CVE Vulnerabilities
CVE database enriched with CISA KEV and NVD
| CVE ID | Description | CVSS | Severity | KEV | Observations |
|---|---|---|---|---|---|
| CVE-2025-61786 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, `Deno.FsFile.prototype.stat` and `Deno.FsFile.prototype.statSync` are not limited by the permission mo... | 3.3 | LOW | — | 0 |
| CVE-2025-61787 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, ``C... | 8.1 | HIGH | — | 0 |
| CVE-2025-10494 | The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all ve... | 8.1 | HIGH | — | 0 |
| CVE-2025-10649 | The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via the cookie in all versions up to, and including, 2.11.21 due to insufficient escaping on the user supplied value and lack... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-10587 | The Community Events plugin for WordPress is vulnerable to SQL Injection via the event_category parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied ... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-11204 | The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 6.0.6.2 due to i... | 7.2 | HIGH | — | 0 |
| CVE-2025-10635 | The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks | 7.7 | HIGH | — | 0 |
| CVE-2025-11171 | The Chartify – WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an ... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-48464 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to gain access to a victim’s Sync account data such as account credentials and email protection information. | 4.7 | MEDIUM | — | 0 |
| CVE-2025-61524 | An issue in the permission verification module and organization/application editing interface in Casdoor v2.26.0 and before, and fixed in v.2.63.0, allows remote authenticated administrators of any or... | 7.2 | HIGH | — | 0 |
| CVE-2025-11444 | A security vulnerability has been detected in TOTOLINK N600R up to 4.3.0cu.7866_B20220506. This impacts the function setWiFiBasicConfig of the file /cgi-bin/cstecgi.cgi of the component HTTP Request H... | 8.8 | HIGH | — | 0 |
| CVE-2025-60375 | The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side validation. By sending empty username and password parameters in th... | 7.3 | HIGH | — | 0 |
| CVE-2025-60298 | Novel-Plus up to 5.2.4 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /author/updateIndexName endpoint. This vulnerability allows authenticated attackers to inject... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-60299 | Novel-Plus with 5.2.0 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /book/addCommentReply endpoint. An authenticated user can inject malicious JavaScript through ... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-60314 | Configuroweb Sistema Web de Inventario 1.0 is vulnerable to a Stored Cross-Site Scripting (XSS) due to the lack of input sanitization on the product name parameter (Nombre:Producto) allowing an authen... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-60828 | WukongCRM-9.0-JAVA was discovered to contain a fastjson deserialization vulnerability via the /OaExamine/setOaExamine interface. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-60830 | redragon-erp v1.0 was discovered to contain a Shiro deserialization vulnerability caused by the default Shiro key. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-60833 | An XML External Entity (XXE) vulnerability in the /mall/wxpay/pay component of uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code via supplying crafted XML data. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-61183 | Cross Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via upload method in the storeAvatar() method of UserBase.php | 6.1 | MEDIUM | — | 0 |
| CVE-2025-60313 | Sourcecodester Link Status Checker 1.0 is vulnerable to a Cross-Site Scripting (XSS) in the Enter URLs to check input field. This allows a remote attacker to execute arbitrary code. | 6.1 | MEDIUM | — | 0 |
| CVE-2025-60834 | A fastjson deserialization vulnerability in uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code via supplying a crafted input. | 6.5 | MEDIUM | — | 0 |
| CVE-2025-61672 | Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserver to... | N/A | NONE | — | 0 |
| CVE-2025-36636 | In Tenable Security Center versions prior to 6.7.0, an improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope. | 4.3 | MEDIUM | — | 0 |
| CVE-2025-59303 | HAProxy Kubernetes Ingress Controller before 3.1.13, when the config-snippets feature flag is used, accepts config snippets from users with create/update permissions. This can result in obtaining an i... | 6.4 | MEDIUM | — | 0 |
