Vulnerebility Vulnerebility Calendar Top 40 in years Top Vulnerebility List of Attack EVCatalog | 2025 2024
| DATE | NAME |
CATEGORY |
SUB | |
| 30.5.25 | CVE-2025-3935 | ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys. |
VULNEREBILITY |
|
| 29.5.25 | CVE-2025-47577 | Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server.This issue affects TI WooCommerce Wishlist: from n/a through 2.9.2. |
VULNEREBILITY |
|
| 28.5.25 | CVE-2024-58136 | (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP framework used by Craft CMS that could be exploited to access restricted functionality or resources (A regression of CVE-2024-4990) |
VULNEREBILITY |
|
| 28.5.25 | CVE-2025-32432 | (CVSS score: 10.0) - A remote code execution (RCE) vulnerability in Craft CMS (Patched in versions 3.9.15, 4.14.15, and 5.6.17) |
VULNEREBILITY |
|
| 28.5.25 | CVE-2025-32432 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. |
VULNEREBILITY |
|
| 25.5.25 | CVE-2020-12641 | rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. |
VULNEREBILITY |
|
| 25.5.25 | CVE-2020-35730 | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. |
VULNEREBILITY |
|
| 25.5.25 | CVE-2021-44026 | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. |
VULNEREBILITY |
|
| 25.5.25 | CVE-2023-38831 | Exploiting WinRAR vulnerability |
VULNEREBILITY |
|
| 25.5.25 | CVE-2023-23397 | Exploiting the Outlook NTLM vulnerability |
VULNEREBILITY |
|
| 25.5.25 | CVE-2025-47949 | samlify is a Node.js library for SAML single sign-on. A Signature Wrapping attack has been found in samlify prior to version 2.10.0, allowing an attacker to forge a SAML Response to authenticate as any user. An attacker would need a signed XML document by the identity provider. Version 2.10.0 fixes the issue. |
VULNEREBILITY |
|
| 25.5.25 | CVE-2025-4322 | The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. |
VULNEREBILITY |
|
| 23.5.25 | CVE-2023-20118 | A vulnerability in the web-based management interface of Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. |
VULNEREBILITY |
|
| 23.5.25 | CVE-2025-3928 | Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells. |
VULNEREBILITY |
|
| 22.5.25 | CVE-2025-0994 | Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server. |
VULNEREBILITY |
|
| 22.5.25 | CVE-2025-4428 | Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests. |
VULNEREBILITY |
|
| 22.5.25 | BadSuccessor | BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory |
VULNEREBILITY |
|
| 22.5.25 | CVE-2025-34027 | (CVSS score: 10.0) - An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to achieve remote code execution by exploiting an endpoint related to package uploads ("/portalapi/v1/package/spack/upload") via arbitrary file writes |
VULNEREBILITY |
|
| 22.5.25 | CVE-2025-34026 | (CVSS score: 9.2) - An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to access heap dumps and trace logs by exploiting an internal Spring Boot Actuator endpoint via |
VULNEREBILITY |
|
| 22.5.25 | CVE-2025-34025 | (CVSS score: 8.6) - A privilege escalation and Docker container escape vulnerability that's caused by unsafe default mounting of host binary paths and could be exploited to gain code execution on the underlying host machine |
VULNEREBILITY |
|
| 20.5.25 | CVE-2025-4918 | An out-of-bounds access vulnerability when resolving Promise objects that could allow an attacker to perform read or write on a JavaScript Promise object |
VULNEREBILITY |
|
| 20.5.25 | CVE-2025-4919 | An out-of-bounds access vulnerability when optimizing linear sums that could allow an attacker to perform read or write on a JavaScript object by confusing array index sizes |
VULNEREBILITY |
|
| 18.5.25 | CVE-2025-4664 | Google Chromium Loader Insufficient Policy Enforcement Vulnerability |
VULNEREBILITY |
|
| 18.5.25 | CVE-2024-12987 | DrayTek Vigor Routers OS Command Injection Vulnerability |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-42999 | Insecure Deserialization in SAP NetWeaver (Visual Composer development server) |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-32756 | Stack-based buffer overflow vulnerability in API |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-22462 | An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system. |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-3462 | "This issue is limited to motherboards and does not affect laptops, desktop computers, or other endpoints." An insufficient validation in ASUS DriverHub may allow unauthorized sources to interact with the software's features via crafted HTTP requests. |
VULNEREBILITY |
|
| 17.5.25 | CVE-2025-3463 | vulnerability in ASUS DriverHub may allow untrusted sources to affect system behavior via crafted HTTP requests |
VULNEREBILITY |
|
| 16.5.25 | CVE-2024-43420 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel Atom® processors may allow an authenticated user to potentially enable information disclosure via local access. |
VULNEREBILITY |
|
| 16.5.25 | CVE-2025-20623 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel® Core™ processors (10th Generation) may allow an authenticated user to potentially enable information disclosure via local access. |
VULNEREBILITY |
|
| 16.5.25 | CVE-2024-45332 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. |
VULNEREBILITY |
|
| 16.5.25 | CVE-2024-28956 | (CVSS v4 score: 5.7) - Indirect Target Selection (ITS), which affects Intel Core 9th-11th, and Intel Xeon 2nd-3rd, among others. |
VULNEREBILITY |
|
| 16.5.25 | CVE-2025-24495 | (CVSS v4 score: 6.8) - Lion Cove BPU issue, which affects Intel CPUs with Lion Cove core |
VULNEREBILITY |
|
| 15.5.25 | CVE-2025-4664 | Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) |
VULNEREBILITY |
|
| 15.5.25 | CVE-2025-4632 | Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority. |
VULNEREBILITY |
|
| 15.5.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-30397 | (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-30400 | (CVSS score: 7.8) - Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-32701 | (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-32706 | (CVSS score: 7.8) - Windows Common Log File System Driver Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-32709 | (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-32756 | A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiVoice versions 7.2.0, 7.0.0 through 7.0.6, 6.4.0 through 6.4.10, FortiRecorder versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.5, 6.4.0 through 6.4.5, FortiMail versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-4428 | (CVSS score: 7.2) - A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-4427 | (CVSS score: 5.3) - An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials |
