Total
298979 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4840 | 2025-06-12 | N/A | 7.5 HIGH | ||
| The inprosysmedia-likes-dislikes-post WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection | |||||
| CVE-2025-4577 | 2025-06-12 | N/A | 6.4 MEDIUM | ||
| The Smash Balloon Social Post Feed – Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-40625 | 2025-06-12 | N/A | 5.5 MEDIUM | ||
| GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no restrict. This vulnerability is fixed in 2.26.0. | |||||
| CVE-2025-43586 | 2025-06-12 | N/A | 8.1 HIGH | ||
| Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized elevated access. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-27206 | 2025-06-12 | N/A | 5.3 MEDIUM | ||
| Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-33070 | 2025-06-12 | N/A | 8.1 HIGH | ||
| Use of uninitialized resource in Windows Netlogon allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2025-48067 | 2025-06-12 | N/A | 5.4 MEDIUM | ||
| OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. This vulnerability is fixed in 1.11.2. | |||||
| CVE-2025-27817 | 2025-06-12 | N/A | 7.5 HIGH | ||
| A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url". Apache Kafka allows clients to read an arbitrary file and return the content in the error log, or sending requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url" configuratin to read arbitrary contents of the disk and environment variables or make requests to an unintended location. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products. Since Apache Kafka 3.9.1/4.0.0, we have added a system property ("-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls") to set the allowed urls in SASL JAAS configuration. In 3.9.1, it accepts all urls by default for backward compatibility. However in 4.0.0 and newer, the default value is empty list and users have to set the allowed urls explicitly. | |||||
| CVE-2025-32722 | 2025-06-12 | N/A | 5.5 MEDIUM | ||
| Improper access control in Windows Storage Port Driver allows an authorized attacker to disclose information locally. | |||||
| CVE-2025-24068 | 2025-06-12 | N/A | 5.5 MEDIUM | ||
| Buffer over-read in Windows Storage Management Provider allows an authorized attacker to disclose information locally. | |||||
| CVE-2025-36578 | 2025-06-12 | N/A | 6.8 MEDIUM | ||
| Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Incorrect Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | |||||
| CVE-2025-0051 | 2025-06-12 | N/A | N/A | ||
| Improper input validation performed during the authentication process of FlashArray could lead to a system Denial of Service. | |||||
| CVE-2025-43581 | 2025-06-12 | N/A | 7.8 HIGH | ||
| Substance3D - Sampler versions 5.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2025-22829 | 2025-06-12 | N/A | N/A | ||
| The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations. Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue. | |||||
| CVE-2025-47968 | 2025-06-12 | N/A | 7.8 HIGH | ||
| Improper input validation in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-47171 | 2025-06-12 | N/A | 6.7 MEDIUM | ||
| Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally. | |||||
| CVE-2025-47173 | 2025-06-12 | N/A | 7.8 HIGH | ||
| Improper input validation in Microsoft Office allows an unauthorized attacker to execute code locally. | |||||
| CVE-2025-47174 | 2025-06-12 | N/A | 7.8 HIGH | ||
| Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | |||||
| CVE-2025-47969 | 2025-06-12 | N/A | 4.4 MEDIUM | ||
| Exposure of sensitive information to an unauthorized actor in Windows Hello allows an authorized attacker to disclose information locally. | |||||
| CVE-2025-47172 | 2025-06-12 | N/A | 8.8 HIGH | ||
| Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||