Export limit exceeded: 341330 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 341330 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (341330 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-0845 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 6.4 Medium |
| The DesignThemes Core Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-0955 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 5.3 Medium |
| The VidoRev Extensions plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'vidorev_import_single_video' AJAX action in all versions up to, and including, 2.9.9.9.9.9.5. This makes it possible for unauthenticated attackers to import arbitrary youtube videos. | ||||
| CVE-2025-0958 | 2 Nitesh Singh, Wordpress | 2 Ultimate Wordpress Auction Plugin, Wordpress | 2025-07-13 | 5.4 Medium |
| The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 4.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary auctions, posts as well as pages and allows them to execute other actions related to auction handling. | ||||
| CVE-2025-1061 | 2 Nextendweb, Wordpress | 2 Nextend Social Login Pro, Wordpress | 2025-07-13 | 9.8 Critical |
| The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | ||||
| CVE-2025-1106 | 1 Cmseasy | 1 Cmseasy | 2025-07-13 | 5.4 Medium |
| A vulnerability classified as critical has been found in CmsEasy 7.7.7.9. This affects the function deletedir_action/restore_action in the library lib/admin/database_admin.php. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-1143 | 1 Billion Electric | 1 M120n | 2025-07-13 | 8.4 High |
| Certain models of routers from Billion Electric has hard-coded embedded linux credentials, allowing attackers to log in through the SSH service using these credentials and obtain root privilege of the system. | ||||
| CVE-2025-1151 | 1 Gnu | 1 Binutils | 2025-07-13 | 3.1 Low |
| A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master." | ||||
| CVE-2025-1249 | 2 Pixelite, Wordpress | 2 Events Manager, Wordpress | 2025-07-13 | 5.3 Medium |
| Missing Authorization vulnerability in Pixelite Events Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Events Manager: from n/a through 6.6.4.1. | ||||
| CVE-2025-1267 | 2 Groundhogg, Wordpress | 2 Groundhogg, Wordpress | 2025-07-13 | 5.5 Medium |
| The Groundhogg plugin for Wordpress is vulnerable to Stored Cross-Site Scripting via the ‘label' parameter in versions up to, and including, 3.7.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2025-1340 | 1 Totolink | 1 X18 | 2025-07-13 | 8.8 High |
| A vulnerability classified as critical has been found in TOTOLINK X18 9.1.0cu.2024_B20220329. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi. The manipulation as part of String leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-1385 | 1 Clickhouse | 1 Clickhouse | 2025-07-13 | N/A |
| When the library bridge feature is enabled, the clickhouse-library-bridge exposes an HTTP API on localhost. This allows clickhouse-server to dynamically load a library from a specified path and execute it in an isolated process. Combined with the ClickHouse table engine functionality that permits file uploads to specific directories, a misconfigured server can be exploited by an attacker with privilege to access to both table engines to execute arbitrary code on the ClickHouse server. You can check if your ClickHouse server is vulnerable to this vulnerability by inspecting the configuration file and confirming if the following setting is enabled: <library_bridge> <port>9019</port> </library_bridge> | ||||
| CVE-2025-1404 | 2 Ays-pro, Wordpress | 2 Secure Copy Content Protection And Content Locking, Wordpress | 2025-07-13 | 5.3 Medium |
| The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_sccp_reports_user_search() function in all versions up to, and including, 4.4.7. This makes it possible for unauthenticated attackers to retrieve a list of registered user emails. | ||||
| CVE-2025-1564 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 9.8 Critical |
| The SetSail Membership plugin for WordPress is vulnerable to in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a users identity through the social login. This makes it possible for unauthenticated attackers to log in as any user, including administrators and take over access to their account. | ||||
| CVE-2025-1588 | 1 Phpgurukul | 1 Online Nurse Hiring System | 2025-07-13 | 6.5 Medium |
| A vulnerability has been found in PHPGurukul Online Nurse Hiring System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/manage-nurse.php. The manipulation of the argument profilepic leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions contradicting vulnerability classes. | ||||
| CVE-2025-1767 | 1 Kubernetes | 1 Kubelet | 2025-07-13 | 6.5 Medium |
| This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable. | ||||
| CVE-2025-1804 | 1 Blizzard | 1 Battle.net | 2025-07-13 | 7 High |
| A vulnerability was found in Blizzard Battle.Net up to 2.39.0.15212 on Windows and classified as critical. Affected by this issue is some unknown functionality in the library profapi.dll. The manipulation leads to uncontrolled search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The vendor assigns this issue a low risk level. | ||||
| CVE-2025-1879 | 1 I-drive | 2 I11, I12 | 2025-07-13 | 2.4 Low |
| A vulnerability was found in i-Drive i11 and i12 up to 20250227 and classified as problematic. This issue affects some unknown processing of the component APK. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the physical device. It was not possible to identify the current maintainer of the product. It must be assumed that the product is end-of-life. | ||||
| CVE-2025-1897 | 1 Tenda | 1 Tx3 | 2025-07-13 | 6.5 Medium |
| A vulnerability, which was classified as critical, has been found in Tenda TX3 16.03.13.11_multi. This issue affects some unknown processing of the file /goform/SetNetControlList. The manipulation of the argument list leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-20014 | 1 Myscada | 1 Mypro Manager | 2025-07-13 | 9.8 Critical |
| mySCADA myPRO does not properly neutralize POST requests sent to a specific port with version information. This vulnerability could be exploited by an attacker to execute arbitrary commands on the affected system. | ||||
| CVE-2025-20242 | 1 Cisco | 1 Unified Contact Center Enterprise | 2025-07-13 | 6.5 Medium |
| A vulnerability in the Cloud Connect component of Cisco Unified Contact Center Enterprise (CCE) could allow an unauthenticated, remote attacker to read and modify data on an affected device. This vulnerability is due to a lack of proper authentication controls. An attacker could exploit this vulnerability by sending crafted TCP data to a specific port on an affected device. A successful exploit could allow the attacker to read or modify data on the affected device. | ||||