VULNEREBILITY |
|
| 14.5.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. |
VULNEREBILITY |
|
| 13.5.25 | CVE-2025-27920 | Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access. |
VULNEREBILITY |
|
| 13.5.25 | CVE-2025-3462 | (CVSS score: 8.4) - An origin validation error vulnerability that may allow unauthorized sources to interact with the software's features via crafted HTTP requests |
VULNEREBILITY |
|
| 13.5.25 | CVE-2025-3463 | (CVSS score: 9.4) - An improper certificate validation vulnerability that may allow untrusted sources to affect system behavior via crafted HTTP requests |
VULNEREBILITY |
|
| 12.5.25 | CVE-2025-27007 | Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation.This issue affects SureTriggers: from n/a through 1.0.82. |
VULNEREBILITY |
|
| 12.5.25 | CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 12.5.25 | CVE-2019-3568 | A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. |
VULNEREBILITY |
|
| 12.5.25 | CVE-2025-26647 | Windows Kerberos Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 12.5.25 | CVE-2025-30065 | Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes the issue. |
VULNEREBILITY |
|
| 12.5.25 | CVE-2024-7399 | Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority. |
VULNEREBILITY |
|
| 12.5.25 | CVE-2025-3248 | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. |
VULNEREBILITY |
|
| 9.5.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. |
VULNEREBILITY |
|
| 8.5.25 | CVE-2025-27363 | An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. |
VULNEREBILITY |
|
| 8.5.25 | CVE-2025-32819 | (CVSS score: 8.8) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. |
VULNEREBILITY |
|
| 8.5.25 | CVE-2025-32820 | (CVSS score: 8.3) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges can inject a path traversal sequence to make any directory on the SMA appliance writable |
VULNEREBILITY |
|
| 8.5.25 | CVE-2025-32821 | (CVSS score: 6.7) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN admin privileges can with admin privileges can inject shell command arguments to upload a file on the appliance |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-29824 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-3102 | The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-27007 | Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation.This issue affects SureTriggers: from n/a through 1.0.82. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-2777 | SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-2776 | SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2025-2775 | SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2019-3568 | A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2024-11120 | Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports. |
VULNEREBILITY |
|
| 7.5.25 | CVE-2024-6047 | Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. |
VULNEREBILITY |
|
| 6.5.25 | CVE-2025-27363 | An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. |
VULNEREBILITY |
|
| 6.5.25 | CVE-2025-3248 | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. |
VULNEREBILITY |
|
| 6.5.25 | CVE-2025-34028 | Commvault Command Center Path Traversal Vulnerability |
VULNEREBILITY |
|
| 6.5.25 | CVE-2024-58136 | Yiiframework Yii Improper Protection of Alternate Path Vulnerability |
VULNEREBILITY |
|
| 6.5.25 | CVE-2025-23242 | NVIDIA Riva contains a vulnerability where a user could cause an improper access control issue. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, denial of service, or information disclosure. |
VULNEREBILITY |
|
| 4.5.25 | CVE-2025-23243 | NVIDIA Riva contains a vulnerability where a user could cause an improper access control issue. A successful exploit of this vulnerability might lead to data tampering or denial of service. |
VULNEREBILITY |
|
| 4.5.25 | CVE-2025-31191 | Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape |
VULNEREBILITY |
|
|
4.5.25 |
Active! mail 6 BuildInfo: 6.60.05008561 and earlier contains a stack-based buffer overflow vulnerability. Receiving a specially crafted request created and sent by a remote unauthenticated attacker may lead to arbitrary code execution and/or a denial-of-service (DoS) condition. |
VULNEREBILITY |
||
|
4.5.25 |
Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6. |
VULNEREBILITY |
||
| 4.5.25 | CVE-2025-3928 | Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells. |
VULNEREBILITY |
|
| 3.5.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. |
VULNEREBILITY |
|
| 1.5.25 | CVE-2025-3928 | Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells. |
VULNEREBILITY |
|
| 1.5.25 | CVE-2023-44221 | (CVSS score: 7.2) - Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability |
VULNEREBILITY |
|
| 1.5.25 | CVE-2024-38475 | (CVSS score: 9.8) - Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server |
VULNEREBILITY |
|
| 29.4.25 | CVE-2025-3928 | (CVSS score: 8.7) - An unspecified flaw in the Commvault Web Server that allows a remote, authenticated attacker to create and execute web shells |
VULNEREBILITY |
|
| 29.4.25 | CVE-2025-1976 | (CVSS score: 8.6) - A code injection flaw affecting Broadcom Brocade Fabric OS that allows a local user with administrative privileges to execute arbitrary code with full root privileges |
VULNEREBILITY |
|
| 29.4.25 | CVE-2025-32432 | (CVSS score: 10.0) - A remote code execution (RCE) vulnerability in Craft CMS (Patched in versions 3.9.15, 4.14.15, and 5.6.17) |
VULNEREBILITY |
|
| 29.4.25 | CVE-2024-58136 | (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP framework used by Craft CMS that could be exploited to access restricted functionality or resources |
VULNEREBILITY |
|
| 27.4.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. |
VULNEREBILITY |
|
| 27.4.25 | CVE-2025-32432 | A remote code execution (RCE) vulnerability in Craft CMS. |
VULNEREBILITY |
|
| 27.4.25 | CVE-2024-58136 | An input validation flaw in the Yii framework used by Craft CMS. |
VULNEREBILITY |
|
| 26.4.25 | CVE-2024-54084 | APTIOV contains a vulnerability in BIOS where an attacker may cause a Time-of-check Time-of-use (TOCTOU) Race Condition by local means. Successful exploitation of this vulnerability may lead to arbitrary code execution. |
VULNEREBILITY |
|
| 26.4.25 | CVE-2024-54085 | AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. |
VULNEREBILITY |
|
| 25.4.25 | CVE-2025-42599 | Active! mail 6 BuildInfo: 6.60.05008561 and earlier contains a stack-based buffer overflow vulnerability. Receiving a specially crafted request created and sent by a remote unauthenticated attacker may lead to arbitrary code execution and/or a denial-of-service (DoS) condition. |
