Total
12270 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-27731 | 2025-05-06 | 7.8 High | ||
| Improper input validation in OpenSSH for Windows allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-27489 | 2025-05-06 | 7.8 High | ||
| Improper input validation in Azure Local allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-26647 | 2025-05-06 | 8.8 High | ||
| Improper input validation in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2025-24058 | 2025-05-06 | 7.8 High | ||
| Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-24073 | 2025-05-06 | 7.8 High | ||
| Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-24074 | 2025-05-06 | 7.8 High | ||
| Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-29821 | 2025-05-06 | 5.5 Medium | ||
| Improper input validation in Dynamics Business Central allows an authorized attacker to disclose information locally. | ||||
| CVE-2018-6347 | 1 Proxygen Project | 1 Proxygen | 2025-05-06 | 7.5 High |
| An issue in the Proxygen handling of HTTP2 parsing of headers/trailers can lead to a denial-of-service attack. This affects Proxygen prior to v2018.12.31.00. | ||||
| CVE-2018-6343 | 1 Facebook | 1 Proxygen | 2025-05-06 | 7.5 High |
| Proxygen fails to validate that a secondary auth manager is set before dereferencing it. That can cause a denial of service issue when parsing a Certificate/CertificateRequest HTTP2 Frame over a fizz (TLS 1.3) transport. This issue affects Proxygen releases starting from v2018.10.29.00 until the fix in v2018.11.19.00. | ||||
| CVE-2022-22658 | 1 Apple | 1 Iphone Os | 2025-05-06 | 6.5 Medium |
| An input validation issue was addressed with improved input validation. This issue is fixed in iOS 16.0.3. Processing a maliciously crafted email message may lead to a denial-of-service. | ||||
| CVE-2018-6333 | 1 Facebook | 1 Nuclide | 2025-05-06 | 9.8 Critical |
| The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0. | ||||
| CVE-2024-21742 | 1 Apache | 1 James Mime4j | 2025-05-06 | 5.3 Medium |
| Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages. | ||||
| CVE-2023-52535 | 2 Google, Unisoc | 7 Android, Sc7731e, Sc9832e and 4 more | 2025-05-06 | 4.4 Medium |
| In vsp driver, there is a possible missing verification incorrect input. This could lead to local denial of service with no additional execution privileges needed | ||||
| CVE-2023-51747 | 1 Apache | 1 James | 2025-05-05 | 7.1 High |
| Apache James prior to versions 3.8.1 and 3.7.5 is vulnerable to SMTP smuggling. A lenient behaviour in line delimiter handling might create a difference of interpretation between the sender and the receiver which can be exploited by an attacker to forge an SMTP envelop, allowing for instance to bypass SPF checks. The patch implies enforcement of CRLF as a line delimiter as part of the DATA transaction. We recommend James users to upgrade to non vulnerable versions. | ||||
| CVE-2025-4260 | 2025-05-05 | 4.3 Medium | ||
| A vulnerability was found in zhangyanbo2007 youkefu up to 4.2.0 and classified as problematic. Affected by this issue is the function impsave of the file m\web\handler\admin\system\TemplateController.java. The manipulation of the argument dataFile leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-46340 | 2025-05-05 | 7.2 High | ||
| Misskey is an open source, federated social media platform. Starting in version 12.0.0 and prior to version 2025.4.1, due to an oversight in the validation performed in `UrlPreviewService` and `MkUrlPreview`, it is possible for an attacker to inject arbitrary CSS into the `MkUrlPreview` component. `UrlPreviewService.wrap` falls back to returning the original URL if it's using a protocol that is likely to not be understood by Misskey, IE something other than `http` or `https`. This both can de-anonymize users and_allow further attacks in the client. Additionally, `MkUrlPreview` doesn't escape CSS when applying a `background-image` property, allowing an attacker to craft a URL that applies arbitrary styles to the preview element. Theoretically, an attacker can craft a CSS injection payload to create a fake error message that can deceive the user into giving away their credentials or similar sensitive information. Version 2025.4.1 contains a patch for the issue. | ||||
| CVE-2022-47894 | 1 Apache | 1 Zeppelin | 2025-05-05 | 5.3 Medium |
| Improper Input Validation vulnerability in Apache Zeppelin SAP.This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-31862 | 1 Apache | 1 Zeppelin | 2025-05-05 | 5.3 Medium |
| Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue. | ||||
| CVE-2022-43562 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-05-05 | 3 Low |
| In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly validate and escape the Host header, which could let a remote authenticated user conduct various attacks against the system, including cross-site scripting and cache poisoning. | ||||
| CVE-2022-43563 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-05-05 | 8.1 High |
| In Splunk Enterprise versions below 8.2.9 and 8.1.12, the way that the rex search command handles field names lets an attacker bypass SPL safeguards for risky commands https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SPLsafeguards . The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The attacker cannot exploit the vulnerability at will. | ||||