Export limit exceeded: 344767 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344767 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-16738 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2026-04-15 | 5.3 Medium |
| In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup. | ||||
| CVE-2018-11802 | 1 Apache | 1 Solr | 2026-04-15 | 4.3 Medium |
| In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin). | ||||
| CVE-2019-25643 | 1 Endonesia | 1 Endonesia | 2026-04-15 | 8.2 High |
| eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Attackers can send GET requests to banners.php with crafted SQL payloads in the bid parameter to extract sensitive database information from the INFORMATION_SCHEMA tables. | ||||
| CVE-2019-25639 | 1 Matri4web | 1 Matrimony Website Script | 2026-04-15 | 8.2 High |
| Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST parameters. Attackers can inject malicious SQL payloads into parameters like txtGender, religion, Fage, and cboCountry across simplesearch_results.php, advsearch_results.php, specialcase_results.php, locational_results.php, and registration2.php to extract sensitive database information or execute arbitrary SQL commands. | ||||
| CVE-2019-25605 | 1 Play | 1 Equitypandit | 2026-04-15 | 7.5 High |
| EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing user account credentials. | ||||
| CVE-2019-25695 | 1 R-project | 1 R | 2026-04-15 | 8.4 High |
| R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field. | ||||
| CVE-2019-25641 | 1 Netartmedia | 1 Vlog System | 2026-04-15 | 8.2 High |
| Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with malicious email values in the forgotten_password module to extract sensitive database information. | ||||
| CVE-2019-25638 | 1 Meeplace | 1 Meeplace Business Review Script | 2026-04-15 | 7.1 High |
| Meeplace Business Review Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the addclick.php endpoint with crafted SQL payloads in the 'id' parameter to extract sensitive database information or cause denial of service. | ||||
| CVE-2018-25258 | 1 R-project | 1 Rgui | 2026-04-15 | 8.4 High |
| RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution. | ||||
| CVE-2019-25691 | 1 Faleemi | 1 Faleemi Desktop Software | 2026-04-15 | 8.4 High |
| Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets. | ||||
| CVE-2018-25257 | 1 Adianti | 1 Adianti Framework | 2026-04-15 | 7.1 High |
| Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. Attackers can submit crafted SQL statements in the profile edit endpoint to modify user credentials and gain administrative access. | ||||
| CVE-2019-25487 | 1 Sapido | 1 Rb-1732 | 2026-04-15 | 9.8 Critical |
| SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execute code on the device with router privileges. | ||||
| CVE-2019-25465 | 1 Hisilicon | 1 Hiipcam | 2026-04-15 | 7.5 High |
| Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing in the cgi-bin directory. Attackers can request the getadslattr.cgi endpoint to retrieve ADSL credentials and network configuration parameters including usernames, passwords, and DNS settings. | ||||
| CVE-2019-25469 | 1 Newsoftwares | 1 Folder Lock | 2026-04-15 | 6.2 Medium |
| Folder Lock 7.7.9 contains a buffer overflow vulnerability in the serial number registration field that allows local attackers to crash the application by submitting an oversized payload. Attackers can paste a 6000-byte buffer of arbitrary data into the 'Serial Number and Registration Key' field to trigger a denial of service condition. | ||||
| CVE-2019-25477 | 1 Top Password Software | 1 Rar Password Recovery | 2026-04-15 | 6.2 Medium |
| RAR Password Recovery 1.80 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload in the registration dialog. Attackers can craft a malicious input string exceeding 6000 bytes and paste it into the User Name and Registration Code field to trigger an application crash. | ||||
| CVE-2019-25468 | 1 Netgain Systems | 1 Netgain Em Plus | 2026-04-15 | 9.8 Critical |
| NetGain EM Plus 10.1.68 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious parameters to the script_test.jsp endpoint. Attackers can send POST requests with shell commands embedded in the 'content' parameter to execute code and retrieve command output. | ||||
| CVE-2019-25463 | 1 Nsauditor | 1 Spotie Internet Explorer Password Recovery | 2026-04-15 | 6.2 Medium |
| SpotIE Internet Explorer Password Recovery 2.9.5 contains a denial of service vulnerability in the registration key input field that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a 256-character payload into the Key field during registration to trigger a buffer overflow and crash the application. | ||||
| CVE-2017-20218 | 1 Serviio | 1 Serviio Pro | 2026-04-15 | 7.8 High |
| Serviio PRO 1.8 contains an unquoted search path vulnerability in the Windows service that allows local users to execute arbitrary code with elevated privileges by placing malicious executables in the system root path. Additionally, improper directory permissions with full access for the Users group allow authenticated users to replace the executable file with arbitrary binaries, enabling privilege escalation during service startup or system reboot. | ||||
| CVE-2016-20027 | 1 Zkteco | 1 Zkbiosecurity | 2026-04-15 | 6.1 Medium |
| ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application. | ||||
| CVE-2016-20026 | 1 Zkteco | 1 Zkbiosecurity | 2026-04-15 | 9.8 Critical |
| ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges. | ||||