VULNEREBILITY |
|
| 25.4.25 | CVE-2017-9844 | SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. |
VULNEREBILITY |
|
| 25.4.25 | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. |
VULNEREBILITY |
|
| 25.4.25 | CVE-2025-27610 | (CVSS score: 7.5) - A path traversal vulnerability that could be used to gain access to all files under the specified root: directory, assuming an attacker can determine the paths to those files |
VULNEREBILITY |
|
| 25.4.25 | CVE-2025-27111 | (CVSS score: 6.9) - An improper neutralization of carriage return line feeds (CRLF) sequences and improper output neutralization for logs vulnerability that could be used to manipulate log entries and distort log files |
VULNEREBILITY |
|
| 25.4.25 | CVE-2025-25184 | (CVSS score: 5.7) - An improper neutralization of carriage return line feeds (CRLF) sequences and improper output neutralization for logs vulnerability that could be used to manipulate log entries and inject malicious data |
VULNEREBILITY |
|
| 25.4.25 | CVE-2025-0282 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. |
VULNEREBILITY |
|
| 24.4.25 | CVE-2025-34028 | A critical security vulnerability has been identified in the Command Center installation, allowing remote attackers to execute arbitrary code without authentication. |
VULNEREBILITY |
|
|
21.4.25 |
CVE-2021-20035 | Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS. |
VULNEREBILITY |
|
| 21.4.25 | CVE-2025-24054 | NTLM Hash Disclosure Spoofing Vulnerability |
VULNEREBILITY |
|
|
21.4.25 |
CVE-2025-20150 | Cisco Nexus Dashboard LDAP Username Enumeration Vulnerability |
VULNEREBILITY |
|
| 21.4.25 | CVE-2025-20178 | Cisco Secure Network Analytics Privilege Escalation Vulnerability |
VULNEREBILITY |
|
| 19.4.25 | CVE-2025-2492 | An improper authentication control vulnerability exists in AiCloud. This vulnerability can be triggered by a crafted request, potentially leading to unauthorized execution of functions. Refer to the 'ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information. |
VULNEREBILITY |
|
| 18.4.25 | CVE-2025-24054 | NTLM Hash Disclosure Spoofing Vulnerability |
VULNEREBILITY |
|
| 17.4.25 | CVE-2025-32433 | Unauthenticated Remote Code Execution in Erlang/OTP SSH |
VULNEREBILITY |
|
| 17.4.25 | CVE-2021-20035 | SonicWall SMA100 Appliances OS Command Injection Vulnerability |
VULNEREBILITY |
|
| 17.4.25 | CVE-2025-24201 | (CVSS score: 7.1) - An out-of-bounds write issue in the WebKit component that could be exploited to break out of the Web Content sandbox using maliciously crafted web content |
VULNEREBILITY |
|
| 17.4.25 | CVE-2025-24200 | (CVSS score: 4.6) - An authorization issue in the Accessibility component that could enable an attacker to disable USB Restricted Mode on a locked device as part of a cyber-physical attack |
VULNEREBILITY |
|
| 17.4.25 | CVE-2025-24085 | (CVSS score: 7.8) - A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privileges |
VULNEREBILITY |
|
| 17.4.25 | CVE-2025-31201 | (CVSS score: 6.8) - A vulnerability in the RPAC component that could be used by an attacker with arbitrary read and write capability to bypass Pointer Authentication |
VULNEREBILITY |
|
| 17.4.25 | CVE-2025-31200 | (CVSS score: 7.5) - A memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio stream in a maliciously crafted media file |
VULNEREBILITY |
|
| 17.4.25 | New Vulnerabilities for schtasks.exe | Task Scheduler– New Vulnerabilities for schtasks.exe |
VULNEREBILITY |
|
| 16.4.25 | CVE-2025-24859 | A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. |
VULNEREBILITY |
|
| 15.4.25 | CVE-2025-30406 | Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. |
VULNEREBILITY |
|
| 12.4.25 | CVE-2025-30401 | A spoofing issue in WhatsApp for Windows prior to version 2.2550.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. |
VULNEREBILITY |
|
| 12.4.25 | CVE-2024-21762 | A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests |
VULNEREBILITY |
|
| 12.4.25 | CVE-2023-27997 | A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. |
VULNEREBILITY |
|
| 12.4.25 | CVE-2022-42475 | A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. |
VULNEREBILITY |
|
| 11.4.25 | CVE-2025-3102 | The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. |
VULNEREBILITY |
|
| 10.4.25 | CVE-2024-0132 | NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27491 | Windows Hyper-V Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-26686 | Windows TCP/IP Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27752 | Microsoft Excel Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27745 | Microsoft Office Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27748 | Microsoft Office Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27749 | Microsoft Office Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-29791 | Microsoft Excel Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-26670 | Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-26663 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27482 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-27480 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-29809 | Windows Kerberos Security Feature Bypass Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-29824 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-30406 | Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-29824 | Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability |
VULNEREBILITY |
|
| 9.4.25 | CVE-2025-29824 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. |
VULNEREBILITY |
|
| 9.4.25 | CVE-2024-48887 | Unverified password change via set_password endpoint |
VULNEREBILITY |
|
| 9.4.25 | AWS SSM Agent's Plugin ID Validation | Path Traversal Vulnerability in AWS SSM Agent's Plugin ID Validation |
VULNEREBILITY |
|
| 8.4.25 | CVE-2025-31161 | CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." |
VULNEREBILITY |
|
| 8.4.25 | CVE-2024-53150 | (CVSS score: 7.8) - An out-of-bounds flaw in the USB sub-component of Kernel that could result in information disclosure |
VULNEREBILITY |
|
| 8.4.25 | CVE-2024-53197 | (CVSS score: 7.8) - A privilege escalation flaw in the USB sub-component of Kernel |
VULNEREBILITY |
|
|
6.4.25 |
Issue that bypasses the "Mark of the Web" security warning function for files when opening a symbolic link that points to an executable file exists in WinRAR versions prior to 7.11. If a symbolic link specially crafted by an attacker is opened on the affected product, arbitrary code may be executed. |
VULNEREBILITY |
||
|
6.4.25 |
(CVSS score: 7.8) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability |
VULNEREBILITY |
