Total
341 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-3942 | 4 Blackberry, Linux, Microsoft and 1 more | 5 Qnx, Linux Kernel, Windows and 2 more | 2025-06-04 | 4.3 Medium |
| Improper Output Neutralization for Logs vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. | ||||
| CVE-2024-45498 | 1 Apache | 1 Airflow | 2025-06-03 | 8.8 High |
| Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later. | ||||
| CVE-2023-7234 | 1 Integrationobjects | 1 Opc Ua Server Toolkit | 2025-06-02 | 5.3 Medium |
| OPCUAServerToolkit will write a log message once an OPC UA client has successfully connected containing the client's self-defined description field. | ||||
| CVE-2022-41322 | 2 Fedoraproject, Kitty Project | 2 Fedora, Kitty | 2025-06-01 | 7.8 High |
| In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, then click on a notification popup. | ||||
| CVE-2025-47280 | 1 Umbraco | 1 Umbraco Forms | 2025-05-22 | 6.1 Medium |
| Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can workaround this issue by using the `Send email with template (Razor)` workflow instead or writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability. | ||||
| CVE-2025-1308 | 2025-05-21 | N/A | ||
| A vulnerability exists in PX Backup whereby sensitive information may be logged under specific conditions. | ||||
| CVE-2025-32974 | 1 Xwiki | 1 Xwiki | 2025-05-13 | 9.1 Critical |
| XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0. | ||||
| CVE-2025-23377 | 1 Dell | 1 Powerprotect Data Manager | 2025-05-13 | 4.2 Medium |
| Dell PowerProtect Data Manager Reporting, version(s) 19.17, 19.18 contain(s) an Improper Encoding or Escaping of Output vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability to inject arbitrary web script or html in reporting outputs. | ||||
| CVE-2025-46347 | 1 Yeswiki | 1 Yeswiki | 2025-05-09 | 9.8 Critical |
| YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki vulnerable to remote code execution. An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server, resulting in a full compromise of the server. This could potentially be performed unwittingly by a user. This issue has been patched in version 4.5.4. | ||||
| CVE-2021-42010 | 1 Apache | 1 Heron | 2025-05-07 | 9.8 Critical |
| Heron versions <= 0.20.4-incubating allows CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating which addresses this issue. | ||||
| CVE-2024-31866 | 2 Apache, Apache Software Foundation | 2 Zeppelin, Apache Zeppelin | 2025-05-05 | 9.8 Critical |
| Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | ||||
| CVE-2022-25235 | 6 Debian, Fedoraproject, Libexpat Project and 3 more | 12 Debian Linux, Fedora, Libexpat and 9 more | 2025-05-05 | 9.8 Critical |
| xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. | ||||
| CVE-2022-23603 | 1 Itunesrpc-remastered Project | 1 Itunesrpc-remastered | 2025-05-05 | 9.9 Critical |
| iTunesRPC-Remastered is a discord rich presence application for use with iTunes & Apple Music. In code before commit 24f43aa user input is not properly sanitized and code injection is possible. Users are advised to upgrade as soon as is possible. There are no known workarounds for this issue. | ||||
| CVE-2023-28362 | 1 Redhat | 1 Satellite | 2025-05-02 | 4 Medium |
| The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. | ||||
| CVE-2022-0421 | 1 Fivestarplugins | 1 Five Star Restaurant Reservations | 2025-04-30 | 6.1 Medium |
| The Five Star Restaurant Reservations WordPress plugin before 2.4.12 does not have authorisation when changing whether a payment was successful or failed, allowing unauthenticated users to change the payment status of arbitrary bookings. Furthermore, due to the lack of sanitisation and escaping, attackers could perform Cross-Site Scripting attacks against a logged in admin viewing the failed payments | ||||
| CVE-2022-34316 | 1 Ibm | 1 Cics Tx | 2025-04-30 | 3.7 Low |
| IBM CICS TX 11.1 does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers. IBM X-Force ID: 229452. | ||||
| CVE-2022-40870 | 1 Parallels | 1 Remote Application Server | 2025-04-29 | 8.1 High |
| The Web Client of Parallels Remote Application Server v18.0 is vulnerable to Host Header Injection attacks. This vulnerability allows attackers to execute arbitrary commands via a crafted payload injected into the Host header. | ||||
| CVE-2022-23620 | 1 Xwiki | 1 Xwiki | 2025-04-23 | 6.8 Medium |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document references when serializing it on filesystem, it is possible to for the HTML export process to contain reference elements containing filesystem syntax like "../", "./". or "/" in general. The referenced elements are not properly escaped. This issue has been resolved in version 13.6-rc-1. This issue can be worked around by limiting or disabling document export. | ||||
| CVE-2022-29252 | 1 Xwiki | 1 Xwiki | 2025-04-23 | 7.4 High |
| XWiki Platform Wiki UI Main Wiki is a package for managing subwikis. Starting with version 5.3-milestone-2, XWiki Platform Wiki UI Main Wiki contains a possible cross-site scripting vector in the `WikiManager.JoinWiki ` wiki page related to the "requestJoin" field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `WikiManager.JoinWiki` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory. | ||||
| CVE-2022-29251 | 1 Xwiki | 1 Xwiki | 2025-04-23 | 7.4 High |
| XWiki Platform Flamingo Theme UI is a tool that allows customization and preview of any Flamingo-based skin. Starting with versions 6.2.4 and 6.3-rc-1, a possible cross-site scripting vector is present in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the "newThemeName" form field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `FlamingoThemesCode.WebHomeSheet` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory. | ||||