Export limit exceeded: 337137 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (337137 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5211 | 1 Phpgurukul | 1 Employee Record Management System | 2025-06-05 | 7.3 High |
| A vulnerability was found in PHPGurukul Employee Record Management System 1.3 and classified as critical. This issue affects some unknown processing of the file /myprofile.php. The manipulation of the argument EmpCode leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-5212 | 1 Phpgurukul | 1 Employee Record Management System | 2025-06-05 | 7.3 High |
| A vulnerability was found in PHPGurukul Employee Record Management System 1.3. It has been classified as critical. Affected is an unknown function of the file /admin/editempexp.php. The manipulation of the argument emp1name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-5213 | 1 Jkev | 1 Responsive E-learning System | 2025-06-05 | 7.3 High |
| A vulnerability was found in projectworlds Responsive E-Learning System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/delete_file.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-44289 | 1 Dell | 1 Command\|configure | 2025-06-05 | 7.3 High |
| Dell Command | Configure versions prior to 4.11.0, contain an improper access control vulnerability. A local malicious standard user could potentially exploit this vulnerability while repairing/changing installation, leading to privilege escalation. | ||||
| CVE-2025-45387 | 1 Osticket | 1 Osticket | 2025-06-05 | 5.4 Medium |
| osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php. | ||||
| CVE-2025-3584 | 1 Thenewsletterplugin | 1 Newsletter | 2025-06-05 | 4.8 Medium |
| The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2023-4406 | 1 Kc Group E-commerce Software Project | 1 Kc Group E-commerce Software | 2025-06-05 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KC Group E-Commerce Software allows Reflected XSS.This issue affects E-Commerce Software: through 20231123. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3662 | 1 Colorlib | 1 Fancybox | 2025-06-05 | 6.1 Medium |
| The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS | ||||
| CVE-2023-46480 | 1 Owncast Project | 1 Owncast | 2025-06-05 | 9.8 Critical |
| An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function. | ||||
| CVE-2023-42501 | 2 Apache, Apache Software Foundation | 2 Superset, Apache Superset | 2025-06-05 | 4.3 Medium |
| Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources. | ||||
| CVE-2025-48999 | 1 Dataease | 1 Dataease | 2025-06-05 | 8.8 High |
| DataEase is an open source business intelligence and data visualization tool. A bypass of CVE-2025-46566's patch exists in versions prior to 2.10.10. In a malicious payload, `getUrlType()` retrieves `hostName`. Since the judgment statement returns false, it will not enter the if statement and will not be filtered. The payload can be directly concatenated at the replace location to construct a malicious JDBC statement. Version 2.10.10 contains a patch for the issue. | ||||
| CVE-2025-49001 | 1 Dataease | 1 Dataease | 2025-06-05 | 9.8 Critical |
| DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds are available. | ||||
| CVE-2025-49002 | 1 Dataease | 1 Dataease | 2025-06-05 | 9.8 Critical |
| DataEase is an open source business intelligence and data visualization tool. Versions prior to version 2.10.10 have a flaw in the patch for CVE-2025-32966 that allow the patch to be bypassed through case insensitivity because INIT and RUNSCRIPT are prohibited. The vulnerability has been fixed in v2.10.10. No known workarounds are available. | ||||
| CVE-2025-5575 | 1 Phpgurukul | 1 Dairy Farm Shop Management System | 2025-06-05 | 7.3 High |
| A vulnerability classified as critical was found in PHPGurukul Dairy Farm Shop Management System 1.3. This vulnerability affects unknown code of the file /add-product.php. The manipulation of the argument productname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-42849 | 1 Silverpeas | 1 Silverpeas | 2025-06-05 | 6.5 Medium |
| An issue in Silverpeas v.6.4.2 and lower allows a remote attacker to cause a denial of service via the password change function. | ||||
| CVE-2024-42850 | 1 Silverpeas | 1 Silverpeas | 2025-06-05 | 9.8 Critical |
| An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity requirements. | ||||
| CVE-2024-39031 | 1 Silverpeas | 1 Silverpeas | 2025-06-05 | 5.4 Medium |
| In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Description" fields when creating an event and then add the administrator or any user to the event. When the invited user (victim) views their own profile, the payload will be executed on their side, even if they do not click on the event. | ||||
| CVE-2023-5604 | 1 Asgaros | 1 Asgaros Forum | 2025-06-05 | 9.8 Critical |
| The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution. | ||||
| CVE-2023-4297 | 2 Mediamanifesto, Mmm Simple File List | 2 Mmm Simple File List, Mmm Simple File List | 2025-06-05 | 4.3 Medium |
| The Mmm Simple File List WordPress plugin through 2.3 does not validate the generated path to list files from, allowing any authenticated users, such as subscribers, to list the content of arbitrary directories. | ||||
| CVE-2023-5942 | 2 Drelton, Medialist | 2 Medialist, Medialist | 2025-06-05 | 5.4 Medium |
| The Medialist WordPress plugin before 1.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||