Total
341 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-34715 | 1 Ethyca | 1 Fides | 2025-09-27 | 2.3 Low |
| Fides is an open-source privacy engineering platform. The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the webserver for this database connection includes special characters such as `@` and `$`, webserver startup fails and the part of the password following the special character is exposed in webserver error logs. This is caused by improper escaping of the SQLAlchemy password string. As a result users are subject to a partial exposure of hosted database password in webserver logs. The vulnerability has been patched in Fides version `2.37.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-48062 | 1 Discourse | 1 Discourse | 2025-09-26 | 7.1 High |
| Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. This can be worked around if the relevant templates are overridden without `{topic_title}`. | ||||
| CVE-2025-48007 | 1 Hallowelt | 1 Bluespice | 2025-09-22 | 6.4 Medium |
| Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceAvatars) allows Cross-Site Scripting (XSS). This issue affects BlueSpice: from 5 through 5.1.1. | ||||
| CVE-2025-46703 | 1 Hallowelt | 1 Bluespice | 2025-09-22 | 6.4 Medium |
| Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:AtMentions) allows Cross-Site Scripting (XSS). This issue affects BlueSpice: from 5 through 5.1.1. | ||||
| CVE-2025-57880 | 1 Hallowelt | 1 Bluespice | 2025-09-22 | 5.4 Medium |
| Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceWhoIsOnline) allows Cross-Site Scripting (XSS). This issue affects BlueSpice: from 5 through 5.1.1. | ||||
| CVE-2025-24025 | 1 Coollabs | 1 Coolify | 2025-09-19 | 6.1 Medium |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.380, the tags page allows users to search for tags. If the search does not return any results, the query gets reflected on the error modal, which leads to cross-site scripting. Version 4.0.0-beta.380 fixes the issue. | ||||
| CVE-2025-56266 | 1 Avigilon | 1 Access Control Manager | 2025-09-12 | 9.8 Critical |
| A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL. | ||||
| CVE-2025-55730 | 1 Xwikisas | 1 Xwiki-pro-macros | 2025-09-11 | 10 Critical |
| XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the title in the confluence paste code macro allows remote code execution for any user who can edit any page. The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue. | ||||
| CVE-2025-55729 | 1 Xwikisas | 1 Xwiki-pro-macros | 2025-09-11 | 10 Critical |
| XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can edit any page The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue. | ||||
| CVE-2025-23207 | 2 Katex, Redhat | 2 Katex, Openshift Devspaces | 2025-09-08 | 6.3 Medium |
| KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands, forbid inputs containing the substring `"\\htmlData"` and sanitize HTML output from KaTeX. | ||||
| CVE-2025-46340 | 1 Misskey | 1 Misskey | 2025-09-03 | 7.2 High |
| Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in `UrlPreviewService` and `MkUrlPreview`, it is possible for an attacker to inject arbitrary CSS into the `MkUrlPreview` component. `UrlPreviewService.wrap` falls back to returning the original URL if it's using a protocol that is likely to not be understood by Misskey, IE something other than `http` or `https`. This both can de-anonymize users and_allow further attacks in the client. Additionally, `MkUrlPreview` doesn't escape CSS when applying a `background-image` property, allowing an attacker to craft a URL that applies arbitrary styles to the preview element. Theoretically, an attacker can craft a CSS injection payload to create a fake error message that can deceive the user into giving away their credentials or similar sensitive information. Version 2025.4.1 contains a patch for the issue. | ||||
| CVE-2025-0083 | 1 Google | 1 Android | 2025-09-02 | 4 Medium |
| In multiple locations, there is a possible way to access content across user profiles due to URI double encoding. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2024-28245 | 1 Katex | 1 Katex | 2025-09-02 | 6.3 Medium |
| KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\includegraphics` that runs arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX v0.16.10 to remove this vulnerability. | ||||
| CVE-2024-9427 | 2025-08-30 | 5.4 Medium | ||
| A vulnerability in Koji was found. An unsanitized input allows for an XSS attack. Javascript code from a malicious link could be reflected in the resulting web page. It is not expected to be able to submit an action or make a change in Koji due to existing XSS protections in the code | ||||
| CVE-2025-25029 | 1 Ibm | 1 Security Guardium | 2025-08-28 | 4.9 Medium |
| IBM Security Guardium 12.0 could allow a privileged user to download any file on the system due to improper escaping of input. | ||||
| CVE-2025-24338 | 2025-08-27 | 7.1 High | ||
| A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to execute arbitrary client-side code in the context of another user's browser via multiple crafted HTTP requests. | ||||
| CVE-2023-35894 | 1 Ibm | 2 Control Center, Sterling Control Center | 2025-08-17 | 5.4 Medium |
| IBM Control Center 6.2.1 through 6.3.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. | ||||
| CVE-2024-49355 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2025-08-15 | 5.3 Medium |
| IBM OpenPages with Watson 8.3 and 9.0 may write improperly neutralized data to server log files when the tracing is enabled per the System Tracing feature. | ||||
| CVE-2024-58266 | 1 Comex | 1 Shlex | 2025-08-07 | 3.2 Low |
| The shlex crate before 1.2.1 for Rust allows unquoted and unescaped instances of the { and \xa0 characters, which may facilitate command injection. | ||||
| CVE-2024-52891 | 1 Ibm | 1 Concert | 2025-07-18 | 5.4 Medium |
| IBM Concert Software 1.0.0, 1.0.1, 1.0.2, 1.0.2.1, and 1.0.3 could allow an authenticated user to inject malicious information or obtain information from log files due to improper log neutralization. | ||||