Total
87 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-30257 | 1 Technitium | 1 Dns Server | 2025-04-30 | 9.8 Critical |
| An issue was discovered in Technitium DNS Server through 8.0.2 that allows variant V1 of unintended domain name resolution. A revoked domain name can still be resolvable for a long time, including expired domains and taken-down malicious domains. The effects of an exploit would be widespread and highly impactful, because the exploitation conforms to de facto DNS specifications and operational practices, and overcomes current mitigation patches for "Ghost" domain names. | ||||
| CVE-2022-31089 | 1 Parseplatform | 1 Parse-server | 2025-04-23 | 7.5 High |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid files requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as single instance without redundancy, the availability impact may be high. This issue has been addressed in versions 4.10.12 and 5.2.3. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2022-41874 | 1 Tauri | 1 Tauri | 2025-04-23 | 2.6 Low |
| Tauri is a framework for building binaries for all major desktop platforms. In versions prior to 1.0.7 and 1.1.2, Tauri is vulnerable to an Incorrectly-Resolved Name. Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it is possible to partially bypass the `fs` scope definition. It is not possible to traverse into arbitrary paths, as the issue is limited to neighboring files and sub folders of already allowed paths. The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters. This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime. A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. The issue has been patched in versions 1.0.7, 1.1.2 and 1.2.0. As a workaround, disable the dialog and fileDropEnabled component inside the tauri.conf.json. | ||||
| CVE-2024-55058 | 1 Phpgurukul | 1 Online Birth Certificate System | 2025-03-27 | 4.3 Medium |
| An insecure direct object reference (IDOR) vulnerability was discovered in PHPGurukul Online Birth Certificate System v1.0. This vulnerability resides in the viewid parameter of /user/view-application-detail.php. Authenticated users can exploit this flaw by manipulating the viewid parameter in the URL to access sensitive birth certificate details of other users without proper authorization checks. | ||||
| CVE-2021-37315 | 1 Asus | 2 Rt-ac68u, Rt-ac68u Firmware | 2025-03-26 | 9.1 Critical |
| Incorrect Access Control issue discoverd in Cloud Disk in ASUS RT-AC68U router firmware version before 3.0.0.4.386.41634 allows remote attackers to write arbitrary files via improper sanitation on the source for COPY and MOVE operations. | ||||
| CVE-2025-29914 | 2025-03-20 | 5.4 Medium | ||
| OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Prior to 3.3.3, if a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUEST_FILENAME will be set to /uploads/foo.php. This can lead to a rules bypass. This vulnerability is fixed in 3.3.3. | ||||
| CVE-2024-53739 | 1 Coolplugins | 1 Cryptocurrency Widgets For Elementor | 2025-03-19 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Cool Plugins Cryptocurrency Widgets For Elementor allows PHP Local File Inclusion.This issue affects Cryptocurrency Widgets For Elementor: from n/a through 1.6.4. | ||||
| CVE-2022-29445 | 1 Wow-estore | 1 Popup Box | 2025-02-20 | 6.8 Medium |
| Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Popup Box plugin <= 2.1.2 at WordPress. | ||||
| CVE-2022-29448 | 1 Wow-estore | 1 Herd Effects | 2025-02-20 | 6.8 Medium |
| Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Herd Effects plugin <= 5.2 at WordPress. | ||||
| CVE-2023-28628 | 1 Lambdaisland | 1 Uri | 2025-02-19 | 5.4 Medium |
| lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2021-24122 | 4 Apache, Debian, Oracle and 1 more | 6 Tomcat, Debian Linux, Agile Plm and 3 more | 2025-02-13 | 5.9 Medium |
| When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. | ||||
| CVE-2023-28643 | 1 Nextcloud | 1 Nextcloud Server | 2025-02-11 | 5.5 Medium |
| Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name to the same user. | ||||
| CVE-2024-57785 | 2025-02-04 | 4.9 Medium | ||
| Zenitel AlphaWeb XE v11.2.3.10 was discovered to contain a local file inclusion vulnerability via the component amc_uploads.php. | ||||
| CVE-2023-31814 | 1 Dlink | 2 Dir-300, Dir-300 Firmware | 2025-01-17 | 9.8 Critical |
| D-Link DIR-300 firmware <=REVA1.06 and <=REVB2.06 is vulnerable to File inclusion via /model/__lang_msg.php. | ||||
| CVE-2023-34092 | 1 Vitejs | 1 Vite | 2025-01-08 | 7.5 High |
| Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in [email protected], [email protected], [email protected], [email protected], [email protected], and [email protected]. | ||||
| CVE-2024-27295 | 1 Monospace | 1 Directus | 2025-01-03 | 8.2 High |
| Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a one or more characters changed to use accents. This is due to the fact that by default MySQL/MariaDB are configured for accent-insensitive and case-insensitive comparisons. This vulnerability is fixed in version 10.8.3. | ||||
| CVE-2023-27561 | 3 Debian, Linuxfoundation, Redhat | 5 Debian Linux, Runc, Enterprise Linux and 2 more | 2024-12-06 | 7 High |
| runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. | ||||
| CVE-2018-0237 | 1 Cisco | 1 Advanced Malware Protection For Endpoints | 2024-11-29 | 5.8 Medium |
| A vulnerability in the file type detection mechanism of the Cisco Advanced Malware Protection (AMP) for Endpoints macOS Connector could allow an unauthenticated, remote attacker to bypass malware detection. The vulnerability occurs because the software relies on only the file extension for detecting DMG files. An attacker could exploit this vulnerability by sending a DMG file with a nonstandard extension to a device that is running an affected AMP for Endpoints macOS Connector. An exploit could allow the attacker to bypass configured malware detection. Cisco Bug IDs: CSCve34034. | ||||
| CVE-2024-4887 | 1 Qodeinteractive | 1 Qi Addons For Elementor | 2024-11-21 | 7.5 High |
| The Qi Addons For Elementor plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, resulting in code execution. Please note that this requires an attacker to create a non-existent directory or target an instance where file_exists won't return false with a non-existent directory in the path, in order to successfully exploit. | ||||
| CVE-2024-37150 | 1 Deno | 1 Deno | 2024-11-21 | 7.6 High |
| An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials. | ||||