Total
318713 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11990 | 1 Gitlab | 1 Gitlab | 2025-11-18 | 3.1 Low |
| GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses. | ||||
| CVE-2025-11865 | 1 Gitlab | 1 Gitlab | 2025-11-18 | 4.3 Medium |
| An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user. | ||||
| CVE-2025-2615 | 1 Gitlab | 1 Gitlab | 2025-11-18 | 4.3 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections. | ||||
| CVE-2025-12182 | 2 Qodeinteractive, Wordpress | 2 Qi Blocks, Wordpress | 2025-11-18 | 4.3 Medium |
| The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images. | ||||
| CVE-2025-4617 | 2 Microsoft, Paloaltonetworks | 2 Windows, Prisma Browser | 2025-11-18 | N/A |
| An insufficient policy enforcement vulnerability in Palo Alto Networks Prisma® Browser on Windows allows a locally authenticated non-admin user to bypass the screenshot control feature of the browser. Browser self-protection should be enabled to mitigate this issue. | ||||
| CVE-2025-4618 | 2 Palo Alto Networks, Paloaltonetworks | 2 Prisma Browser, Prisma Browser | 2025-11-18 | N/A |
| A sensitive information disclosure vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to retrieve sensitive data from Prisma Browser. Browser self-protection should be enabled to mitigate this issue. | ||||
| CVE-2018-25125 | 1 Netis-systems | 2 Dl4322d, Dl4343 Firmware | 2025-11-18 | N/A |
| Netis ADSL Router DL4322D firmware RTK 2.1.1 contains a buffer overflow vulnerability in the embedded FTP service that allows an authenticated remote user to trigger a denial of service. After logging in to the FTP service, sending an FTP command such as ABOR with an excessively long argument causes the service, and in practice the router, to crash or become unresponsive, resulting in a loss of availability for the device and connected users. | ||||
| CVE-2025-6171 | 1 Gitlab | 1 Gitlab | 2025-11-18 | 5.3 Medium |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled. | ||||
| CVE-2025-59780 | 1 General Industrial Controls | 1 Lynx+ Gateway | 2025-11-18 | 7.5 High |
| General Industrial Controls Lynx+ Gateway is missing critical authentication in the embedded web server which could allow an attacker to send GET requests to obtain sensitive device information. | ||||
| CVE-2025-13181 | 1 Pojoin | 1 H3blog | 2025-11-18 | 3.5 Low |
| A vulnerability was determined in pojoin h3blog 1.0. The affected element is an unknown function of the file /admin/cms/material/add. Executing manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-54348 | 1 Desktopalert | 1 Pingalert | 2025-11-18 | 6.5 Medium |
| A Stored Cross Site Scripting (XSS) vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to hijack user’s browser, capturing sensitive information. | ||||
| CVE-2025-54561 | 1 Desktopalert | 1 Pingalert | 2025-11-18 | 4.3 Medium |
| An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows remote access to content despite lack of the correct permission through a Broken Authorization Schema. | ||||
| CVE-2025-12482 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 7.5 High |
| The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 1.2.35 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-12494 | 2 Wordpress, Wpchill | 2 Wordpress, Image Photo Gallery Final Tiles Grid | 2025-11-18 | 4.3 Medium |
| The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server. | ||||
| CVE-2025-13172 | 1 Codeastro | 1 Gym Management System | 2025-11-18 | 6.3 Medium |
| A security flaw has been discovered in CodeAstro Gym Management System 1.0. Affected is an unknown function of the file /admin/view-member-report.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-63291 | 1 Alteryx | 1 Alteryx Server | 2025-11-18 | 5.4 Medium |
| When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying particlar MongoDB object IDs, callers could obtain records for other users without proper authorization. Records retrievable using this attack included administrative API keys and private studio api keys. | ||||
| CVE-2025-63701 | 1 Advantech | 1 Tp-3250 | 2025-11-18 | 6.8 Medium |
| A heap corruption vulnerability exists in the Advantech TP-3250 printer driver's DrvUI_x64_ADVANTECH.dll (v0.3.9200.20789) when DocumentPropertiesW() is called with a valid dmDriverExtra value but an undersized output buffer. The driver incorrectly assumes the output buffer size matches the input buffer size, leading to invalid memory operations and heap corruption. This vulnerability can cause denial of service through application crashes and potentially lead to code execution in user space. Local access is required to exploit this vulnerability. | ||||
| CVE-2025-63724 | 1 Meeco | 1 Svx Portal | 2025-11-18 | 6 Medium |
| SQL injection (SQL-i) vulnerability in SVX Portal 2.7A via crafted POST request to admin/update_setings.php. | ||||
| CVE-2025-63744 | 1 Radare | 1 Radare2 | 2025-11-18 | 4.3 Medium |
| A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the load() function of bin_dyldcache.c. Processing a crafted file can cause a segmentation fault and crash the program. | ||||
| CVE-2025-63891 | 1 Sourcecodester | 1 Simple Online Book Store System | 2025-11-18 | 7.5 High |
| Information Disclosure in web-accessible backup file in SourceCodester Simple Online Book Store System allows a remote unauthenticated attacker to disclose full database contents (including schema and credential hashes) via an unauthenticated HTTP GET request to /obs/database/obs_db.sql. | ||||