Search Results (341651 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2020-12102 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 7.7 High | In Tiny File Manager 2.4.1, there is a Path Traversal vulnerability in the ajax recursive directory listing functionality. This allows authenticated users to enumerate directories and files on the filesystem (outside of the application scope). |
| CVE-2020-12103 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 7.7 High | In Tiny File Manager 2.4.1 there is a vulnerability in the ajax file backup copy functionality which allows authenticated users to create backup copies of files (with .bak extension) outside the scope in the same directory in which they are stored. |
| CVE-2021-40964 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 6.5 Medium | A Path Traversal vulnerability exists in TinyFileManager all versions up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer. |
| CVE-2021-40965 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 8.8 High | A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all versions up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker. |
| CVE-2021-40966 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 5.4 Medium | A Stored XSS exists in TinyFileManager all versions up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and JavaScript in its name. A malicious user can upload a file with a malicious filename containing JavaScript code and it will run on any user browser when they access the server. |
| CVE-2021-45010 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 8.8 High | A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution. |
| CVE-2022-1000 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 9.8 Critical | Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7. |
| CVE-2022-23044 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 8.8 High | Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF. |
| CVE-2022-40490 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 4.8 Medium | Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file. |
| CVE-2025-46268 | 1 Advantech | 2 Webaccess/scada, Webaccess\/scada | 2025-12-31 | 6.3 Medium | Advantech WebAccess/SCADA is vulnerable to SQL injection, which may allow an attacker to execute arbitrary SQL commands. |
| CVE-2025-15138 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 4.7 Medium | A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-63948 | 2 Craigtaub, Phpmsadmin | 2 Phpmsadmin, Phpmsadmin | 2025-12-31 | 5.4 Medium | A SQL Injection vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary SQL commands via the dbname parameter, potentially leading to information disclosure or database manipulation. |
| CVE-2025-63949 | 1 Yohanawi | 1 Hotel Management System | 2025-12-31 | 6.1 Medium | A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' parameter in pages/room.php. |
| CVE-2025-63950 | 1 Tomaszdunia | 1 Twittodon | 2025-12-31 | 7.5 High | An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b (2023-02-28). The 'obj' parameter receives base64-encoded data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, leading to a denial of service. |
| CVE-2025-63951 | 2 Miczflor, Sourcefabric | 2 Rpi-jukebox-rfid, Phoniebox | 2025-12-31 | 7.5 High | An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 (2025-10-07). The 'rss' GET parameter receives data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, causing the application to process them and leading to errors or a denial of service. |
| CVE-2025-67653 | 1 Advantech | 2 Webaccess/scada, Webaccess\/scada | 2025-12-31 | 4.3 Medium | Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to determine the existence of arbitrary files. |
| CVE-2025-15106 | 2 Getmaxun, Maxun | 2 Maxun, Maxun | 2025-12-31 | 6.3 Medium | A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-15105 | 2 Getmaxun, Maxun | 2 Maxun, Maxun | 2025-12-31 | 3.7 Low | A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-15092 | 1 Utt | 2 512w, 512w Firmware | 2025-12-31 | 8.8 High | A vulnerability was identified in UTT 进取 512W up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/ConfigExceptMSN. Such manipulation of the argument remark leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. |
| CVE-2025-15091 | 1 Utt | 2 512w, 512w Firmware | 2025-12-31 | 8.8 High | A vulnerability was determined in UTT 进取 512W up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/formPictureUrl. This manipulation of the argument importpictureurl causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. |