Vulnerabilities (CVE)

Total 300438 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-6512 2025-06-23 N/A 10.0 CRITICAL
On a client with a non-admin user, a script can be integrated into a report. The reports could later be executed on the BRAIN2 server with administrator rights.
CVE-2025-52557 2025-06-23 N/A N/A
Mail-0's Zero is an open-source email solution. In version 0.8 it's possible for an attacker to craft an email that executes javascript leading to session hijacking due to improper sanitization. This issue has been patched in version 0.81.
CVE-2025-6393 2025-06-23 9.0 HIGH 8.8 HIGH
A vulnerability was found in TOTOLINK A702R, A3002R, A3002RU and EX1200T 3.0.0-B20230809.1615/4.0.0-B20230531.1404/4.0.0-B20230721.1521/4.1.2cu.5232_B20210713. It has been classified as critical. Affected is an unknown function of the file /boafrm/formIPv6Addr of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-4563 2025-06-23 N/A 2.7 LOW
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
CVE-2025-6217 2025-06-23 N/A 3.8 LOW
PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of PEAK-System Driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the PCANFD_ADD_FILTERS IOCTL. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-24161.
CVE-2025-25037 2025-06-23 N/A N/A
An information disclosure vulnerability exists in Aquatronica Controller System firmware versions <= 5.1.6 and web interface versions <= 2.0. The tcp.php endpoint fails to restrict unauthenticated access, allowing remote attackers to issue crafted POST requests and retrieve sensitive configuration data, including plaintext administrative credentials. Exploitation of this flaw can lead to full compromise of the system, enabling unauthorized manipulation of connected devices and aquarium parameters.
CVE-2025-52488 2025-06-23 N/A 8.6 HIGH
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.
CVE-2025-27893 1 Archerirm 1 Archer 2025-06-23 N/A 1.8 LOW
In Archer Platform 6 through 6.14.00202.10024, an authenticated user with record creation privileges can manipulate immutable fields, such as the creation date, by intercepting and modifying a Copy request via a GenericContent/Record.aspx?id= URI. This enables unauthorized modification of system-generated metadata, compromising data integrity and potentially impacting auditing, compliance, and security controls.
CVE-2025-25908 1 Tianti Project 1 Tianti 2025-06-23 N/A 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability in tianti v2.3 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the coverImageURL parameter at /article/ajax/save.
CVE-2024-55199 1 Celk 1 Celk Saude 2025-06-23 N/A 5.4 MEDIUM
A Stored Cross Site Scripting (XSS) vulnerability in Celk Sistemas Celk Saude v.3.1.252.1 allows a remote attacker to store JavaScript code inside a PDF file through the file upload feature. When the file is rendered, the injected code is executed on the user's browser.
CVE-2024-53307 1 Evisions 1 Maps 2025-06-23 N/A 5.4 MEDIUM
A reflected cross-site scripting (XSS) vulnerability in the /mw/ endpoint of Evisions MAPS v6.10.2.267 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
CVE-2025-25940 1 Visicut 1 Visicut 2025-06-23 N/A 9.8 CRITICAL
VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java.
CVE-2025-28197 1 Kidocode 1 Crawl4ai 2025-06-23 N/A 9.1 CRITICAL
Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py.
CVE-2025-3795 1 Daicuo 1 Daicuo 2025-06-23 3.3 LOW 2.4 LOW
A vulnerability was found in DaiCuo 1.3.13. It has been rated as problematic. Affected by this issue is some unknown functionality of the component SEO Optimization Settings Section. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-25382 1 Ikm 1 Sanchaya 2025-06-23 N/A 7.5 HIGH
An issue in the Property Tax Payment Portal in Information Kerala Mission SANCHAYA v3.0.4 allows attackers to arbitrarily modify payment amounts via a crafted request.
CVE-2025-25620 1 Changeweb 1 Unifiedtransform 2025-06-23 N/A 5.4 MEDIUM
Unifiedtransform 2.0 is vulnerable to Cross Site Scripting (XSS) in the Create assignment function.
CVE-2024-53591 1 Seclore 1 Seclore 2025-06-23 N/A 9.8 CRITICAL
An issue in the login page of Seclore v3.27.5.0 allows attackers to bypass authentication via a brute force attack.
CVE-2024-42733 1 Docmosis 1 Tornado 2025-06-23 N/A 9.8 CRITICAL
An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script to the UNC path input
CVE-2025-27190 1 Adobe 3 Commerce, Commerce B2b, Magento 2025-06-23 N/A 5.3 MEDIUM
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
CVE-2025-3577 1 Zyxel 2 Amg1302-t10b, Amg1302-t10b Firmware 2025-06-23 N/A 4.9 MEDIUM
**UNSUPPORTED WHEN ASSIGNED** A path traversal vulnerability in the web management interface of the Zyxel AMG1302-T10B firmware version 2.00(AAJC.16)C0 could allow an authenticated attacker with administrator privileges to access restricted directories by sending a crafted HTTP request to an affected device.