Total
298990 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5195 | 2025-06-12 | N/A | 4.3 MEDIUM | ||
| An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. It was possible for authenticated users to access arbitrary compliance frameworks, leading to unauthorized data disclosure. | |||||
| CVE-2025-41661 | 2025-06-12 | N/A | 8.8 HIGH | ||
| An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection in the Main Web Interface (endpoint event_mail_test). | |||||
| CVE-2025-6021 | 2025-06-12 | N/A | 7.5 HIGH | ||
| A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. | |||||
| CVE-2025-29756 | 2025-06-12 | N/A | N/A | ||
| SunGrow's back end users system iSolarCloud https://isolarcloud.com uses an MQTT service to transport data from the user's connected devices to the user's web browser. The MQTT server however did not have sufficient restrictions in place to limit the topics that a user could subscribe to. While the data that is transmitted through the MQTT server is encrypted and the credentials for the MQTT server are obtained though an API call, the credentials could be used to subscribe to any topic and the encryption key can be used to decrypt all messages received. An attack with an account on iSolarCloud.com could extract MQTT credentials and the decryption key from the browser and then use an external program to subscribe to the topic '#' and thus recieve all messages from all connected devices. | |||||
| CVE-2024-35295 | 2025-06-12 | N/A | 6.1 MEDIUM | ||
| A vulnerability has been identified in Perfect Harmony GH180 (All versions >= V8.0 < V8.3.3 with NXGPro+ controller manufactured between April 2020 to April 2025). The maintenance connection of affected devices fails to protect access to the device's control unit configuration. This could allow an attacker with physical access to the maintenance connection's door port to perform arbitrary configuration changes. | |||||
| CVE-2025-32711 | 2025-06-12 | N/A | 9.3 CRITICAL | ||
| Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2025-40914 | 2025-06-12 | N/A | 9.8 CRITICAL | ||
| Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow. CryptX embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328. | |||||
| CVE-2025-22874 | 2025-06-12 | N/A | 7.5 HIGH | ||
| Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. | |||||
| CVE-2025-5991 | 2025-06-12 | N/A | N/A | ||
| There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling, HTTP handling is not affected by this at all. This happens due to a race condition between how QHttp2Stream uploads the body of a POST request and the simultaneous handling of HTTP error responses. This issue only affects Qt 6.9.0 and has been fixed for Qt 6.9.1. | |||||
| CVE-2025-35978 | 2025-06-12 | N/A | 7.1 HIGH | ||
| Improper restriction of communication channel to intended endpoints issue exists in UpdateNavi V1.4 L10 to L33 and UpdateNaviInstallService Service 1.2.0091 to 1.2.0125. If a local authenticated attacker send malicious data, an arbitrary registry value may be modified or arbitrary code may be executed. | |||||
| CVE-2025-1698 | 2025-06-12 | N/A | 2.8 LOW | ||
| Null pointer exception vulnerabilities were reported in the fingerprint sensor service that could allow a local attacker to cause a denial of service. | |||||
| CVE-2025-1055 | 2025-06-12 | N/A | 5.6 MEDIUM | ||
| A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL requests to terminate a wide range of processes running with administrative or system-level privileges, with the exception of those inherently protected by the operating system. This flaw stems from missing access control in the driver's IOCTL handler, enabling unprivileged users to perform privileged actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical services or privileged applications. | |||||
| CVE-2025-4278 | 2025-06-12 | N/A | 8.7 HIGH | ||
| An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new search page could lead to account takeover. | |||||
| CVE-2025-40915 | 2025-06-12 | N/A | 7.0 HIGH | ||
| Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens. That version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function. | |||||
| CVE-2025-32433 | 2 Cisco, Erlang | 35 Cloud Native Broadband Network Gateway, Confd Basic, Enterprise Nfv Infrastructure Software and 32 more | 2025-06-12 | N/A | 10.0 CRITICAL |
| Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules. | |||||
| CVE-2024-8701 | 1 Snumb130 | 1 Events Calendar | 2025-06-12 | N/A | 4.8 MEDIUM |
| The events-calendar WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-8492 | 1 Wpmudev | 1 Hustle | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Hustle WordPress plugin through 7.8.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2024-8398 | 1 Philipwalton | 1 Simple Nav Archives | 2025-06-12 | N/A | 4.3 MEDIUM |
| The Simple Nav Archives WordPress plugin through 2.1.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-8397 | 1 Webtoffee | 1 Gdpr Cookie Consent | 2025-06-12 | N/A | 5.4 MEDIUM |
| The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious script is executed in the admin context. | |||||
| CVE-2024-8286 | 1 Webtoffee | 1 Gdpr Cookie Consent | 2025-06-12 | N/A | 6.5 MEDIUM |
| The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting visit logs via CSRF attacks | |||||