||
|
6.4.25 |
(CVSS score: 6.5) - Microsoft Windows File Explorer Spoofing Vulnerability |
VULNEREBILITY |
||
| 5.4.25 | GRUB2 vulnerabilities | [SECURITY PATCH 00/73] GRUB2 vulnerabilities - 2025/02/18 |
VULNEREBILITY |
|
| 4.4.25 | CVE-2025-22457 | April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457) |
VULNEREBILITY |
|
| 4.4.25 | CVE-2025-30065 | Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes the issue. |
VULNEREBILITY |
|
| 3.4.25 | CVE-2024-10668 | There exists an auth bypass in Google Quickshare where an attacker can upload an unknown file type to a victim. The root cause of the vulnerability lies in the fact that when a Payload Transfer frame of type FILE is sent to Quick Share, the file that is contained in this frame is written to disk in the Downloads folder. |
VULNEREBILITY |
|
| 3.4.25 | ImageRunner | ImageRunner: A Privilege Escalation Vulnerability Impacting GCP Cloud Run |
VULNEREBILITY |
|
|
1.4.25 |
(CVSS score: 7.3) - A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privileges |
VULNEREBILITY |
||
|
1.4.25 |
(CVSS score: 4.6) - An authorization issue in the Accessibility component that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attack |
VULNEREBILITY |
||
|
1.4.25 |
(CVSS score: 8.8) - An out-of-bounds write issue in the WebKit component that could allow an attacker to craft malicious web content such that it can break out of the Web Content sandbox |
VULNEREBILITY |
||
|
31.3.25 |
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. |
VULNEREBILITY |
||
|
29.3.25 |
CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access. |
VULNEREBILITY |
||
|
29.3.25 |
NTLM Hash Disclosure Spoofing Vulnerability |
VULNEREBILITY |
||
|
29.3.25 |
Windows Themes Spoofing Vulnerability |
VULNEREBILITY |
||
|
28.3.25 |
CVE-2025-2783 | Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High) |
VULNEREBILITY |
|
|
28.3.25 |
CVE-2025-2857 | Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. |
VULNEREBILITY |
|
|
27.3.25 |
CVE-2020-8515 | (CVSS score: 9.8) — An operating system command injection vulnerability in multiple DrayTek router models that could allow remote code execution as root via shell metacharacters to the cgi-bin/mainfunction.cgi URI |
VULNEREBILITY |
|
|
27.3.25 |
CVE-2021-20123 | (CVSS score: 7.5) — A local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the DownloadFileServlet endpoint |
VULNEREBILITY |
|
|
27.3.25 |
CVE-2021-20124 | (CVSS score: 7.5) — A local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the WebServlet endpoint |
VULNEREBILITY |
|
|
27.3.25 |
CVE-2019-9874 | (CVSS score: 9.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN |
VULNEREBILITY |
|
|
27.3.25 |
CVE-2019-9875 | (CVSS score: 8.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN |
VULNEREBILITY |
|
|
27.3.25 |
CVE-2025-26512 | CVE-2025-26512 Privilege Escalation Vulnerability in SnapCenter |
VULNEREBILITY |
|
|
26.3.25 |
CVE-2025-2663 | Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data. |
VULNEREBILITY |
|
|
26.3.25 |
CVE-2025-26633 | Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally. |
VULNEREBILITY |
|
|
26.3.25 |
CVE-2025-2783 | The Stable channel has been updated to 134.0.6998.177/.178 for Windows which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log. |
VULNEREBILITY |
|
|
26.3.25 |
CVE-2025-22230 | VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control. A malicious actor with non-administrative privileges on a guest VM may gain ability to perform certain high privilege operations within that VM. |
VULNEREBILITY |
|
|
25.3.25 |
CVE-2025-24513 | (CVSS score: 4.8) – An improper input validation vulnerability that could result in directory traversal within the container, leading to denial-of-service (DoS) or limited disclosure of secret objects from the cluster when combined with other vulnerabilities |
VULNEREBILITY |
|
|
25.3.25 |
CVE-2025-24514 | (CVSS score: 8.8) – The auth-url Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller |
VULNEREBILITY |
|
|
25.3.25 |
CVE-2025-1097 | (CVSS score: 8.8) – The auth-tls-match-cn Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller |
VULNEREBILITY |
|
|
25.3.25 |
CVE-2025-1098 | (CVSS score: 8.8) – The mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller |
VULNEREBILITY |
|
|
25.3.25 |
CVE-2025-1974 | (CVSS score: 9.8) – An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions |
VULNEREBILITY |
|
|
24.3.25 |
CVE-2025-29927 | Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. |
VULNEREBILITY |
|
|
23.3.25 |
CVE-2024-48248 | NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because PhysicalDiscovery has cleartext credentials). |
VULNEREBILITY |
|
|
23.3.25 |
CVE-2024-20439 | Cisco Smart Licensing Utility Static Credential Vulnerability |
VULNEREBILITY |
|
|
23.3.25 |
CVE-2024-20440 | Cisco Smart Licensing Utility Information Disclosure Vulnerability |
VULNEREBILITY |
|
|
23.3.25 |
CVE-2025-30154 | reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs |
VULNEREBILITY |
|
|
23.3.25 |
CVE-2025-30066 | tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) |
VULNEREBILITY |
|
|
21.3.25 |
CVE-2024-20439 | (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system |
VULNEREBILITY |
|
|
21.3.25 |
CVE-2024-20440 | (CVSS score: 9.8) - A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API |
VULNEREBILITY |
|
|
21.3.25 |
CVE-2024-56347 | (CVSS score: 9.6) - An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimsh service SSL/TLS protection mechanism |
VULNEREBILITY |
|
|
21.3.25 |
CVE-2024-56346 | (CVSS score: 10.0) - An improper access control vulnerability that could permit a remote attacker to execute arbitrary commands via the AIX nimesis NIM master service |
VULNEREBILITY |
|
|
21.3.25 |
CVE-2025-23120 | A vulnerability allowing remote code execution (RCE) by authenticated domain users. |
VULNEREBILITY |
|
|
20.3.25 |
CVE-2025-1316 | (CVSS score: 9.3) - Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests (Unpatched due to the device reaching end-of-life) |
VULNEREBILITY |
|
|
20.3.25 |
CVE-2017-12637 | (CVSS score: 7.5) - SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string |
VULNEREBILITY |
|
|
20.3.25 |
CVE-2024-4577 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. |
VULNEREBILITY |
|
|
19.3.25 |
CVE-2025-20061 | An operating system command injection vulnerability that could permit an attacker to execute arbitrary commands on the affected system via specially crafted POST requests containing an email parameter |
VULNEREBILITY |
|
|
19.3.25 |
CVE-2025-20014 | An operating system command injection vulnerability that could permit an attacker to execute arbitrary commands on the affected system via specially crafted POST requests containing a version parameter |
