Total
293096 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2025-46225 | 1 Migaweb | 1 Post In Page For Elementor | 2025-05-07 | 6.5 Medium |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Post in page for Elementor allows DOM-Based XSS. This issue affects Post in page for Elementor: from n/a through 1.0.1. | ||||
CVE-2025-20957 | | | 2025-05-07 | 7.3 High |
Improper access control in SmartManagerCN prior to SMR May-2025 Release 1 allows local attackers to launch arbitrary activities with SmartManagerCN privilege. | ||||
CVE-2025-46226 | 1 Mpl-publisher | 1 Mpl-publisher | 2025-05-07 | 6.5 Medium |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ferranfg MPL-Publisher allows Stored XSS. This issue affects MPL-Publisher: from n/a through 2.18.0. | ||||
CVE-2025-46227 | 1 Brechtvds | 1 Custom Related Posts | 2025-05-07 | 6.5 Medium |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brecht Custom Related Posts allows Stored XSS. This issue affects Custom Related Posts: from n/a through 1.7.4. | ||||
CVE-2024-13326 | 1 Ibuildapp | 1 Ibuildapp | 2025-05-07 | 6.1 Medium |
The iBuildApp WordPress plugin through 0.2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
CVE-2025-4372 | | | 2025-05-07 | 8.8 High |
Use after free in WebAudio in Google Chrome prior to 136.0.7103.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | ||||
CVE-2025-4316 | | | 2025-05-07 | 4.3 Medium |
Improper access control in PAM feature in Devolutions Server 2025.1.6.0 and earlier allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions. | ||||
CVE-2025-45751 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-05-07 | 5.4 Medium |
SourceCodester Web Based Pharmacy Product Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in add-admin.php via the Fullname text field. | ||||
CVE-2025-45514 | | | 2025-05-07 | N/A |
Tenda FH451 V1.0.0.9 has a stack overflow vulnerability in the function frmL7ImForm. | ||||
CVE-2025-45388 | | | 2025-05-07 | N/A |
Wagtail CMS 6.4.1 is vulnerable to a Stored Cross-Site Scripting (XSS) in the document upload functionality. Attackers can inject malicious code inside a PDF file. When a user clicks the document in the CMS interface, the payload executes. | ||||
CVE-2025-32821 | | | 2025-05-07 | 7.1 High |
A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN admin privileges to inject shell command arguments to upload a file on the appliance. | ||||
CVE-2025-32820 | | | 2025-05-07 | 8.3 High |
A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to inject a path traversal sequence to make any directory on the SMA appliance writable. | ||||
CVE-2025-29746 | | | 2025-05-07 | N/A |
Cross Site Scripting vulnerability in Koillection v.1.6.10 allows a remote attacker to escalate privileges via the collection, Wishlist and album components | ||||
CVE-2025-28168 | | | 2025-05-07 | 4.3 Medium |
Outsystems Multiple File Upload < 3.1.0 is vulnerable to Unrestricted File Upload. The vulnerability is because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify the parameter to bypass extension restrictions and upload arbitrary files. | ||||
CVE-2024-58135 | | | 2025-05-07 | 5.3 Medium |
Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys. | ||||
CVE-2022-3363 | 1 Ikus-soft | 1 Rdiffweb | 2025-05-07 | 9.8 Critical |
Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.0a7. | ||||
CVE-2022-39944 | 1 Apache | 1 Linkis | 2025-05-07 | 8.8 High |
In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.2.0 are affected. We recommend users update to 1.3.0. | ||||
CVE-2022-37202 | 1 Jflyfox | 1 Jfinal Cms | 2025-05-07 | 8.8 High |
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/advicefeedback/list | ||||
CVE-2022-32407 | 1 Softr | 1 Softr | 2025-05-07 | 6.1 Medium |
Softr v2.0 was discovered to contain a Cross-Site Scripting (XSS) vulnerability via the First Name parameter under the Create A New Account module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
CVE-2022-31898 | 1 Gl-inet | 4 Gl-ax1800, Gl-ax1800 Firmware, Gl-mt300n-v2 and 1 more | 2025-05-07 | 6.8 Medium |
gl-inet GL-MT300N-V2 Mango v3.212 and GL-AX1800 Flint v3.214 were discovered to contain multiple command injection vulnerabilities via the ping_addr and trace_addr function parameters. |