Export limit exceeded: 17970 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 23185 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (335615 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-25651 | 2 Delinea, Delinea Pam | 2 Secret Server, Secret Server | 2025-10-14 | 5.3 Medium |
| User enumeration can occur in the Authentication REST API in Delinea PAM Secret Server 11.4. This allows a remote attacker to determine whether a user is valid because of a difference in responses from the /oauth2/token endpoint. | ||||
| CVE-2025-1534 | 1 Payara | 1 Payara | 2025-10-14 | 5.4 Medium |
| CVE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2. | ||||
| CVE-2024-25653 | 1 Delinea | 1 Secret Server | 2025-10-14 | 4.3 Medium |
| Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI. | ||||
| CVE-2025-24949 | 1 Joturl | 1 Joturl | 2025-10-14 | 6.5 Medium |
| In JotUrl 2.0, is possible to bypass security requirements during the password change process. | ||||
| CVE-2024-29026 | 1 Owncast Project | 1 Owncast | 2025-10-14 | 8.2 High |
| Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue. | ||||
| CVE-2025-5459 | 1 Puppet | 1 Puppet Enterprise | 2025-10-14 | 8.8 High |
| A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0. | ||||
| CVE-2024-3325 | 1 Cloud | 1 Jasperreports Server | 2025-10-14 | 7.2 High |
| Vulnerability in Jaspersoft JasperReport Servers.This issue affects JasperReport Servers: from 8.0.4 through 9.0.0. | ||||
| CVE-2025-11342 | 2 Code-projects, Fabian | 2 Online Course Registration, Online Course Registration Site | 2025-10-14 | 4.7 Medium |
| A weakness has been identified in code-projects Online Course Registration 1.0. This impacts an unknown function of the file /admin/edit-course.php. Executing manipulation of the argument coursecode can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-11347 | 1 Code-projects | 2 Crud Operation System, Student Crud Operation | 2025-10-14 | 7.3 High |
| A vulnerability was found in code-projects Student Crud Operation up to 3.3. This vulnerability affects the function move_uploaded_file of the file add.php of the component Add Student Page/Edit Student Page. Performing manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit has been made public and could be used. | ||||
| CVE-2025-11343 | 1 Code-projects | 2 Crud Operation System, Student Crud Operation | 2025-10-14 | 7.3 High |
| A security vulnerability has been detected in code-projects Student Crud Operation 3.3. Affected is an unknown function of the file delete.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2025-61524 | 1 Casbin | 1 Casdoor | 2025-10-14 | 7.2 High |
| An issue in the permission verification module and organization/application editing interface in Casdoor v2.26.0 and before, and fixed in v.2.63.0, allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mechanism by directly concatenating URLs after login | ||||
| CVE-2025-56683 | 1 Logseq | 1 Logseq | 2025-10-14 | 9.6 Critical |
| A cross-site scripting (XSS) vulnerability in the component /app/marketplace.html of Logseq v0.10.9 allows attackers to execute arbitrary code via injecting arbitrary Javascript into a crafted README.md file. | ||||
| CVE-2025-11511 | 2 Code-projects, Fabian | 2 E-commerce Website, E-commerce Website | 2025-10-14 | 6.3 Medium |
| A flaw has been found in code-projects E-Commerce Website 1.0. Affected is an unknown function of the file /pages/supplier_add.php. Executing manipulation of the argument supp_email can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | ||||
| CVE-2025-11509 | 2 Code-projects, Fabian | 2 E-commerce Website, E-commerce Website | 2025-10-14 | 6.3 Medium |
| A vulnerability was detected in code-projects E-Commerce Website 1.0. This impacts an unknown function of the file /pages/product_add.php. Performing manipulation of the argument prod_name results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | ||||
| CVE-2017-20202 | 2 Google, Web Developer For Chrome | 2 Chrome, Web Developer For Chrome | 2025-10-14 | N/A |
| Web Developer for Chrome v0.4.9 contained malicious code that generated a domain via a DGA and fetched a remote script. The fetched script conditionally loaded follow-on modules that performed extensive ad substitution and malvertising, displayed fake “repair” alerts that redirected users to affiliate programs, and attempted to harvest credentials when users logged in. Injected components enumerate common banner sizes for substitution, replace third-party ad calls, and redirect victim traffic to affiliate landing pages. Potential impacts include user-level code execution in the browser context, large-scale ad fraud and traffic hijacking, credential theft, and exposure to additional payloads delivered by the actor. The compromise was reported on by the maintainer of Web Developer for Chrome on August 2, 2017 and remediated in v0.5.0. | ||||
| CVE-2024-45389 | 2 Cloudcannon, Pagefind | 2 Pagefind, Pagefind | 2025-10-14 | 6.4 Medium |
| Pagefind, a fully static search library, initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script the user loads. This information is gathered by looking up the value of `document.currentScript.src`. Prior to Pagefind version 1.1.1, it is possible to "clobber" this lookup with otherwise benign HTML on the page. This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML to a live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the cross-site scripting vector. Pagefind has tightened this resolution in version 1.1.1 by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind. | ||||
| CVE-2025-59361 | 1 Chaos-mesh | 2 Chaos-mesh, Chaos Mesh | 2025-10-14 | 9.8 Critical |
| The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | ||||
| CVE-2025-59360 | 1 Chaos-mesh | 2 Chaos-mesh, Chaos Mesh | 2025-10-14 | 9.8 Critical |
| The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | ||||
| CVE-2025-59359 | 1 Chaos-mesh | 2 Chaos-mesh, Chaos Mesh | 2025-10-14 | 9.8 Critical |
| The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster. | ||||
| CVE-2025-59358 | 1 Chaos-mesh | 2 Chaos-mesh, Chaos Mesh | 2025-10-14 | 7.5 High |
| The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service. | ||||