VULNEREBILITY |
|
|
19.3.25 |
CVE-2025-30066 | tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) |
VULNEREBILITY |
|
|
19.3.25 |
CVE-2024-54085 | AMI’s SPx contains a vulnerability in the BMC where an Attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability. |
VULNEREBILITY |
|
|
18.3.25 |
CVE-2025-24813 | Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. |
VULNEREBILITY |
|
|
17.3.25 |
CVE-2025-1316 | Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device |
VULNEREBILITY |
|
|
17.3.25 |
CVE-2025-30066 | tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) |
VULNEREBILITY |
|
|
16.3.25 |
CVE-2025-20115 | A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. |
VULNEREBILITY |
|
|
16.3.25 |
CVE-2025-21590 | An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device. |
VULNEREBILITY |
|
| 13.3.25 | CVE-2025-25292 | Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential) |
VULNEREBILITY |
|
| 13.3.25 | CVE-2025-25291 | Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential) |
VULNEREBILITY |
|
| 13.3.25 | CVE-2025-27363 | n out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. |
VULNEREBILITY |
|
| 12.3.25 | CVE-2017-0929 | (CVSS score: 7.5) - DotNetNuke |
VULNEREBILITY |
|
| 12.3.25 | CVE-2020-7796 | (CVSS score: 9.8) - Zimbra Collaboration Suite |
VULNEREBILITY |
|
| 12.3.25 | CVE-2021-21973 | (CVSS score: 5.3) - VMware vCenter |
VULNEREBILITY |
|
| 12.3.25 | CVE-2021-22054 | (CVSS score: 7.5) - VMware Workspace ONE UEM |
VULNEREBILITY |
|
| 12.3.25 | CVE-2021-22175 | (CVSS score: 9.8) - GitLab CE/EE |
VULNEREBILITY |
|
| 12.3.25 | CVE-2021-22214 | CVSS score: 8.6) - GitLab CE/EE |
VULNEREBILITY |
|
| 12.3.25 | CVE-2021-39935 | (CVSS score: 7.5) - GitLab CE/EE |
VULNEREBILITY |
|
| 12.3.25 | CVE-2023-5830 | (CVSS score: 9.8) - ColumbiaSoft DocumentLocator |
VULNEREBILITY |
|
| 12.3.25 | CVE-2024-6587 | (CVSS score: 7.5) - BerriAI LiteLLM |
VULNEREBILITY |
|
| 12.3.25 | CVE-2024-21893 | (CVSS score: 8.2) - Ivanti Connect Secure |
VULNEREBILITY |
|
| 12.3.25 | CVE-2025-24983 | (CVSS score: 7.0) - A Windows Win32 Kernel Subsystem use-after-free (UAF) vulnerability that allows an authorized attacker to elevate privileges locally |
VULNEREBILITY |
|
| 12.3.25 | CVE-2025-24984 | (CVSS score: 4.6) - A Windows NTFS information disclosure vulnerability that allows an attacker with physical access to a target device and the ability to plug in a malicious USB drive to potentially read portions of heap memory |
VULNEREBILITY |
|
| 12.3.25 | CVE-2025-24985 |
(CVSS score: 7.8) - An integer overflow vulnerability in Windows Fast FAT File System Driver that allows an unauthorized attacker to execute code locally |
VULNEREBILITY |
|
| 12.3.25 | CVE-2025-24991 | (CVSS score: 5.5) - An out-of-bounds read vulnerability in Windows NTFS that allows an authorized attacker to disclose information locally |
VULNEREBILITY |
|
| 12.3.25 | CVE-2025-24993 | (CVSS score: 7.8) - A heap-based buffer overflow vulnerability in Windows NTFS that allows an unauthorized attacker to execute code locally |
VULNEREBILITY |
|
| 12.3.25 | CVE-2025-26633 | (CVSS score: 7.0) - An improper neutralization vulnerability in Microsoft Management Console that allows an unauthorized attacker to bypass a security feature locally |
VULNEREBILITY |
|
| 12.3.25 | Apple security releases | This document lists security updates and Rapid Security Responses for Apple software. | VULNEREBILITY | Update |
| 11.3.25 | CVE-2024-57968 | An unrestricted file upload vulnerability in Advantive VeraCore that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx |
VULNEREBILITY |
|
| 11.3.25 | CVE-2025-25181 | An SQL injection vulnerability in Advantive VeraCore that allows a remote attacker to execute arbitrary SQL commands |
VULNEREBILITY |
|
| 11.3.25 | CVE-2024-13159 | An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information |
VULNEREBILITY |
|
| 11.3.25 | CVE-2024-13160 | An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information |
VULNEREBILITY |
|
| 11.3.25 | CVE-2024-13161 | An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information |
VULNEREBILITY |
|
| 11.3.25 | CVE-2024-12297 | Moxa’s Ethernet switch is vulnerable to an authentication bypass because of flaws in its authorization mechanism. Although both client-side and back-end server verification are involved in the process, attackers can exploit weaknesses in its implementation. |
VULNEREBILITY |
|
| 9.3.25 | CVE-2025-27840 | Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory). |
VULNEREBILITY |
|
| 9.3.25 | CVE-2025-1316 | Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device |
VULNEREBILITY |
|
| 7.3.25 | CVE-2024-4577 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions |
VULNEREBILITY |
|
| 7.3.25 | CVE-2025-25012 | Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role |
VULNEREBILITY |
|
| 5.3.25 | CVE-2025-22224 | (CVSS score: 9.3) - A Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write, which a malicious actor with local administrative privileges on a virtual machine could exploit to execute code as the virtual machine's VMX process running on the host |
VULNEREBILITY |
|
| 5.3.25 | CVE-2025-22225 | (CVSS score: 8.2) - An arbitrary write vulnerability that a malicious actor with privileges within the VMX process could exploit to result in a sandbox escape |
VULNEREBILITY |
|
| 5.3.25 | CVE-2025-22226 | (CVSS score: 7.1) - An information disclosure vulnerability due to an out-of-bounds read in HGFS that a malicious actor with administrative privileges to a virtual machine could exploit to leak memory from the vmx process |
VULNEREBILITY |
|
| 4.3.25 | CVE-2023-20118 | (CVSS score: 6.5) - A command injection vulnerability in the web-based management interface of Cisco Small Business RV Series routers that allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data (Unpatched due to the routers reaching end-of-life status) |
VULNEREBILITY |
|
| 4.3.25 | CVE-2022-43939 | (CVSS score: 8.6) - An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server that stems from the use of non-canonical URL paths for authorization decisions (Fixed in August 2024 with versions 9.3.0.2 and 9.4.0.1) |
VULNEREBILITY |
|
| 4.3.25 | CVE-2022-43769 | (CVSS score: 7.8) - An improper resource shutdown or release vulnerability in Microsoft Windows Win32k that allows for local, authenticated privilege escalation, and running arbitrary code in kernel mode (Fixed in December 2018) |
VULNEREBILITY |
|
