Total
305841 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5125 | 1 Lollms | 1 Lollms-webui | 2025-07-07 | N/A | 7.3 HIGH |
| parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. The Open Redirect vulnerability arises from insufficient URL validation within SVG files, enabling attackers to redirect users to malicious websites, thereby exposing them to phishing attacks, malware distribution, and reputation damage. These vulnerabilities are present in the application's functionality to send files to the AI module. | |||||
| CVE-2024-51459 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-07-07 | N/A | 8.4 HIGH |
| IBM InfoSphere Information Server 11.7 could allow a local user to execute privileged commands due to the improper handling of permissions. | |||||
| CVE-2024-46450 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2025-07-07 | N/A | 8.1 HIGH |
| Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass authentication via a crafted web request. | |||||
| CVE-2024-40503 | 1 Tenda | 2 Ax12, Ax12 Firmware | 2025-07-07 | N/A | 6.5 MEDIUM |
| An issue in Tenda AX12 v.16.03.49.18_cn+ allows a remote attacker to cause a denial of service via the Routing functionality and ICMP packet handling. | |||||
| CVE-2024-51477 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-07-07 | N/A | 4.3 MEDIUM |
| IBM InfoSphere Information Server 11.7 could allow an authenticated to obtain sensitive username information due to an observable response discrepancy. | |||||
| CVE-2024-48192 | 1 Tenda | 2 G3, G3 Firmware | 2025-07-07 | N/A | 8.0 HIGH |
| Tenda G3 v15.01.0.5(2848_755)_EN was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root | |||||
| CVE-2024-40412 | 1 Tenda | 2 Ax12, Ax12 Firmware | 2025-07-07 | N/A | 6.8 MEDIUM |
| Tenda AX12 v1.0 v22.03.01.46 contains a stack overflow in the deviceList parameter of the sub_42E410 function. | |||||
| CVE-2024-51568 | 1 Cyberpanel | 1 Cyberpanel | 2025-07-07 | N/A | 10.0 CRITICAL |
| CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters. | |||||
| CVE-2024-50983 | 1 Getflightpath | 1 Flightpath | 2025-07-07 | N/A | 5.4 MEDIUM |
| FlightPath 7.5 contains a Cross Site Scripting (XSS) vulnerability, which allows authenticated remote attackers with administrative rights to inject arbitrary JavaScript in the web browser of a user by including a malicious payload into the Last Name section in the Create/Edit Faculty/Staff User or Create/Edit Student User sections. | |||||
| CVE-2024-40515 | 1 Tenda | 2 Ax2 Pro, Ax2 Pro Firmware | 2025-07-07 | N/A | 9.8 CRITICAL |
| An issue in SHENZHEN TENDA TECHNOLOGY CO.,LTD Tenda AX2pro V16.03.29.48_cn allows a remote attacker to execute arbitrary code via the Routing functionality. | |||||
| CVE-2024-33365 | 1 Tenda | 2 Ac10, Ac10 Firmware | 2025-07-07 | N/A | 7.5 HIGH |
| Buffer Overflow vulnerability in Tenda AC10 v4 US_AC10V4.0si_V16.03.10.20_cn allows a remote attacker to execute arbitrary code via the Virtual_Data_Check function in the bin/httpd component. | |||||
| CVE-2024-6165 | 1 Wanotifier | 1 Wanotifier | 2025-07-07 | N/A | 4.8 MEDIUM |
| The WANotifier WordPress plugin before 2.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-29030 | 1 Usememos | 1 Memos | 2025-07-07 | N/A | 5.8 MEDIUM |
| memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable file. | |||||
| CVE-2024-8267 | 1 Softlabbd | 1 Radio Player | 2025-07-07 | N/A | 6.4 MEDIUM |
| The Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute within the 'wp:radio-player' Gutenberg block in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-5813 | 1 Suhailahmad64 | 1 Amazon Products To Woocommerce | 2025-07-07 | N/A | 5.3 MEDIUM |
| The Amazon Products to WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcta2w_get_amazon_product_callback() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to create new produces. | |||||
| CVE-2024-29028 | 1 Usememos | 1 Memos | 2025-07-07 | N/A | 5.8 MEDIUM |
| memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/httpmeta that allows unauthenticated users to enumerate the internal network and receive limited html values in json form. This vulnerability is fixed in 0.16.1. | |||||
| CVE-2024-11089 | 1 Tarassych | 1 Anonymous Restricted Content | 2025-07-07 | N/A | 5.3 MEDIUM |
| The Anonymous Restricted Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to logged-in users. | |||||
| CVE-2025-5932 | 1 Coolrunner | 1 Homerunner | 2025-07-07 | N/A | 4.3 MEDIUM |
| The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.29. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-1039 | 1 Wpmaspik | 1 Lenix Leads Collector | 2025-07-07 | N/A | 7.2 HIGH |
| The Lenix Elementor Leads addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a URL form field in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-4683 | 1 Inspireui | 1 Mstore Api | 2025-07-07 | N/A | 4.3 MEDIUM |
| The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts. | |||||