Total
301191 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-28201 | 1 Govicture | 2 Rx1800, Rx1800 Firmware | 2025-06-12 | N/A | 6.8 MEDIUM |
| An issue in Victure RX1800 EN_V1.0.0_r12_110933 allows physically proximate attackers to execute arbitrary code or gain root access. | |||||
| CVE-2024-8702 | 1 Wpproking | 1 Backup Database | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Backup Database WordPress plugin through 4.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-32407 | 1 Samsung | 1 Internet | 2025-06-12 | N/A | 5.9 MEDIUM |
| Samsung Internet for Galaxy Watch version 5.0.9, available up until Samsung Galaxy Watch 3, does not properly validate TLS certificates, allowing for an attacker to impersonate any and all websites visited by the user. This is a critical misconfiguration in the way the browser validates the identity of the server. It negates the use of HTTPS as a secure channel, allowing for Man-in-the-Middle attacks, stealing sensitive information or modifying incoming and outgoing traffic. NOTE: This vulnerability is in an end-of-life product that is no longer maintained by the vendor. | |||||
| CVE-2025-4190 | 1 Aleapp | 1 Csv Mass Importer | 2025-06-12 | N/A | 7.2 HIGH |
| The CSV Mass Importer WordPress plugin through 1.2 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup) | |||||
| CVE-2025-48187 | 1 Infiniflow | 1 Ragflow | 2025-06-12 | N/A | 9.1 CRITICAL |
| RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting. | |||||
| CVE-2025-47273 | 2 Debian, Python | 2 Debian Linux, Setuptools | 2025-06-12 | N/A | 8.8 HIGH |
| setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue. | |||||
| CVE-2025-28202 | 1 Govicture | 2 Rx1800, Rx1800 Firmware | 2025-06-12 | N/A | 8.8 HIGH |
| Incorrect access control in Victure RX1800 EN_V1.0.0_r12_110933 allows attackers to enable SSH and Telnet services without authentication. | |||||
| CVE-2025-47945 | 1 Donetick | 1 Donetick | 2025-06-12 | N/A | 9.1 CRITICAL |
| Donetick an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing secret has a weak default value. While the responsibility is left to the system administrator to change it, this approach is inadequate. The vulnerability is proven by existence of the issue in the live version as well. This issue can result in full account takeover of any user. Version 0.1.44 contains a patch. | |||||
| CVE-2025-4863 | 1 Advayasoftech | 1 Gems Erp Portal | 2025-06-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in Advaya Softech GEMS ERP Portal 2.1. This affects an unknown part of the file /studentLogin/studentLogin.action. The manipulation of the argument userId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4866 | 1 Weibo | 1 Rill-flow | 2025-06-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in weibocom rill-flow 0.1.18. It has been classified as critical. Affected is an unknown function of the component Management Console. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4871 | 1 Pcman | 1 Ftp Server | 2025-06-12 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability, which was classified as critical, has been found in PCMan FTP Server 2.0.7. This issue affects some unknown processing of the component REST Command Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4872 | 1 Freefloat | 1 Ftp Server | 2025-06-12 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability, which was classified as critical, was found in FreeFloat FTP Server 1.0. Affected is an unknown function of the component CCC Command Handler. The manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4905 | 1 Washington | 1 Basestation | 2025-06-12 | 4.3 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic. This issue affects the function load_qc_pickl of the file basestation3/QC.py. The manipulation of the argument qc_file leads to deserialization. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The code maintainer tagged the issue as closed. But there is no new commit nor release in the GitHub repository available so far. | |||||
| CVE-2025-28371 | 1 Engeniustech | 2 Enh500, Enh500 Firmware | 2025-06-12 | N/A | 6.5 MEDIUM |
| EnGenius ENH500 AP 2T2R V3.0 FW3.7.22 is vulnerable to Incorrect Access Control via the password change function. The device fails to validate the current password, allowing an attacker to submit a password change request with an invalid current password and set a new password. | |||||
| CVE-2025-44108 | 1 Flatpress | 1 Flatpress | 2025-06-12 | N/A | 4.8 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability exists in the administration panel of Flatpress CMS before 1.4 via the gallery captions component. An attacker with admin privileges can inject a malicious JavaScript payload into the system, which is then stored persistently. | |||||
| CVE-2024-55063 | 1 Easyvirt | 1 Dc Netscope | 2025-06-12 | N/A | 8.8 HIGH |
| Multiple Code Injection vulnerabilities in EasyVirt DC NetScope <= 8.7.0 allows remote authenticated attackers to execute arbitrary code via the (1) lang parameter to /international/keyboard/options; the (2) keyboard_layout or (3) keyboard_variant parameter to /international/settings/keyboard; the (4) timezone parameter to /international/settings/timezone. | |||||
| CVE-2025-30072 | 1 Tiiwee | 2 Twx1hakv2, Twx1hakv2 Firmware | 2025-06-12 | N/A | 7.6 HIGH |
| Tiiwee X1 Alarm System TWX1HAKV2 allows Authentication Bypass by Capture-replay, leading to physical Access to the protected facilities without triggering an alarm. | |||||
| CVE-2025-3908 | 2 Linux, Openvpn | 2 Linux Kernel, Openvpn3linux | 2025-06-12 | N/A | 6.2 MEDIUM |
| The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory which will change the ownership and permissions of that destination directory. | |||||
| CVE-2025-28203 | 1 Govicture | 2 Rx1800, Rx1800 Firmware | 2025-06-12 | N/A | 8.8 HIGH |
| Victure RX1800 EN_V1.0.0_r12_110933 was discovered to contain a command injection vulnerability. | |||||
| CVE-2025-43714 | 1 Openai | 1 Chatgpt | 2025-06-12 | N/A | 6.5 MEDIUM |
| The ChatGPT system through 2025-03-30 performs inline rendering of SVG documents (instead of, for example, rendering them as text inside a code block), which enables HTML injection within most modern graphical web browsers. | |||||