| 4.3.25 | CVE-2018-8639 | (CVSS score: 7.8) - An improper resource shutdown or release vulnerability in Microsoft Windows Win32k that allows for local, authenticated privilege escalation, and running arbitrary code in kernel mode (Fixed in December 2018) |
VULNEREBILITY |
|
| 4.3.25 | CVE-2024-4885 | (CVSS score: 9.8) - A path traversal vulnerability in Progress WhatsUp Gold that allows an unauthenticated attacker to achieve remote code execution (Fixed in version 2023.1.3 in June 2024) |
VULNEREBILITY |
|
| 4.3.25 | CVE-2024-43093 | A privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. |
VULNEREBILITY |
|
| 4.3.25 | CVE-2024-50302 | A privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports. |
VULNEREBILITY |
|
| 4.3.25 | CVE-2025-0285 | An arbitrary kernel memory mapping vulnerability in version 7.9.1 caused by a failure to validate user-supplied data lengths. Attackers can exploit this flaw to escalate privileges. |
VULNEREBILITY |
|
| 4.3.25 | CVE-2025-0286 | An arbitrary kernel memory write vulnerability in version 7.9.1 due to improper validation of user-supplied data lengths. This flaw can allow attackers to execute arbitrary code on the victim's machine. |
VULNEREBILITY |
|
| 4.3.25 | CVE-2025-0287 | A null pointer dereference vulnerability in version 7.9.1 caused by the absence of a valid MasterLrp structure in the input buffer. This allows an attacker to execute arbitrary kernel code, enabling privilege escalation. |
VULNEREBILITY |
|
| 4.3.25 | CVE-2025-0288 |
An arbitrary kernel memory vulnerability in version 7.9.1 caused by the memmove function, which fails to sanitize user-controlled input. This allows an attacker to write arbitrary kernel memory and achieve privilege escalation. |
VULNEREBILITY |
|
| 4.3.25 | CVE-2025-0289 | An insecure kernel resource access vulnerability in version 17 caused by failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. This allows attackers to compromise the affected service. |
VULNEREBILITY |
|
| 1.3.25 | CVE-2024-53197 | (CVSS score: N/A) - An out-of-bounds access vulnerability for Extigy and Mbox devices |
VULNEREBILITY |
|
| 1.3.25 | CVE-2024-50302 | (CVSS score: 5.5) - A use of an uninitialized resource vulnerability that could be used to leak kernel memory |
VULNEREBILITY |
|
| 26.2.25 | CVE-2023-34192 | (CVSS score: 9.0) - A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40) |
VULNEREBILITY |
|
| 26.2.25 | CVE-2024-49035 | (CVSS score: 8.7) - An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024) |
VULNEREBILITY |
|
| 22.2.25 | CVE-2025-26465 | (CVSS score: 6.8) - The OpenSSH client contains a logic error between versions 6.8p1 to 9.9p1 (inclusive) that makes it vulnerable to an active MitM attack if the VerifyHostKeyDNS option is enabled, allowing a malicious interloper to impersonate a legitimate server when a client attempts to connect to it (Introduced in December 2014) | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | CVE-2025-26465 | (CVSS score: 5.9) - The OpenSSH client and server are vulnerable to a pre-authentication DoS attack between versions 9.5p1 to 9.9p1 (inclusive) that causes memory and CPU consumption (Introduced in August 2023) | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | CVE-2025-0108 | (CVSS score: 7.8) - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS management web interface that allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | CVE-2024-53704 | (CVSS score: 8.2) - An improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | CVE-2018-0171 | A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | CVE-2024-24919 | Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. | VULNEREBILITY | VULNEREBILITY |
| 22.2.25 | CVE-2025-23209 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. | VULNEREBILITY | VULNEREBILITY |
| 20.2.25 | CVE-2024-12284 | Authenticated privilege escalation in NetScaler Console and NetScaler Agent allows. | VULNEREBILITY | VULNEREBILITY |
| 20.2.25 | CVE-2025-21355 | (CVSS score: 8.6) - Microsoft Bing Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 20.2.25 | CVE-2025-24989 | (CVSS score: 8.2) - Microsoft Power Pages Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 18.2.25 | CVE-2025-21589 | CVE-2025-21589 | VULNEREBILITY | VULNEREBILITY |
| 18.2.25 | CVE-2024-12510 | (CVSS score: 6.7) - Pass-back attack via LDAP | VULNEREBILITY | VULNEREBILITY |
| 18.2.25 | CVE-2024-12511 | (CVSS score: 7.6) - Pass-back attack via user's address book | VULNEREBILITY | VULNEREBILITY |
| 15.2.25 | CVE-2025-1094 | Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. | VULNEREBILITY | VULNEREBILITY |
| 15.2.25 | CVE-2025-0108 | CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-23359 | NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-21391 | (CVSS score: 7.1) - Windows Storage Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-21418 | (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-38657 | (CVSS score: 9.1) - External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-22467 | (CVSS score: 9.9) - A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-10644 | (CVSS score: 9.1) - Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-47908 | (CVSS score: 9.1) - Operating system command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote code execution | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-56131 | (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-56132 | (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-56133 | (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-56135 | (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-56134 | (CVSS score: 8.4) - An improper input validation vulnerability that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to download the content of any file on the system via a carefully crafted HTTP request | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-24200 | An authorization issue was addressed with improved state management. This issue is fixed in iPadOS 17.7.5, iOS 18.3.1 and iPadOS 18.3.1. A physical attack may disable USB Restricted Mode on a locked device. | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-25064 | SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2024-57968 | (CVSS score: 9.9) - An unrestricted upload of files with a dangerous type vulnerability that allows remote authenticated users to upload files to unintended folders (Fixed in VeraCore version 2024.4.2.1) | VULNEREBILITY | VULNEREBILITY |
| 10.2.25 | CVE-2025-25181 | (CVSS score: 5.8) - An SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands (No patch available) | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | Trimble Cityworks | Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server. | VULNEREBILITY | ICS |
