Total
298983 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3052 | 2025-06-12 | N/A | 8.2 HIGH | ||
| An arbitrary write vulnerability in Microsoft signed UEFI firmware allows for code execution of untrusted software. This allows an attacker to control its value, leading to arbitrary memory writes, including modification of critical firmware settings stored in NVRAM. Exploiting this vulnerability could enable security bypasses, persistence mechanisms, or full system compromise. | |||||
| CVE-2025-36574 | 2025-06-12 | N/A | 8.2 HIGH | ||
| Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Absolute Path Traversal vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure and Unauthorized access. | |||||
| CVE-2025-49146 | 2025-06-12 | N/A | 8.2 HIGH | ||
| pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7. | |||||
| CVE-2025-4315 | 2025-06-12 | N/A | 8.8 HIGH | ||
| The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.23. This is due to the plugin allowing a user to update arbitrary user meta through the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. | |||||
| CVE-2025-5687 | 2025-06-12 | N/A | 7.8 HIGH | ||
| A vulnerability in Mozilla VPN on macOS allows privilege escalation from a normal user to root. *This bug only affects Mozilla VPN on macOS. Other operating systems are unaffected.* This vulnerability affects Mozilla VPN 2.28.0 < (macOS). | |||||
| CVE-2025-41662 | 2025-06-12 | N/A | 8.8 HIGH | ||
| An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection in the Main Web Interface (endpoint tls_iotgen_setting). | |||||
| CVE-2025-4613 | 2025-06-12 | N/A | N/A | ||
| Path traversal in Google Web Designer's template handling versions prior to 16.3.0.0407 on Windows allows attacker to achieve remote code execution by tricking users into downloading a malicious ad template | |||||
| CVE-2024-56158 | 2025-06-12 | N/A | N/A | ||
| XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16. | |||||
| CVE-2025-0163 | 2025-06-12 | N/A | 5.3 MEDIUM | ||
| IBM Security Verify Access Appliance and Docker 10.0 through 10.0.8 could allow a remote attacker to enumerate usernames due to an observable response discrepancy of disabled accounts. | |||||
| CVE-2025-4605 | 2025-06-12 | N/A | 5.5 MEDIUM | ||
| A maliciously crafted .usdc file, when loaded through Autodesk Maya, can force an uncontrolled memory allocation vulnerability. A malicious actor may leverage this vulnerability to cause a denial-of-service (DoS), or cause data corruption. | |||||
| CVE-2025-1478 | 2025-06-12 | N/A | 6.5 MEDIUM | ||
| An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in Board Names could be used to trigger a denial of service. | |||||
| CVE-2025-49189 | 2025-06-12 | N/A | 5.3 MEDIUM | ||
| The HttpOnlyflag of the session cookie \"@@\" is set to false. Since this flag helps preventing access to cookies via client-side scripts, setting the flag to false can lead to a higher possibility of Cross-Side-Scripting attacks which target the stored cookies. | |||||
| CVE-2025-49199 | 2025-06-12 | N/A | 8.8 HIGH | ||
| The backup ZIPs are not signed by the application, leading to the possibility that an attacker can download a backup ZIP, modify and re-upload it. This allows the attacker to disrupt the application by configuring the services in a way that they are unable to run, making the application unusable. They can redirect traffic that is meant to be internal to their own hosted services and gathering information. | |||||
| CVE-2025-30085 | 2025-06-12 | N/A | N/A | ||
| Remote code execution vulnerability in RSForm!pro component 3.0.0 - 3.3.14 for Joomla was discovered. The issue occurs within the submission export feature and requires administrative access to the export feature. | |||||
| CVE-2025-49200 | 2025-06-12 | N/A | 6.5 MEDIUM | ||
| The created backup files are unencrypted, making the application vulnerable for gathering sensitive information by downloading and decompressing the backup files. | |||||
| CVE-2025-49190 | 2025-06-12 | N/A | 4.3 MEDIUM | ||
| The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports. | |||||
| CVE-2025-4973 | 2025-06-12 | N/A | 9.8 CRITICAL | ||
| The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. This is due to the plugin not properly verifying a user's identity prior to logging them in when verifying an account with an email address. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they know user's email address. This is only exploitable fi the user's confirmation_key has not already been set by the plugin. | |||||
| CVE-2025-49198 | 2025-06-12 | N/A | 3.1 LOW | ||
| The Media Server’s authorization tokens have a poor quality of randomness. An attacker may be able to guess the token of an active user by computing plausible tokens. | |||||
| CVE-2025-49148 | 2025-06-12 | N/A | 7.3 HIGH | ||
| ClipShare is a lightweight and cross-platform tool for clipboard sharing. Prior to 3.8.5, ClipShare Server for Windows uses the default Windows DLL search order and loads system libraries like CRYPTBASE.dll and WindowsCodecs.dll from its own directory before the system path. A local, non-privileged user who can write to the folder containing clip_share.exe can place malicious DLLs there, leading to arbitrary code execution in the context of the server, and, if launched by an Administrator (or another elevated user), it results in a reliable local privilege escalation. This vulnerability is fixed in 3.8.5. | |||||
| CVE-2025-4275 | 2025-06-12 | N/A | 7.8 HIGH | ||
| Running the provided utility changes the certificate on any Insyde BIOS and then the attached .efi file can be launched. | |||||