Total
347 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-40126 | 1 Clash Project | 1 Clash | 2025-05-21 | N/A | 7.8 HIGH |
| A misconfiguration in the Service Mode profile directory of Clash for Windows v0.19.9 allows attackers to escalate privileges and execute arbitrary commands when Service Mode is activated. | |||||
| CVE-2022-3287 | 1 Fwupd | 1 Fwupd | 2025-05-20 | N/A | 6.5 MEDIUM |
| When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file. | |||||
| CVE-2023-45160 | 1 1e | 1 Client | 2025-05-20 | N/A | 8.8 HIGH |
| In the affected version of the 1E Client, an ordinary user could subvert downloaded instruction resource files, e.g., to substitute a harmful script. by replacing a resource script file created by an instruction at run time with a malicious script. The 1E Client's temporary directory is now locked down in the released patch. Resolution: This has been fixed in patch Q23094 This issue has also been fixed in the Mac Client in updated versions of Non-Windows release v8.1.2.62 - please re-download from the 1E Support site. Customers with Mac Client versions higher than v8.1 will need to upgrade to v23.11 to remediate this vulnerability. | |||||
| CVE-2023-38952 | 1 Zkteco | 1 Biotime | 2025-05-19 | N/A | 7.5 HIGH |
| Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints. | |||||
| CVE-2025-21264 | 1 Microsoft | 1 Visual Studio Code | 2025-05-19 | N/A | 7.1 HIGH |
| Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally. | |||||
| CVE-2025-32819 | 1 Sonicwall | 12 Sma 100, Sma 100 Firmware, Sma 200 and 9 more | 2025-05-19 | N/A | 8.8 HIGH |
| A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. | |||||
| CVE-2025-4909 | 2025-05-19 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability classified as critical was found in SourceCodester Client Database Management System 1.0. This vulnerability affects unknown code. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4807 | 2025-05-19 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. This affects an unknown part. The manipulation leads to exposure of information through directory listing. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-22240 | 1 Vmware | 1 Aria Operations For Networks | 2025-05-15 | N/A | 4.9 MEDIUM |
| Aria Operations for Networks contains a local file read vulnerability. A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information. | |||||
| CVE-2025-2651 | 1 Oretnom23 | 1 Online Eyewear Shop | 2025-05-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /oews/admin/. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected. | |||||
| CVE-2022-42234 | 1 Ucms Project | 1 Ucms | 2025-05-14 | N/A | 8.8 HIGH |
| There is a file inclusion vulnerability in the template management module in UCMS 1.6 | |||||
| CVE-2025-21609 | 1 B3log | 1 Siyuan | 2025-05-14 | N/A | 9.1 CRITICAL |
| SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19. | |||||
| CVE-2024-45627 | 1 Apache | 1 Linkis | 2025-05-13 | N/A | 5.9 MEDIUM |
| In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.7.0 will be affected. We recommend users upgrade the version of Linkis to version 1.7.0. | |||||
| CVE-2025-2038 | 1 Code-projects | 1 Blood Bank Management System | 2025-05-13 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /upload/. The manipulation leads to exposure of information through directory listing. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-2834 | 1 Helpful Project | 1 Helpful | 2025-05-13 | N/A | 5.3 MEDIUM |
| The Helpful WordPress plugin before 4.5.26 puts the exported logs and feedbacks in a publicly accessible location and guessable names, which could allow attackers to download them and retrieve sensitive information such as IP, Names and Email Address depending on the plugin's settings | |||||
| CVE-2024-57452 | 1 1000mz | 1 Chestnutcms | 2025-05-13 | N/A | 7.5 HIGH |
| ChestnutCMS <=1.5.0 has an arbitrary file deletion vulnerability in contentcore.controller.FileController, which allows attackers to delete any file and folder. | |||||
| CVE-2024-4981 | 2025-05-13 | N/A | 7.6 HIGH | ||
| A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally show incorporate and make visible content from outside the git repo. | |||||
| CVE-2024-4098 | 1 Datenverwurstungszentrale | 1 Shariff Wrapper | 2025-05-09 | N/A | 9.8 CRITICAL |
| The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6.13 via the shariff3uu_fetch_sharecounts function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2022-43414 | 1 Jenkins | 1 Nunit | 2025-05-08 | N/A | 5.3 MEDIUM |
| Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller. | |||||
| CVE-2022-23738 | 1 Github | 1 Enterprise Server | 2025-05-06 | N/A | 5.7 MEDIUM |
| An improper cache key vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to access private repository files through a public repository. To exploit this, an actor would need to already be authorized on the GitHub Enterprise Server instance, be able to create a public repository, and have a site administrator visit a specially crafted URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.6 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program. | |||||