Total: 300438 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2025-6512 | | | 2025-06-23 | N/A | 10.0 CRITICAL | A non-admin user on a client can embed a script in a report; the report can later be executed on the BRAIN2 server with administrator rights.
CVE-2025-52557 | | | 2025-06-23 | N/A | N/A | Mail-0's Zero is an open-source email solution. In version 0.8, improper sanitization lets an attacker craft an email that executes JavaScript, leading to session hijacking. This issue has been patched in version 0.81.
CVE-2025-6393 | | | 2025-06-23 | 9.0 HIGH | 8.8 HIGH | A vulnerability was found in TOTOLINK A702R, A3002R, A3002RU and EX1200T 3.0.0-B20230809.1615/4.0.0-B20230531.1404/4.0.0-B20230721.1521/4.1.2cu.5232_B20210713 and has been classified as critical. Affected is an unknown function of the file /boafrm/formIPv6Addr in the HTTP POST Request Handler component. Manipulation of the argument submit-url leads to a buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-4563 | | | 2025-06-23 | N/A | 2.7 LOW | A vulnerability in the NodeRestriction admission controller lets nodes bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller validates resource claim statuses during pod status updates but performs no equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
CVE-2025-6217 | | | 2025-06-23 | N/A | 3.8 LOW | PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of PEAK-System Driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the PCANFD_ADD_FILTERS IOCTL. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-24161.
CVE-2025-25037 | | | 2025-06-23 | N/A | N/A | An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.
CVE-2025-52488 | | | 2025-06-23 | N/A | 8.6 HIGH | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interactions to expose NTLM hashes to a third-party SMB server. This issue has been patched in version 10.0.1.
CVE-2025-27893 | 1 Archerirm | 1 Archer | 2025-06-23 | N/A | 1.8 LOW | In Archer Platform 6 through 6.14.00202.10024, an authenticated user with record creation privileges can manipulate immutable fields, such as the creation date, by intercepting and modifying a Copy request via a GenericContent/Record.aspx?id= URI. This enables unauthorized modification of system-generated metadata, compromising data integrity and potentially impacting auditing, compliance, and security controls.
CVE-2025-25908 | 1 Tianti Project | 1 Tianti | 2025-06-23 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in tianti v2.3 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the coverImageURL parameter at /article/ajax/save.
CVE-2024-55199 | 1 Celk | 1 Celk Saude | 2025-06-23 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in Celk Sistemas Celk Saude v.3.1.252.1 allows a remote attacker to store JavaScript code inside a PDF file through the file upload feature. When the file is rendered, the injected code is executed in the user's browser.
CVE-2024-53307 | 1 Evisions | 1 Maps | 2025-06-23 | N/A | 5.4 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in the /mw/ endpoint of Evisions MAPS v6.10.2.267 allows attackers to execute arbitrary script in the context of a user's browser by injecting a crafted payload.
CVE-2025-25940 | 1 Visicut | 1 Visicut | 2025-06-23 | N/A | 9.8 CRITICAL | VisiCut 2.1 allows code execution via insecure XML deserialization in the loadPlfFile method of VisicutModel.java.
CVE-2025-28197 | 1 Kidocode | 1 Crawl4ai | 2025-06-23 | N/A | 9.1 CRITICAL | Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py.
CVE-2025-3795 | 1 Daicuo | 1 Daicuo | 2025-06-23 | 3.3 LOW | 2.4 LOW | A vulnerability was found in DaiCuo 1.3.13 and has been rated as problematic. Affected by this issue is some unknown functionality of the SEO Optimization Settings Section component. The manipulation leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-25382 | 1 Ikm | 1 Sanchaya | 2025-06-23 | N/A | 7.5 HIGH | An issue in the Property Tax Payment Portal in Information Kerala Mission SANCHAYA v3.0.4 allows attackers to arbitrarily modify payment amounts via a crafted request.
CVE-2025-25620 | 1 Changeweb | 1 Unifiedtransform | 2025-06-23 | N/A | 5.4 MEDIUM | Unifiedtransform 2.0 is vulnerable to cross-site scripting (XSS) in the Create assignment function.
CVE-2024-53591 | 1 Seclore | 1 Seclore | 2025-06-23 | N/A | 9.8 CRITICAL | An issue in the login page of Seclore v3.27.5.0 allows attackers to bypass authentication via a brute-force attack.
CVE-2024-42733 | 1 Docmosis | 1 Tornado | 2025-06-23 | N/A | 9.8 CRITICAL | An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script supplied in the UNC path input.
CVE-2025-27190 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2025-06-23 | N/A | 5.3 MEDIUM | Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
CVE-2025-3577 | 1 Zyxel | 2 Amg1302-t10b, Amg1302-t10b Firmware | 2025-06-23 | N/A | 4.9 MEDIUM | **UNSUPPORTED WHEN ASSIGNED** A path traversal vulnerability in the web management interface of the Zyxel AMG1302-T10B firmware version 2.00(AAJC.16)C0 could allow an authenticated attacker with administrator privileges to access restricted directories by sending a crafted HTTP request to an affected device.
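The Crawl4AI entry (CVE-2025-28197) names the bug class, SSRF, but not the fix. The following is an added illustration of the control a crawler needs before it opens any connection on behalf of a user-supplied URL; it is example code written for this page, not Crawl4AI's code or its patch. It assumes the crawler can resolve the hostname itself and then connect to the vetted address, and it uses a constructed in-memory resolver so it runs offline.

```python
"""Outbound-fetch guard against SSRF (added example, not crawl4ai code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress.is_global already excludes loopback, RFC 1918, link-local
    (169.254.0.0/16, which holds the cloud metadata endpoint), CGNAT,
    IPv6 ULA and the unspecified address; multicast is excluded here
    explicitly. IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped so it
    cannot smuggle a private IPv4 address past the check.
    """
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_global and not addr.is_multicast


def vet_crawl_target(url: str, resolve=socket.getaddrinfo) -> list:
    """Validate a user-supplied URL before the crawler connects.

    Returns the vetted IP addresses; the caller should connect to one of
    those rather than re-resolving the name, so DNS rebinding cannot swap
    in an internal address after the check. Raises ValueError otherwise.
    `resolve` is injectable (getaddrinfo signature) for offline testing.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")

    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IP, no DNS needed
    except ValueError:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        infos = resolve(host, port, proto=socket.IPPROTO_TCP)
        ips = sorted({info[4][0] for info in infos})
    if not ips:
        raise ValueError(f"{host!r} did not resolve")

    # Every answer must be public: a name that returns one public and one
    # private address is rejected outright, not filtered.
    for ip in ips:
        if not is_public_address(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return ips


def is_safe_target(url: str, resolve=socket.getaddrinfo) -> bool:
    """Boolean wrapper around vet_crawl_target."""
    try:
        vet_crawl_target(url, resolve)
        return True
    except ValueError:
        return False


# Constructed resolver so the example runs without real DNS.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.7"],   # mixed answers
}


def fake_resolve(host, port, proto=0):
    """Mimics the shape of socket.getaddrinfo's return value."""
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
            for ip in FAKE_DNS.get(host, [])]


if __name__ == "__main__":
    for u in ("http://public.example/page",
              "http://rebind.example/",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/",
              "file:///etc/passwd"):
        verdict = "allowed" if is_safe_target(u, fake_resolve) else "blocked"
        print(f"{u:45} -> {verdict}")
```

The check has to be repeated for every redirect target, and the HTTP client must connect to the returned address while still sending the original Host header and TLS SNI; validating the URL string alone and then letting the client resolve it again reopens the rebinding window.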
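Two entries above, the DNN NTLM hash exposure to a third-party SMB server (CVE-2025-52488) and the Docmosis Tornado UNC path input (CVE-2024-42733), share a root cause class: user input that is allowed to name a remote host the server will then open, and authenticate to, as a file path. The page does not describe either product's code or fix, so the following is an added, generic example of the control, written for this page in Python with Windows path semantics (PureWindowsPath), not either vendor's code. The base directory and file names are assumptions.

```python
"""Confining a user-supplied file path (added example, not DNN or Docmosis code)."""
from pathlib import PureWindowsPath


def safe_join(base_dir: str, user_path: str) -> str:
    """Join user_path under base_dir using Windows path semantics.

    Rejects anything that could make the server open a remote share
    (UNC \\\\server\\share, the \\\\?\\ and \\\\.\\ device prefixes, file:
    URLs), anything absolute or drive-qualified, and any traversal out
    of base_dir. Returns the confined path; raises ValueError otherwise.
    """
    if not user_path or not user_path.strip():
        raise ValueError("empty path")
    # Windows accepts '/' as a separator, so //server/share is a UNC path too.
    normalized = user_path.replace("/", "\\")
    if normalized.startswith("\\\\"):
        raise ValueError("UNC or device path rejected")
    candidate = PureWindowsPath(normalized)
    if candidate.drive or candidate.root:
        raise ValueError("absolute or drive-qualified path rejected")
    # A ':' in any component is a drive letter, a URL scheme (file:) or an
    # NTFS alternate data stream; none belongs in a user-chosen file name.
    if any(":" in part for part in candidate.parts):
        raise ValueError("colon in path component rejected")
    if any(part == ".." for part in candidate.parts):
        raise ValueError("path traversal rejected")
    return str(PureWindowsPath(base_dir) / candidate)


def is_accepted(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around safe_join."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    base = r"C:\data\templates"          # assumed template root
    for p in (r"reports\q1.docx",
              r"\\attacker.example\share\evil.docx",
              "//attacker.example/share/evil.docx",
              r"\\?\UNC\attacker.example\share\x",
              "file://attacker.example/share/x",
              r"..\..\secrets.txt",
              r"C:\Windows\win.ini"):
        try:
            print(f"{p:45} -> {safe_join(base, p)}")
        except ValueError as e:
            print(f"{p:45} -> rejected ({e})")
```

The allow-list shape matters: the function accepts only a relative path made of plain components and builds the final path itself, instead of trying to enumerate the UNC spellings an attacker might use. On a server that also renders user-supplied URLs or images, the same rule applies to every field that ends up as a filesystem or SMB destination.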