an administrator, executes embedded JavaScript in the admin's session. This allows attackers to escalate privileges by creating a new administrator account. The vulnerability arises from insufficient sanitization of SVG files and weak CSRF protections.
CVE-2025-49141 2025-06-12 N/A 8.5 HIGH
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.
CVE-2025-47598 2025-06-12 N/A 6.5 MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in click5 History Log by click5 allows Stored XSS. This issue affects History Log by click5: from n/a through 1.0.13.
CVE-2025-32308 2025-06-12 N/A 7.6 HIGH
Missing Authorization vulnerability in looks_awesome Team Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team Builder: from n/a through 1.5.7.
CVE-2025-31635 2025-06-12 N/A 7.5 HIGH
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup CLEVER allows Path Traversal. This issue affects CLEVER: from n/a through 2.6.
CVE-2023-25999 2025-06-12 N/A 8.1 HIGH
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme BodyCenter - Gym, Fitness WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects BodyCenter - Gym, Fitness WooCommerce WordPress Theme: from n/a through 2.4.
CVE-2025-49280 2025-06-12 N/A 8.1 HIGH
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magty allows PHP Local File Inclusion. This issue affects Magty: from n/a through 1.0.6.
CVE-2025-47651 2025-06-12 N/A 8.5 HIGH
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global allows SQL Injection. This issue affects Infility Global: from n/a through 2.12.4.
CVE-2025-5880 2025-06-12 3.3 LOW 4.3 MEDIUM
A vulnerability has been found in Whistle 2.9.98 and classified as problematic. This vulnerability affects unknown code of the file /cgi-bin/sessions/get-temp-file. The manipulation of the argument filename leads to path traversal. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-5891 2025-06-12 4.0 MEDIUM 4.3 MEDIUM
A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.6. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-48143 2025-06-12 N/A 7.1 HIGH
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in salesup2019 Formulario de contacto SalesUp! allows Reflected XSS. This issue affects Formulario de contacto SalesUp!: from n/a through 1.0.14.
CVE-2025-40668 2025-06-12 N/A N/A
Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an attacker, with low privilege level, to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat in /PC/WebService.aspx/validateChangePassword%C3%B1a. To exploit the vulnerability the PasswordActual parameter must be empty.
CVE-2025-48130 2025-06-12 N/A 7.5 HIGH
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spicethemes Spice Blocks allows Path Traversal. This issue affects Spice Blocks: from n/a through 2.0.7.2.
CVE-2025-49265 2025-06-12 N/A 7.5 HIGH
Missing Authorization vulnerability in WP Swings Membership For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through 2.8.1.