CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-24673 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files w... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-24672 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students ... | 7.3 | HIGH | β | 0 |
| CVE-2026-24671 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-priv... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-24670 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create ne... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24669 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid pas... | 7.8 | HIGH | β | 0 |
| CVE-2026-24668 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add conte... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24667 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existi... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-24666 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-24665 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students ... | 8.7 | HIGH | β | 0 |
| CVE-2026-24664 The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identif... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-22228 An authenticated user with high privileges may trigger a denialβofβservice condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Re... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-22220 A lack of proper input validation in the HTTP processing path in TP-Link Archer BE230 v1.2 (web modules) may allow a crafted request to cause the deviceβs web service to become unresponsive, resulting... | 4.5 | MEDIUM | β | 0 |
| CVE-2025-71179 Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bund... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-70849 Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-70841 Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed... | 10.0 | CRITICAL | β | 0 |
| CVE-2025-70758 chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.p... | 7.5 | HIGH | β | 0 |
| CVE-2025-70560 Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attac... | 8.4 | HIGH | β | 0 |
| CVE-2025-70559 pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An att... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-70311 JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters in the /systemControl.do interface for attack. | 6.5 | MEDIUM | β | 0 |
| CVE-2025-69983 FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attac... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-69981 FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbi... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-69971 FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forg... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-69970 FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with aut... | 9.3 | CRITICAL | β | 0 |
| CVE-2025-69875 A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged... | 7.8 | HIGH | β | 0 |
| CVE-2025-69848 NetBox is an open-source infrastructure resource modeling and IP address management platform. A reflected cross-site scripting (XSS) vulnerability exists in versions 2.11.0 through 3.7.x in the Protec... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-69431 The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into ... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-69430 An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (versi... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-69429 The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. Attackers can ... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-67189 A buffer overflow vulnerability exists in the setParentalRules interface of TOTOLINK A950RG V4.1.2cu.5204_B20210112. The urlKeyword parameter is not properly validated, and the function concatenates m... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-67188 A buffer overflow vulnerability exists in TOTOLINK A950RG V4.1.2cu.5204_B20210112. The issue resides in the setRadvdCfg interface of the /lib/cste_modules/ipv6.so module. The function fails to properl... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-67187 A stack-based buffer overflow vulnerability was identified in TOTOLINK A950RG V4.1.2cu.5204_B20210112. The flaw exists in the setIpQosRules interface of /lib/cste_modules/firewall.so where the comment... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-67186 TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a buffer overflow vulnerability in the setUrlFilterRules interface of /lib/cste_modules/firewall.so. The vulnerability occurs because the `url` paramet... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-66374 CyberArk Endpoint Privilege Manager Agent through 25.10.0 allows a local user to achieve privilege escalation through policy elevation of an Administration task. | 7.8 | HIGH | β | 0 |
| CVE-2025-65924 ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML i... | 4.1 | MEDIUM | β | 0 |
| CVE-2025-65923 A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious J... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-65875 An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file. | 8.8 | HIGH | β | 0 |
| CVE-2025-63624 SQL Injection vulnerability in Shandong Kede Electronics Co., Ltd IoT smart water meter monitoring platform v.1.0 allows a remote attacker to execute arbitrary code via the imei_list.aspx file. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-63372 Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for ... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-62599 eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode... | 8.6 | HIGH | β | 0 |
| CVE-2025-61506 An issue was discovered in MediaCrush thru 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-60865 Insecure Permissions vulnerability in avanquest Driver Updater v.9.1.57803.1174 allows a local attacker to escalate privileges via the Driver Updater Service windows component. | 7.8 | HIGH | β | 0 |
| CVE-2025-59439 An issue was discovered in Samsung Mobile Processor, Wearable Processor and Modem Exynos 980, 990, 850, 1080, 9110, W920, W930, W1000 and Modem 5123. Incorrect handling of NAS Registration messages le... | 7.5 | HIGH | β | 0 |
| CVE-2025-58348 An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allo... | 5.5 | MEDIUM | β | 0 |
| CVE-2025-58347 An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allo... | 5.5 | MEDIUM | β | 0 |
| CVE-2025-58346 An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allo... | 5.5 | MEDIUM | β | 0 |
| CVE-2025-58345 An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allo... | 5.5 | MEDIUM | β | 0 |
| CVE-2025-58344 An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allo... | 6.2 | MEDIUM | β | 0 |
| CVE-2025-58343 An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allo... | 5.5 | MEDIUM | β | 0 |
| CVE-2025-58342 An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allo... | 6.2 | MEDIUM | β | 0 |
| CVE-2025-58341 An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allo... | 6.2 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.