Total
8367 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3059 | 1 Profile Private Project | 1 Profile Private | 2025-09-02 | N/A | 5.3 MEDIUM |
| Vulnerability in Drupal Profile Private.This issue affects Profile Private: *.*. | |||||
| CVE-2025-57756 | 1 Contao | 1 Contao | 2025-09-02 | N/A | 5.3 MEDIUM |
| Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search. | |||||
| CVE-2025-57757 | 1 Contao | 1 Contao | 2025-09-02 | N/A | 5.3 MEDIUM |
| Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, if a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not adding protected news archives to the news feed page. | |||||
| CVE-2024-9945 | 2025-08-29 | N/A | 5.3 MEDIUM | ||
| An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders. | |||||
| CVE-2024-6633 | 1 Fortra | 1 Filecatalyst Workflow | 2025-08-29 | N/A | 9.8 CRITICAL |
| The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software. The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB. | |||||
| CVE-2025-58061 | 2025-08-29 | N/A | 5.5 MEDIUM | ||
| OpenEBS Local PV RawFile allows dynamic deployment of Stateful Persistent Node-Local Volumes & Filesystems for Kubernetes. Prior to version 0.10.0, persistent volume data is world readable and that would allow non-privileged users to access sensitive data such as databases of k8s workload. The rawfile-localpv storage class creates persistent volume data under /var/csi/rawfile/ on Kubernetes hosts by default. However, the directory and data in it are world-readable. It allows non-privileged users to access the whole persistent volume data, and those can include sensitive information such as a whole database if the Kubernetes tenants are running MySQL or PostgreSQL in a container so it could lead to a database breach. This issue has been patched in version 0.10.0. | |||||
| CVE-2025-58059 | 2025-08-29 | N/A | 9.1 CRITICAL | ||
| Valtimo is a platform for Business Process Automation. In versions before 12.16.0.RELEASE, and from 13.0.0.RELEASE to before 13.1.2.RELEASE, any admin that can create or modify and execute process-definitions could gain access to sensitive data or resources. This includes but is not limited to: running executables on the application host, inspecting and extracting data from the host environment or application properties, spring beans (application context, database pooling). The following conditions have to be met in order to perform this attack: the user must be logged in, have the admin role, and must have some knowledge about running scripts via a the Camunda/Operator engine. Version 12.16.0 and 13.1.2 have been patched. It is strongly advised to upgrade. If no scripting is needed in any of the processes, it could be possible to disable it altogether via the ProcessEngineConfiguration. However, this workaround could lead to unexpected side-effects. | |||||
| CVE-2024-13982 | 2025-08-29 | N/A | N/A | ||
| SPON IP Network Broadcast System, a digital audio transmission platform developed by SPON Communications, contains an arbitrary file read vulnerability in the rj_get_token.php endpoint. The flaw arises from insufficient input validation on the jsondata[url] parameter, which allows attackers to perform directory traversal and access sensitive files on the server. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted POST request to read arbitrary files, potentially exposing system configuration, credentials, or internal logic. An affected version range is undefined. | |||||
| CVE-2024-13807 | 2025-08-29 | N/A | 7.5 HIGH | ||
| The Xagio SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.1.0.5 via the backup functionality due to weak filename structure and lack of protection in the directory. This makes it possible for unauthenticated attackers to extract sensitive data from backups which can include the entire database and site's files. | |||||
| CVE-2025-20290 | 2025-08-29 | N/A | 5.5 MEDIUM | ||
| A vulnerability in the logging feature of Cisco NX-OS Software for Cisco Nexus 3000 Series Switches, Cisco Nexus 9000 Series Switches in standalone NX-OS mode, Cisco UCS 6400 Fabric Interconnects, Cisco UCS 6500 Series Fabric Interconnects, and Cisco UCS 9108 100G Fabric Interconnects could allow an authenticated, local attacker access to sensitive information. This vulnerability is due to improper logging of sensitive information. An attacker could exploit this vulnerability by accessing log files on the file system where they are stored. A successful exploit could allow the attacker to access sensitive information, such as stored credentials. | |||||
| CVE-2015-0255 | 2 Opensuse, X.org | 2 Opensuse, X Server | 2025-08-29 | 6.4 MEDIUM | N/A |
| X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request. | |||||
| CVE-2017-2624 | 2 Debian, X.org | 2 Debian Linux, X Server | 2025-08-29 | 1.9 LOW | 5.9 MEDIUM |
| It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack. | |||||
| CVE-2025-8525 | 1 Exrick | 1 Xboot | 2025-08-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-9005 | 1 Mtons | 1 Mblog | 2025-08-27 | 2.6 LOW | 3.7 LOW |
| A vulnerability was determined in mtons mblog up to 3.5.0. Affected is an unknown function of the file /register. The manipulation leads to information exposure through error message. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-34704 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2016 and 2 more | 2025-08-27 | N/A | 4.7 MEDIUM |
| Windows Defender Credential Guard Information Disclosure Vulnerability | |||||
| CVE-2022-31674 | 1 Vmware | 1 Vrealize Operations | 2025-08-27 | N/A | 4.3 MEDIUM |
| VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can access log files that lead to information disclosure. | |||||
| CVE-2025-7874 | 1 Metasoft | 1 Metacrm | 2025-08-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in Metasoft 美特软件 MetaCRM up to 6.4.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /env.jsp. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-8519 | 1 Vvveb | 1 Vvveb | 2025-08-27 | 3.3 LOW | 2.7 LOW |
| A vulnerability classified as problematic has been found in givanz Vvveb up to 1.0.5. This affects an unknown part of the file /vadmin123/index.php?module=editor/editor of the component Drag-and-Drop Editor. The manipulation of the argument url leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.6 is able to address this issue. The identifier of the patch is f684f3e374d04db715730fc4796e102f5ebcacb2. It is recommended to upgrade the affected component. | |||||
| CVE-2015-8095 | 2 Drupal, Monster Menus Project | 2 Drupal, Monster Menus | 2025-08-27 | 5.0 MEDIUM | N/A |
| The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern. | |||||
| CVE-2024-32963 | 1 Navidrome | 1 Navidrome | 2025-08-26 | N/A | 4.2 MEDIUM |
| Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||