Total
319986 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-63520 | 1 Feehi | 2 Feehi Cms, Feehicms | 2025-12-02 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate). | ||||
| CVE-2025-54851 | 1 Socomec | 1 Diris M-70 | 2025-12-02 | 7.5 High |
| A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.An attacker can trigger this denial-of-service condition by sending a single Modbus TCP message to port 503 using the Write Single Register function code (6) to write the value 1 to register 4352. This action changes the Modbus address to 15. After this message is sent, the device will be in a denial-of-service state. | ||||
| CVE-2025-13835 | 2 Tychesoftwares, Wordpress | 2 Arconix Shortcodes, Wordpress | 2025-12-02 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tyche Softwares Arconix Shortcodes allows Stored XSS.This issue affects Arconix Shortcodes: from n/a through 2.1.19. | ||||
| CVE-2025-58044 | 1 Jumpserver | 1 Jumpserver | 2025-12-02 | N/A |
| JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, The /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. This vulnerability is fixed in v3.10.19 and v4.10.5. | ||||
| CVE-2025-65403 | 1 Lightftp Project | 1 Lightftp | 2025-12-02 | 6.5 Medium |
| A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | ||||
| CVE-2025-12756 | 1 Mattermost | 2 Mattermost, Mattermost Boards | 2025-12-02 | 4.3 Medium |
| Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users. | ||||
| CVE-2025-66302 | 1 Getgrav | 1 Grav | 2025-12-02 | 6.8 Medium |
| Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. This vulnerability is fixed in 1.8.0-beta.27. | ||||
| CVE-2025-65621 | 1 Snipeitapp | 1 Snipe-it | 2025-12-02 | N/A |
| Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation. | ||||
| CVE-2025-65407 | 1 Live555 | 1 Streaming Media | 2025-12-02 | 6.5 Medium |
| A use-after-free in the MPEG1or2Demux::newElementaryStream() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG Program stream. | ||||
| CVE-2025-66205 | 1 Frappe | 1 Frappe | 2025-12-02 | 7.1 High |
| Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2. | ||||
| CVE-2025-65622 | 1 Snipeitapp | 1 Snipe-it | 2025-12-02 | N/A |
| Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. | ||||
| CVE-2025-55749 | 1 Xwiki | 2 Xwiki, Xwiki-platform | 2025-12-02 | N/A |
| XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contains credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0. | ||||
| CVE-2025-66303 | 1 Getgrav | 1 Grav | 2025-12-02 | 4.9 Medium |
| Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduled_at parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations. The only way to recover from this issue is to manually access the host server and modify the backup.yaml file to correct the corrupted cron expression. This vulnerability is fixed in 1.8.0-beta.27. | ||||
| CVE-2025-65838 | 1 Sanluan | 1 Publiccms | 2025-12-02 | N/A |
| PublicCMS V5.202506.b is vulnerable to path traversal via the doUploadSitefile method. | ||||
| CVE-2025-13837 | 1 Python | 1 Cpython | 2025-12-02 | N/A |
| When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues | ||||
| CVE-2025-66206 | 1 Frappe | 1 Frappe | 2025-12-02 | 6.8 Medium |
| Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, certain requests were vulnerable to path traversal attacks, wherein some files from the server could be retrieved if the full path was known. Sites hosted on Frappe Cloud, and even other setups that are behind a reverse proxy like NGINX are unaffected. This would mainly affect someone directly using werkzeug/gunicorn. In those cases, either an upgrade or changing the setup to use a reverse proxy is recommended. This vulnerability is fixed in 15.86.0 and 14.99.2. | ||||
| CVE-2025-13653 | 1 Search-guard | 1 Search Guard | 2025-12-02 | 4.3 Medium |
| In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests to read documents from data streams without having the respective privileges. | ||||
| CVE-2025-11772 | 1 Synaptics | 1 Fingerprint Driver | 2025-12-02 | 6.6 Medium |
| A carefully crafted DLL, copied to C:\ProgramData\Synaptics folder, allows a local user to execute arbitrary code with elevated privileges during driver installation. | ||||
| CVE-2025-64690 | 1 Jetbrains | 1 Youtrack | 2025-12-02 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it relates to internal functionality that is not available to customers. | ||||
| CVE-2025-64689 | 1 Jetbrains | 1 Youtrack | 2025-12-02 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it relates to internal functionality that is not available to customers. | ||||