Total
29787 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-50333 | 1 Mattermost | 1 Mattermost Server | 2025-06-17 | 3.7 Low |
| Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names. | ||||
| CVE-2024-25677 | 1 Minbrowser | 1 Min | 2025-06-16 | 8.8 High |
| In Min before 1.31.0, local files are not correctly treated as unique security origins, which allows them to improperly request cross-origin resources. For example, a local file may request other local files through an XML document. | ||||
| CVE-2023-51065 | 1 Qstar | 1 Archive Storage Manager | 2025-06-16 | 7.5 High |
| Incorrect access control in QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 allows unauthenticated attackers to obtain system backups and other sensitive information from the QStar Server. | ||||
| CVE-2024-44106 | 1 Ivanti | 2 Automation, Workspace Control | 2025-06-12 | 8.8 High |
| Insufficient server-side controls in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges. | ||||
| CVE-2023-20261 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2025-06-12 | 6.5 Medium |
| A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to retrieve arbitrary files from an affected system. This vulnerability is due to improper validation of parameters that are sent to the web UI. An attacker could exploit this vulnerability by logging in to Cisco Catalyst SD-WAN Manager and issuing crafted requests using the web UI. A successful exploit could allow the attacker to obtain arbitrary files from the underlying Linux file system of an affected system. To exploit this vulnerability, the attacker must be an authenticated user. | ||||
| CVE-2022-26461 | 2 Google, Mediatek | 15 Android, Mt6833, Mt6853 and 12 more | 2025-06-12 | 6.7 Medium |
| In vow, there is a possible undefined behavior due to an API misuse. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07032604; Issue ID: ALPS07032604. | ||||
| CVE-2023-47132 | 1 N-able | 1 N-central | 2025-06-11 | 9.8 Critical |
| An issue discovered in N-able N-central before 2023.6 and earlier allows attackers to gain escalated privileges via API calls. | ||||
| CVE-2021-24566 | 1 Pluginus | 1 Fox - Currency Switcher Professional For Woocommerce | 2025-06-11 | 8.8 High |
| The WooCommerce Currency Switcher FOX WordPress plugin before 1.3.7 was vulnerable to LFI attacks via the "woocs" shortcode. | ||||
| CVE-2023-43609 | 1 Emerson | 6 Gc1500xa, Gc1500xa Firmware, Gc370xa and 3 more | 2025-06-10 | 6.9 Medium |
| In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition. | ||||
| CVE-2025-31134 | 1 Freshrss | 1 Freshrss | 2025-06-10 | 7.5 High |
| FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue. | ||||
| CVE-2013-6954 | 2 Libpng, Redhat | 4 Libpng, Network Satellite, Rhel Extras and 1 more | 2025-06-10 | 6.5 Medium |
| The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c. | ||||
| CVE-2023-48239 | 1 Nextcloud | 1 Nextcloud Server | 2025-06-10 | 8.5 High |
| Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Enterprise Server, a malicious user could update any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud Server 25.0.13, 26.0.8, and 27.1.3 and Nextcloud Enterprise Server is upgraded to 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 contain a patch for this issue. As a workaround, disable app files_external. This workaround also makes the external storage inaccessible but retains the configurations until a patched version has been deployed. | ||||
| CVE-2023-5815 | 1 Infornweb | 2 News \& Blog Designer Pack, News \& Blog Designer Pack Wordpress Blog Plugin | 2025-06-10 | 8.1 High |
| The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdp_get_more_post function hooked via a nopriv AJAX. This is due to function utilizing an unsafe extract() method to extract values from the POST variable and passing that input to the include() function. This makes it possible for unauthenticated attackers to include arbitrary PHP files and achieve remote code execution. On vulnerable Docker configurations it may be possible for an attacker to create a PHP file and then subsequently include it to achieve RCE. | ||||
| CVE-2023-50082 | 1 Pbootcms | 1 Pbootcms | 2025-06-09 | 7.5 High |
| Aoyun Technology pbootcms V3.1.2 is vulnerable to Incorrect Access Control, allows remote attackers to gain sensitive information via session leakage allows a user to avoid logging into the backend management platform. | ||||
| CVE-2025-47540 | 1 Wedevs | 1 Wemail | 2025-06-09 | 5.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail allows Retrieve Embedded Sensitive Data. This issue affects weMail: from n/a through 1.14.13. | ||||
| CVE-2016-3189 | 2 Bzip, Python | 2 Bzip2, Python | 2025-06-09 | 6.5 Medium |
| Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block. | ||||
| CVE-2024-0212 | 1 Cloudflare | 1 Cloudflare | 2025-06-06 | 8.1 High |
| The Cloudflare Wordpress plugin was found to be vulnerable to improper authentication. The vulnerability enables attackers with a lower privileged account to access data from the Cloudflare API. | ||||
| CVE-2020-8929 | 1 Google | 1 Tink Java | 2025-06-05 | 5.3 Medium |
| A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext. | ||||
| CVE-2023-44289 | 1 Dell | 1 Command\|configure | 2025-06-05 | 7.3 High |
| Dell Command | Configure versions prior to 4.11.0, contain an improper access control vulnerability. A local malicious standard user could potentially exploit this vulnerability while repairing/changing installation, leading to privilege escalation. | ||||
| CVE-2025-49002 | 1 Dataease | 1 Dataease | 2025-06-05 | 9.8 Critical |
| DataEase is an open source business intelligence and data visualization tool. Versions prior to version 2.10.10 have a flaw in the patch for CVE-2025-32966 that allow the patch to be bypassed through case insensitivity because INIT and RUNSCRIPT are prohibited. The vulnerability has been fixed in v2.10.10. No known workarounds are available. | ||||