Total
319666 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64128 | 1 Zenitel | 1 Tciv-3+ | 2025-11-27 | 10 Critical |
| An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands. | ||||
| CVE-2025-66265 | 2 Megatec, Microsoft | 2 Upsilon2000, Windows | 2025-11-27 | N/A |
| CMService.exe creates the C:\\usr directory and subdirectories with insecure permissions, granting write access to all authenticated users. This allows attackers to replace configuration files (such as snmp.conf) or hijack DLLs to escalate privileges. | ||||
| CVE-2025-65669 | 1 Classroomio | 1 Classroomio | 2025-11-27 | N/A |
| An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction. | ||||
| CVE-2025-30190 | 1 Open-xchange | 1 Ox App Suite | 2025-11-27 | 5.4 Medium |
| Malicious content in office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. | ||||
| CVE-2025-2486 | 2 Canonical, Ubuntu | 3 Ubuntu, Edk2, Ubuntu | 2025-11-27 | N/A |
| The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733. | ||||
| CVE-2025-12584 | 3 Shapedplugin, Woocommerce, Wordpress | 3 Quick View, Woocommerce, Wordpress | 2025-11-27 | 5.3 Medium |
| The Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.17 via the 'wqv_popup_content' AJAX endpoint due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from private products that they should not have access to. | ||||
| CVE-2025-64129 | 1 Zenitel | 1 Tciv-3+ | 2025-11-27 | 7.6 High |
| Zenitel TCIV-3+ is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device. | ||||
| CVE-2025-56396 | 1 Ruoyi | 1 Ruoyi | 2025-11-27 | N/A |
| An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user. | ||||
| CVE-2025-64130 | 1 Zenitel | 1 Tciv-3+ | 2025-11-27 | 9.8 Critical |
| Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser. | ||||
| CVE-2025-33204 | 1 Nvidia | 1 Nemo | 2025-11-27 | 7.8 High |
| NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP and LLM components, where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2025-46174 | 1 Ruoyi | 1 Ruoyi | 2025-11-27 | N/A |
| Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd method of SysUserController.java. | ||||
| CVE-2025-33196 | 1 Nvidia | 1 Dgx | 2025-11-27 | 4.4 Medium |
| NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure. | ||||
| CVE-2025-13378 | 2 Ays-pro, Wordpress | 2 Ai Chatbot With Chatgpt, Wordpress | 2025-11-27 | 6.5 Medium |
| The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2025-33198 | 1 Nvidia | 1 Dgx | 2025-11-27 | 3.3 Low |
| NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure. | ||||
| CVE-2025-13674 | 1 Wireshark | 1 Wireshark | 2025-11-27 | 5.5 Medium |
| BPv7 dissector crash in Wireshark 4.6.0 allows denial of service | ||||
| CVE-2025-66021 | 1 Owasp | 1 Java Html Sanitizer | 2025-11-27 | N/A |
| OWASP Java HTML Sanitizer is a configurable HTML sanitizer written in Java, allowing inclusion of HTML authored by third parties in web applications while protecting against XSS. In version 20240325.1, OWASP Java HTML Sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags that are not mentioned in the HTML policy. At time of publication no known patch is available. | ||||
| CVE-2025-9558 | 1 Zephyrproject-rtos | 1 Zephyr | 2025-11-27 | 7.6 High |
| There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size. | ||||
| CVE-2025-66026 | 1 Redaxo | 1 Redaxo | 2025-11-27 | 6.1 Medium |
| REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1. | ||||
| CVE-2025-33199 | 1 Nvidia | 1 Dgx | 2025-11-27 | 3.2 Low |
| NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause incorrect control flow behavior. A successful exploit of this vulnerability might lead to data tampering. | ||||
| CVE-2025-65960 | 1 Contao | 1 Contao | 2025-11-27 | 6.6 Medium |
| Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method. | ||||