Export limit exceeded: 17354 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 342045 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (342045 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6748 | 2025-06-30 | 2.1 Low | ||
| A vulnerability classified as problematic has been found in Bharti Airtel Thanks App 4.105.4 on Android. Affected is an unknown function of the file /Android/data/com.myairtelapp/files/. The manipulation leads to cleartext storage in a file or on disk. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-6738 | 2025-06-30 | 6.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in huija bicycleSharingServer up to 7b8a3ba48ad618604abd4797d2e7cf3b5ac7625a. Affected by this issue is the function userDao.selectUserByUserNameLike of the file UserServiceImpl.java. The manipulation of the argument Username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | ||||
| CVE-2024-12827 | 2025-06-30 | 9.8 Critical | ||
| The DWT - Directory & Listing WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the plugin not properly checking for an empty token value prior to resetting a user's password through the dwt_listing_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | ||||
| CVE-2025-52991 | 2025-06-30 | 3.2 Low | ||
| The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. | ||||
| CVE-2025-4587 | 2025-06-30 | 6.4 Medium | ||
| The A/B Testing for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ab-testing-for-wp/ab-test-block' block in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on the 'id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-40910 | 2025-06-30 | 6.5 Medium | ||
| Net::IP::LPM version 1.10 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation. | ||||
| CVE-2025-4407 | 2025-06-30 | 6.7 Medium | ||
| Insufficient Session Expiration vulnerability in ABB Lite Panel Pro.This issue affects Lite Panel Pro: through 1.0.1. | ||||
| CVE-2025-24290 | 2025-06-30 | N/A | ||
| Multiple Authenticated SQL Injection vulnerabilities found in UISP Application (Version 2.4.206 and earlier) could allow a malicious actor with low privileges to escalate privileges. | ||||
| CVE-2025-52207 | 2025-06-30 | 9.9 Critical | ||
| PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory. | ||||
| CVE-2025-40710 | 2025-06-30 | N/A | ||
| Host Header Injection (HHI) vulnerability in the Hotspot Shield VPN client, which can induce unexpected behaviour when accessing third-party web applications through the VPN tunnel. Although such applications do not present this vulnerability per se, the use of the tunnel, together with a forged Host header, can cause the VPN client to redirect or forward HTTP requests to servers other than those originally intended, leading to consequences such as open redirects or delivery of traffic to infrastructure controlled by an attacker. This does not imply a flaw in the target applications, but in how the VPN client internally handles outgoing headers and requests. | ||||
| CVE-2015-20112 | 2025-06-30 | 3.4 Low | ||
| RLPx 5 has two CTR streams based on the same key, IV, and nonce. This can facilitate decryption on a private network. | ||||
| CVE-2024-12915 | 2025-06-30 | 4.6 Medium | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Devinim Software Library Software allows Reflected XSS.This issue affects Library Software: before 24.11.02. | ||||
| CVE-2023-29113 | 2025-06-30 | 6.3 Medium | ||
| The MIB3 infotainment unit used in Skoda and Volkswagen vehicles does not incorporate any privilege separation for the proprietary inter-process communication mechanism, leaving attackers with presence in the system an ability to undermine access control restrictions implemented at the operating system level. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | ||||
| CVE-2025-41439 | 2025-06-30 | N/A | ||
| A reflected cross-site scripting vulnerability via a specific parameter exists in SLNX Help Documentation of RICOH Streamline NX. If this vulnerability is exploited, an arbitrary script may be executed in the web browser of the user who accessed the product. | ||||
| CVE-2025-24289 | 2025-06-30 | N/A | ||
| A Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in the UCRM Client Signup Plugin (v1.3.4 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. The plugin is disabled by default. | ||||
| CVE-2025-53391 | 2025-06-30 | 9.3 Critical | ||
| The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root. | ||||
| CVE-2025-53393 | 2025-06-30 | 6 Medium | ||
| In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics. | ||||
| CVE-2024-11739 | 2025-06-30 | 9.8 Critical | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Case Informatics Case ERP allows SQL Injection.This issue affects Case ERP: before V2.0.1. | ||||
| CVE-2023-28912 | 2025-06-30 | 5.7 Medium | ||
| The MIB3 unit stores the synchronized phone contact book in clear-text, allowing an attacker with either code execution privilege on the system or physical access to the system to obtain vehicle owner's contact data. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | ||||
| CVE-2023-28911 | 2025-06-30 | 6.5 Medium | ||
| A specific flaw exists within the Bluetooth stack of the MIB3 infotainment. The issue results from the lack of proper validation of user-supplied data, which can result in an arbitrary channel disconnection. An attacker can leverage this vulnerability to cause a denial-of-service attack for every connected client of the infotainment device. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | ||||