| 5.2.25 | CVE-2025-20124 | (CVSS score: 9.9) - An insecure Java deserialization vulnerability in an API of Cisco ISE that could permit an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-20125 | (CVSS score: 9.1) - An authorization bypass vulnerability in an API of Cisco ISE could could permit an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-23114 | A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-0411 | 7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2024-45195 | (CVSS score: 7.5/9.8) - A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized access and execute arbitrary code on the server (Fixed in September 2024) | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2024-29059 | (CVSS score: 7.5) - An information disclosure vulnerability in Microsoft .NET Framework that could expose the ObjRef URI and lead to remote code execution (Fixed in March 2024) | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2018-9276 | (CVSS score: 7.2) - An operating system command injection vulnerability in Paessler PRTG Network Monitor that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console (Fixed in April 2018) | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2018-19410 | (CVSS score: 9.8) - A local file inclusion vulnerability in Paessler PRTG Network Monitor that allows a remote, unauthenticated attacker to create users with read-write privileges (Fixed in April 2018) | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2024-56161 | Loss of the SEV-based protection of a confidential guest. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-21396 | (CVSS score: 7.5) - Microsoft Account Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-21415 | (CVSS score: 9.9) - Azure AI Face Service Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2024-53104 | (CVSS score: 7.8), which has been described as a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-0626 | Contec Health CMS8000 Patient Monitor sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so. This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2024-12248 | (CVSS v4 score: 9.3) - An out-of-bounds write vulnerability that could allow an attacker to send specially formatted UDP requests in order to write arbitrary data, resulting in remote code execution | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-0683 | (CVSS v4 score: 8.2) - A privacy leakage vulnerability that causes plain-text patient data to be transmitted to a hard-coded public IP address when the patient is attached to the monitor | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-0626 | Contec Health CMS8000 Patient Monitor sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so. This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device. | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2024-12248 | (CVSS v4 score: 9.3) - An out-of-bounds write vulnerability that could allow an attacker to send specially formatted UDP requests in order to write arbitrary data, resulting in remote code execution | VULNEREBILITY | VULNEREBILITY |
| 5.2.25 | CVE-2025-0683 | (CVSS v4 score: 8.2) - A privacy leakage vulnerability that causes plain-text patient data to be transmitted to a hard-coded public IP address when the patient is attached to the monitor | VULNEREBILITY | VULNEREBILITY |
| 28.1.25 | CVE-2024-50050 | Llama Stack prior to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 used pickle as a serialization format for socket communication, potentially allowing for remote code execution. Socket communication has been changed to use JSON instead. | VULNEREBILITY | VULNEREBILITY |
| 28.1.25 | CVE-2025-22218 | (CVSS score: 8.5) - A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs | VULNEREBILITY | VULNEREBILITY |
| 28.1.25 | CVE-2025-22219 | (CVSS score: 6.8) - A malicious actor with non-administrative privileges may be able to inject a malicious script that may lead to arbitrary operations as admin user via a stored cross-site scripting (XSS) attack | VULNEREBILITY | VULNEREBILITY |
| 28.1.25 | CVE-2025-22220 | (CVSS score: 4.3) - A malicious actor with non-administrative privileges and network access to Aria Operations for Logs API may be able to perform certain operations in the context of an admin user | VULNEREBILITY | VULNEREBILITY |
| 28.1.25 | CVE-2025-22221 | (CVSS score: 5.2) - A malicious actor with admin privileges to VMware Aria Operations for Logs may be able to inject a malicious script that could be executed in a victim's browser when performing a delete action in the Agent Configuration | VULNEREBILITY | VULNEREBILITY |
| 28.1.25 | CVE-2025-22222 | (CVSS score: 7.7) - A malicious user with non-administrative privileges may exploit this vulnerability to retrieve credentials for an outbound plugin if a valid service credential ID is known | VULNEREBILITY | VULNEREBILITY |
| 28.1.25 | Noma Research discovers RCE vulnerability in AI | Noma Research discovers RCE vulnerability in AI-development platform, Lightning AI | VULNEREBILITY | AI |
| 28.1.25 | CVE-2024-55417 | An arbitrary file write vulnerability in the "/admin/media/upload" endpoint | VULNEREBILITY | VULNEREBILITY |
| 28.1.25 | CVE-2024-55416 | A reflected cross-site scripting (XSS) vulnerability in the "/admin/compass" endpoint | VULNEREBILITY | VULNEREBILITY |
| 28.1.25 | CVE-2024-55415 | An arbitrary file leak and deletion vulnerability | VULNEREBILITY | VULNEREBILITY |
| 28.1.25 | CVE-2024-41710 | (CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor to execute arbitrary commands within the context of the phone. | VULNEREBILITY | VULNEREBILITY |
| 27.1.25 | CVE-2025-23040 | (CVSS score: 6.6) - Maliciously crafted remote URLs could lead to credential leaks in GitHub Desktop | VULNEREBILITY | VULNEREBILITY |
| 27.1.25 | CVE-2024-50338 | (CVSS score: 7.4) - Carriage-return character in remote URL allows the malicious repository to leak credentials in Git Credential Manager | VULNEREBILITY | VULNEREBILITY |
| 27.1.25 | CVE-2024-53263 | (CVSS score: 8.5) - Git LFS permits retrieval of credentials via crafted HTTP URLs | VULNEREBILITY | VULNEREBILITY |
| 27.1.25 | CVE-2024-53858 | (CVSS score: 6.5) - Recursive repository cloning in GitHub CLI can leak authentication tokens to non-GitHub submodule hosts | VULNEREBILITY | VULNEREBILITY |
| 25.1.25 | CVE-2025-22604 | Cacti is an open source performance and fault management framework. Due to a flaw in multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response. | VULNEREBILITY | VULNEREBILITY |
| 25.1.25 | CVE-2024-40891 | Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024-40891) | VULNEREBILITY | VULNEREBILITY |