| CVE-2025-5009 | In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a sharable public link that contained the entire conversation history and not just the snippet... | N/A | NONE | — | 0 |
| CVE-2025-60318 | SourceCodester Pet Grooming Management Software 1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/profile.php via the fname (First Name) and lname (Last Name) fields. | 6.1 | MEDIUM | — | 0 |
| CVE-2025-53967 | Framelink Figma MCP Server before 0.6.3 allows an unauthenticated remote attacker to execute arbitrary operating system commands via a crafted HTTP POST request with shell metacharacters in input that... | 8.0 | HIGH | — | 0 |
| CVE-2025-9970 | Cleartext Storage of Sensitive Information in Memory vulnerability in ABB MConfig. This issue affects MConfig: through 1.4.9.21. | 7.4 | HIGH | — | 0 |
| CVE-2025-21058 | Improper access control in Routines prior to version 4.8.7.1 in Android 15 and 4.9.6.0 in Android 16 allows local attackers to potentially execute arbitrary code with SystemUI privilege. | 7.3 | HIGH | — | 0 |
| CVE-2025-42701 | A race condition exists in the Falcon sensor for Windows that could allow an attacker, with the prior ability to execute code on a host, to delete arbitrary files. CrowdStrike released a security fix ... | 5.6 | MEDIUM | — | 0 |
| CVE-2025-42706 | A logic error exists in the Falcon sensor for Windows that could allow an attacker, with the prior ability to execute code on a host, to delete arbitrary files. CrowdStrike released a security fix for... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-61788 | Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, the paella would include and render some user inputs (metada... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-61906 | Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, in some situations, Opencast's editor may publish a video wi... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-9868 | Server-Side Request Forgery (SSRF) in the Remote Browser Plugin in Sonatype Nexus Repository 2.x up to and including 2.15.2 allows unauthenticated remote attackers to exfiltrate proxy repository crede... | N/A | NONE | — | 0 |
| CVE-2025-57457 | An OS Command Injection vulnerability in the Admin panel in Curo UC300 5.42.1.7.1.63R1 allows local attackers to inject arbitrary OS Commands via the "IP Addr" parameter. | 8.8 | HIGH | — | 0 |
| CVE-2025-11539 | Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath para... | 9.9 | CRITICAL | — | 0 |
| CVE-2025-54279 | Animate versions 23.0.13, 24.0.10 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issu... | 7.8 | HIGH | — | 0 |
| CVE-2025-61804 | Animate versions 23.0.13, 24.0.10 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation ... | 7.8 | HIGH | — | 0 |
| CVE-2011-10033 | The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset... | N/A | NONE | — | 0 |
| CVE-2017-20204 | DBLTek GoIP devices (models GoIP 1, 4, 8, 16, and 32) contain an undocumented vendor backdoor in the Telnet administrative interface that allows remote authentication as an undocumented user via a pro... | N/A | NONE | — | 0 |
| CVE-2017-20205 | Valve's Source SDK (source-sdk-2013)'s ragdoll model parsing logic contains a stack-based buffer overflow vulnerability. The tokenizer function `nexttoken` copies characters from an input string into a... | N/A | NONE | — | 0 |
| CVE-2025-62448 | Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2025-62668 | Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Resource Leak Exposure. This issue affects Mediawiki - GrowthExperiments Extension... | N/A | NONE | — | 0 |
| CVE-2018-25117 | VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised install... | N/A | NONE | — | 0 |
| CVE-2023-7311 | BYTEVALUE Intelligent Flow Control Router contains a command injection vulnerability via the /goform/webRead/open endpoint. The `path` parameter is not properly validated and is echoed into a shell co... | N/A | NONE | — | 0 |
| CVE-2025-54268 | Bridge versions 14.1.8, 15.1.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of ... | 7.8 | HIGH | — | 0 |
| CVE-2025-54278 | Bridge versions 14.1.8, 15.1.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sens... | 5.5 | MEDIUM | — | 0 |
| CVE-2025-11746 | The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via the et_ajax_required_plugins_popup() function. This makes it possible for authentica... | 8.8 | HIGH | — | 0 |
| CVE-2025-62440 | Rejected reason: Not used | N/A | NONE | — | 0 |
| CVE-2025-62441 | Rejected reason: Not used | N/A | NONE | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.