Total
32090 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-3164 | 1 Dotcms | 1 Dotcms | 2025-06-27 | N/A | 4.5 MEDIUM |
| In dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, is accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not a system admin, should not have access to the System Maintenance → Tools portlet. This would share database username and password under Log Files and download DB Dump and other dotCMS Content under Tools. Nothing in the System → Maintenance should be displayed for users with site admin role. Only system admins must have access to System Maintenance. OWASP Top 10 - A01) Broken Access Control OWASP Top 10 - A04) Insecure Design | |||||
| CVE-2019-15024 | 1 Clickhouse | 1 Clickhouse | 2025-06-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| In all versions of ClickHouse before 19.14.3, an attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica will fetch data part from the malicious replica, it can force clickhouse-server to write to arbitrary path on filesystem. | |||||
| CVE-2025-0289 | 1 Paragon-software | 6 Paragon Backup \& Recovery, Paragon Disk Wiper, Paragon Drive Copy and 3 more | 2025-06-25 | N/A | 7.8 HIGH |
| Various Paragon Software products contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, which can allows an attacker the ability to compromise the service. | |||||
| CVE-2025-0288 | 1 Paragon-software | 6 Paragon Backup \& Recovery, Paragon Disk Wiper, Paragon Drive Copy and 3 more | 2025-06-25 | N/A | 7.8 HIGH |
| Various Paragon Software products contain an arbitrary kernel memory vulnerability within biontdrv.sys, facilitated by the memmove function, which does not validate or sanitize user controlled input, allowing an attacker the ability to write arbitrary kernel memory and perform privilege escalation. | |||||
| CVE-2023-40440 | 1 Apple | 1 Macos | 2025-06-25 | N/A | 7.5 HIGH |
| This issue was addressed with improved state management of S/MIME encrypted emails. This issue is fixed in macOS Monterey 12.6.8. A S/MIME encrypted email may be inadvertently sent unencrypted. | |||||
| CVE-2022-30197 | 1 Microsoft | 5 Windows 10, Windows 11, Windows Server 2016 and 2 more | 2025-06-24 | N/A | 5.5 MEDIUM |
| Windows Kernel Information Disclosure Vulnerability | |||||
| CVE-2022-30194 | 1 Microsoft | 10 Windows 10, Windows 11, Windows 7 and 7 more | 2025-06-24 | N/A | 7.5 HIGH |
| Windows WebBrowser Control Remote Code Execution Vulnerability | |||||
| CVE-2022-30176 | 1 Microsoft | 1 Azure Real Time Operating System Guix Studio | 2025-06-24 | N/A | 7.8 HIGH |
| Azure RTOS GUIX Studio Remote Code Execution Vulnerability | |||||
| CVE-2022-30175 | 1 Microsoft | 1 Azure Real Time Operating System Guix Studio | 2025-06-24 | N/A | 7.8 HIGH |
| Azure RTOS GUIX Studio Remote Code Execution Vulnerability | |||||
| CVE-2022-44794 | 1 Objectfirst | 1 Ootbi | 2025-06-24 | N/A | 8.8 HIGH |
| An issue was discovered in Object First Ootbi BETA build 1.0.7.712. Management protocol has a flow which allows a remote attacker to execute arbitrary Bash code with root privileges. The command that sets the hostname doesn't validate input parameters. As a result, arbitrary data goes directly to the Bash interpreter. An attacker would need credentials to exploit this vulnerability. This is fixed in Object First Ootbi BETA build 1.0.13.1611. | |||||
| CVE-2024-11698 | 2 Apple, Mozilla | 3 Macos, Firefox, Thunderbird | 2025-06-24 | N/A | 9.8 CRITICAL |
| A flaw in handling fullscreen transitions may have inadvertently caused the application to become stuck in fullscreen mode when a modal dialog was opened during the transition. This issue left users unable to exit fullscreen mode using standard actions like pressing "Esc" or accessing right-click menus, resulting in a disrupted browsing experience until the browser is restarted. *This bug only affects the application when running on macOS. Other operating systems are unaffected.* This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. | |||||
| CVE-2024-31483 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2025-06-24 | N/A | 4.9 MEDIUM |
| An authenticated sensitive information disclosure vulnerability exists in the CLI service accessed via the PAPI protocol. Successful exploitation of this vulnerability results in the ability to read arbitrary files in the underlying operating system. | |||||
| CVE-2024-11184 | 1 Wp Enable Svg Project | 1 Wp Enable Svg | 2025-06-24 | N/A | 4.8 MEDIUM |
| The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing for authors and above to upload SVGs containing malicious scripts | |||||
| CVE-2024-8789 | 1 Lunary | 1 Lunary | 2025-06-23 | N/A | 7.5 HIGH |
| Lunary-ai/lunary version git 105a3f6 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The application allows users to upload their own regular expressions, which are then executed on the server side. Certain regular expressions can have exponential runtime complexity relative to the input size, leading to potential denial of service. An attacker can exploit this by submitting a specially crafted regular expression, causing the server to become unresponsive for an arbitrary length of time. | |||||
| CVE-2025-26413 | 1 Apache | 1 Kvrocks | 2025-06-23 | N/A | 7.5 HIGH |
| Improper Input Validation vulnerability in Apache Kvrocks. The SETRANGE command didn't check if the `offset` input is a positive integer and use it as an index of a string. So it will cause the server to crash due to its index is out of range. This issue affects Apache Kvrocks: through 2.11.1. Users are recommended to upgrade to version 2.12.0, which fixes the issue. | |||||
| CVE-2023-52722 | 1 Artifex | 1 Ghostscript | 2025-06-23 | N/A | 5.5 MEDIUM |
| An issue was discovered in Artifex Ghostscript before 10.03.1. psi/zmisc1.c, when SAFER mode is used, allows eexec seeds other than the Type 1 standard. | |||||
| CVE-2025-30721 | 1 Oracle | 1 Mysql Server | 2025-06-23 | N/A | 4.0 MEDIUM |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H). | |||||
| CVE-2019-2483 | 1 Oracle | 1 Istore | 2025-06-23 | N/A | 8.2 HIGH |
| Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: Shopping Cart). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 and 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). | |||||
| CVE-2025-2558 | 1 The Wound Project | 1 The Wound | 2025-06-23 | N/A | 8.6 HIGH |
| The-wound WordPress theme through 0.0.1 does not validate some parameters before using them to generate paths passed to include function/s, allowing unauthenticated users to perform LFI attacks and download arbitrary file from the server | |||||
| CVE-2025-29976 | 1 Microsoft | 1 Sharepoint Server | 2025-06-23 | N/A | 7.8 HIGH |
| Improper privilege management in Microsoft Office SharePoint allows an authorized attacker to elevate privileges locally. | |||||