| 25.1.25 | CVE-2024-40890 | (CVSS score: 8.8) - A post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request | VULNEREBILITY | VULNEREBILITY |
| 25.1.25 | CVE-2024-40891 | (CVSS score: 8.8) - A post-authentication command injection vulnerability in the management commands component that could allow an authenticated attacker to execute OS commands on an affected device via Telnet | VULNEREBILITY | VULNEREBILITY |
| 25.1.25 | CVE-2025-0890 | (CVSS score: 9.8) - The use of insecure default credentials for the Telnet function that could allow an attacker to log in to the management interface | VULNEREBILITY | VULNEREBILITY |
| 25.1.25 | CVE-2025-24085 | A use after free issue was addressed with improved memory management. This issue is fixed in visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2. | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2024-7344 | Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344 | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | NTLMv1 | If you think you blocked NTLMv1 in your org, think again | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | SAP Security Patch Day – January 2025 | This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape. | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | Rsync contains six vulnerabilities | Rsync, a versatile file-synchronizing tool, contains six vulnerabilities present within versions 3.3.0 and below. | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2025-21311 | (CVSS score: 9.8) - Windows NTLM V1 Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2025-21307 | (CVSS score: 9.8) - Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2025-21298 | (CVSS score: 9.8) - Windows Object Linking and Embedding (OLE) Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2025-21295 | (CVSS score: 8.1) - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2025-21294 | (CVSS score: 8.1) - Microsoft Digest Authentication Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2025-21308 | Windows Themes Spoofing Vulnerability | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2025-21275 | Windows App Package Installer Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2025-21395 | Microsoft Access Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2025-21366 | Microsoft Access Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2025-21186 | Microsoft Access Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2024-57726 | A privilege escalation vulnerability that allows an attacker who gains access as a low-privilege technician to elevate their privileges to an admin by taking advantage of missing backend authorization checks | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2024-57728 | An arbitrary file upload vulnerability that allows an attacker with SimpleHelpAdmin privileges (or as a technician with admin privileges) to upload arbitrary files anywhere on the SimpleServer host, potentially leading to remote code execution | VULNEREBILITY | VULNEREBILITY |
|
16.1.25 | CVE-2024-57727 | An unauthenticated path traversal vulnerability that allows an attacker to download arbitrary files from the SimpleHelp server, including the serverconfig.xml file that contains hashed passwords for the SimpleHelpAdmin account and other local technician accounts | VULNEREBILITY | VULNEREBILITY |
|
14.1.25 | Millions of Accounts Vulnerable due to Google’s OAuth Flaw | Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable. | VULNEREBILITY | VULNEREBILITY |
|
14.1.25 | CVE-2024-55591 | An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module. | VULNEREBILITY | VULNEREBILITY |
|
14.1.25 | CVE-2024-44243 | A configuration issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.2. An app may be able to modify protected parts of the file system. | VULNEREBILITY | VULNEREBILITY |
|
14.1.25 | CVE-2024-12686 | A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user. | VULNEREBILITY | VULNEREBILITY |
|
14.1.25 | CVE-2024-50603 | An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. | VULNEREBILITY | VULNEREBILITY |
|
10.1.25 | (CVSS score: 2.3) - An operating system (OS) command injection vulnerability that enables an authenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software | VULNEREBILITY | VULNEREBILITY | |
|
10.1.25 | (CVSS score: 2.7) - A wildcard expansion vulnerability that allows an unauthenticated attacker to enumerate files on the host file system | VULNEREBILITY | VULNEREBILITY | |
|
10.1.25 | (CVSS score: 2.7) - An arbitrary file deletion vulnerability that enables an unauthenticated attacker to delete arbitrary files accessible to the www-data user on the host file system | VULNEREBILITY | VULNEREBILITY | |
|
10.1.25 | (CVSS score: 4.7) - A reflected cross-site scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript code in the context of an authenticated user's browser if that authenticated user clicks a malicious link that allows phishing attacks and could lead to browser-session theft | VULNEREBILITY | VULNEREBILITY | |
|
10.1.25 | CVE-2025-0103 | (CVSS score: 7.8) - An SQL injection vulnerability that enables an authenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys, as well as create and read arbitrary files | VULNEREBILITY | VULNEREBILITY |
|
10.1.25 | CVE-2024-49415 | Out-of-bound write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code. | VULNEREBILITY | VULNEREBILITY |
|
10.1.25 | CVE-2024-52875 | refers to a carriage return line feed (CRLF) injection attack, paving the way for HTTP response splitting, which could then lead to a cross-site scripting (XSS) flaw. | VULNEREBILITY | VULNEREBILITY |
|
10.1.25 | CVE-2025-0283 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges. | VULNEREBILITY | VULNEREBILITY |
|
10.1.25 | CVE-2025-0282 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. | VULNEREBILITY | VULNEREBILITY |
|
10.1.25 | DNA Sequencer's Vulnerable BIOS | Genetic Engineering Meets Reverse Engineering: DNA Sequencer's Vulnerable BIOS | VULNEREBILITY | VULNEREBILITY |
|
10.1.25 | CVE-2024-41713 | (CVSS score: 9.1) - A path traversal vulnerability in Mitel MiCollab that could allow an attacker to gain unauthorized and unauthenticated access | VULNEREBILITY | VULNEREBILITY |
|
10.1.25 | CVE-2024-55550 | (CVSS score: 4.4) - A path traversal vulnerability in Mitel MiCollab that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization | VULNEREBILITY | VULNEREBILITY |
|
10.1.25 | CVE-2020-2883 | (CVSS score: 9.8) - A security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3 | VULNEREBILITY | VULNEREBILITY |
|
2.1.25 | Microsoft 365 Vulnerability | Discovery to Resolution: A Critical Microsoft 365 Vulnerability | VULNEREBILITY | VULNEREBILITY |