Total
205 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-38049 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2025-10-14 | 6.6 Medium |
| Windows Distributed Transaction Coordinator Remote Code Execution Vulnerability | ||||
| CVE-2025-3241 | 1 Zhangyanbo2007 | 1 Youkefu | 2025-10-10 | 6.3 Medium |
| A vulnerability, which was classified as problematic, was found in zhangyanbo2007 youkefu up to 4.2.0. This affects an unknown part of the file src/main/java/com/ukefu/webim/web/handler/admin/callcenter/CallCenterRouterController.java of the component XML Document Handler. The manipulation of the argument routercontent leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-10091 | 1 Jinher | 1 Jinher Oa | 2025-10-09 | 7.3 High |
| A vulnerability has been found in Jinher OA up to 1.2. This affects an unknown function of the file /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add of the component XML Handler. The manipulation leads to xml external entity reference. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-10092 | 1 Jinher | 1 Jinher Oa | 2025-10-09 | 7.3 High |
| A vulnerability was found in Jinher OA up to 1.2. This impacts an unknown function of the file /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add of the component XML Handler. The manipulation results in xml external entity reference. The attack can be executed remotely. The exploit has been made public and could be used. | ||||
| CVE-2025-11035 | 1 Jinher | 1 Jinher Oa | 2025-10-08 | 6.3 Medium |
| A vulnerability was determined in Jinher OA 2.0. The impacted element is an unknown function of the file /c6/Jhsoft.Web.module/ToolBar/ManageWord.aspx/?text=GetUrl&style=1. This manipulation causes xml external entity reference. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-11341 | 1 Jinher | 1 Jinher Oa | 2025-10-08 | 7.3 High |
| A security flaw has been discovered in Jinher OA up to 2.0. This affects an unknown function of the file /c6/Jhsoft.Web.module/eformaspx/WebDesign.aspx/?type=SystemUserInfo&style=1. Performing manipulation results in xml external entity reference. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-11140 | 2 Bjskzy, Zhiyou-group | 2 Zhiyou Erp, Zhiyou Erp | 2025-10-03 | 7.3 High |
| A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10816 | 1 Jinher | 1 Jinher Oa | 2025-10-03 | 7.3 High |
| A security flaw has been discovered in Jinher OA 2.0. This affects an unknown part of the file /c6/Jhsoft.Web.module/ToolBar/GetWordFileName.aspx/?text=GetUrl&style=add of the component XML Handler. Performing manipulation results in xml external entity reference. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-8057 | 1 Patika Global Technologies | 1 Humansuite | 2025-09-17 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key, Externally Controlled Reference to a Resource in Another Sphere, Improper Authorization vulnerability in Patika Global Technologies HumanSuite allows Exploiting Trust in Client.This issue affects HumanSuite: before 53.21.0. | ||||
| CVE-2025-26684 | 1 Microsoft | 1 Defender For Endpoint | 2025-09-10 | 6.7 Medium |
| External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-9065 | 1 Rockwellautomation | 1 Thinmanager | 2025-09-09 | N/A |
| A server-side request forgery security issue exists within Rockwell Automation ThinManager® software due to the lack of input sanitization. Authenticated attackers can exploit this vulnerability by specifying external SMB paths, exposing the ThinServer® service account NTLM hash. | ||||
| CVE-2024-49722 | 1 Google | 1 Android | 2025-09-04 | 5.5 Medium |
| In showAvatarPicker of EditUserPhotoController.java, there is a possible cross user image leak due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2024-49728 | 1 Google | 1 Android | 2025-09-04 | 5.5 Medium |
| In generateFileInfo of BluetoothOppSendFileInfo.java, there is a possible cross user media disclosure due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-0082 | 1 Google | 1 Android | 2025-09-02 | 5.5 Medium |
| In multiple functions of StatusHint.java and TelecomServiceImpl.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2025-26417 | 1 Google | 1 Android | 2025-09-02 | 4 Medium |
| In checkWhetherCallingAppHasAccess of DownloadProvider.java, there is a possible bypass of user consent when opening files in shared storage due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-48963 | 1 Acronis | 1 Cyber Protect Cloud Agent | 2025-09-01 | N/A |
| Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40296. | ||||
| CVE-2025-1225 | 1 R1bbit | 1 Yimioa | 2025-08-26 | 6.3 Medium |
| A vulnerability, which was classified as problematic, has been found in ywoa up to 2024.07.03. This issue affects the function extract of the file c-main/src/main/java/com/redmoon/weixin/aes/XMLParse.java of the component WXCallBack Interface. The manipulation leads to xml external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2024-47773 | 1 Discourse | 1 Discourse | 2025-08-26 | 8.2 High |
| Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value. | ||||
| CVE-2025-7824 | 1 Jinher | 1 Jinher Oa | 2025-08-26 | 7.3 High |
| A vulnerability was found in Jinher OA 1.1. It has been rated as problematic. This issue affects some unknown processing of the file XmlHttp.aspx. The manipulation leads to xml external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-7823 | 1 Jinher | 1 Jinher Oa | 2025-08-26 | 7.3 High |
| A vulnerability was found in Jinher OA 1.2. It has been declared as problematic. This vulnerability affects unknown code of the file ProjectScheduleDelete.aspx. The manipulation leads to xml external entity reference. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||