Total
5382 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10274 | 2 10oa, Erjinzhi | 2 10oa, 10oa | 2025-10-02 | 4.3 Medium |
| A security flaw has been discovered in erjinzhi 10OA 1.0. Affected by this issue is some unknown functionality of the file /trial/mvc/item. Performing manipulation of the argument Name results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59952 | 1 Minio | 1 Minio | 2025-10-02 | 7.5 High |
| MinIO Java SDK is a Simple Storage Service (aka S3) client to perform bucket and object operations to any Amazon S3 compatible object storage service. In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This unintended behavior could lead to the exposure of sensitive information, including credentials, file paths, or system configuration details, if such references were present in XML content from untrusted sources. This is fixed in version 8.6.0. | ||||
| CVE-2025-56588 | 1 Dolibarr | 2 Dolibarr, Dolibarr Erp/crm | 2025-10-02 | 8.8 High |
| Dolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter. | ||||
| CVE-2025-61588 | 1 Risc Zero Project | 1 Risc Zero | 2025-10-02 | N/A |
| RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. In versions 2.0.2 and below of risc0-zkvm-platform, when the zkVM guest calls sys_read, the host is able to use a crafted response to write to an arbitrary memory location in the guest. This capability can be leveraged to execute arbitrary code within the guest. As sys_read is the mechanism by which input is requested by the guest, all guest programs built with the affected versions are vulnerable. This critically compromises the soundness guarantees of the guest program. Other affected packages include risc0-aggregation versions below 0.9, risc0-zkos-v1compat below 2.1.0, risc0-zkvm versions between 3.0.0-rc.1 and 3.0.1. This issue has been fixed in the following versions: risc0-zkvm-platform 2.1.0, risc0-zkos-v1compat 2.1.0, risc0-aggregation 0.9, and risc0-zkvm 2.3.2 and 3.0.3. | ||||
| CVE-2025-26260 | 1 Plenti | 1 Plenti | 2025-10-02 | 8.8 High |
| Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host, and cause code execution. | ||||
| CVE-2025-2974 | 1 Perfexcrm | 1 Perfex Crm | 2025-10-02 | 3.5 Low |
| A vulnerability has been found in CodeCanyon Perfex CRM up to 3.2.1 and classified as problematic. This vulnerability affects unknown code of the file /contract of the component Contracts. The manipulation of the argument content leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-3219 | 1 Perfexcrm | 1 Perfex Crm | 2025-10-02 | 3.5 Low |
| A vulnerability was found in CodeCanyon Perfex CRM 3.2.1. It has been classified as problematic. Affected is an unknown function of the file /perfex/clients/project/2 of the component Project Discussions Module. The manipulation of the argument description leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-59251 | 1 Microsoft | 1 Edge Chromium | 2025-10-02 | 7.6 High |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | ||||
| CVE-2024-51941 | 1 Apache | 1 Ambari | 2025-10-02 | 8.8 High |
| A remote code injection vulnerability exists in the Ambari Metrics and AMS Alerts feature, allowing authenticated users to inject and execute arbitrary code. The vulnerability occurs when processing alert definitions, where malicious input can be injected into the alert script execution path. An attacker with authenticated access can exploit this vulnerability to execute arbitrary commands on the server. The issue has been fixed in the latest versions of Ambari. | ||||
| CVE-2025-23307 | 1 Nvidia | 2 Nemo, Nemo Curator | 2025-10-01 | 7.8 High |
| NVIDIA NeMo Curator for all platforms contains a vulnerability where a malicious file created by an attacker could allow code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2025-23265 | 1 Nvidia | 1 Megatron-lm | 2025-10-01 | 7.8 High |
| NVIDIA Megatron-LM for all platforms contains a vulnerability in a python component where an attacker may cause a code injection issue by providing a malicious file. A successful exploit of this vulnerability may lead to Code Execution, Escalation of Privileges, Information Disclosure and Data Tampering. | ||||
| CVE-2025-23264 | 1 Nvidia | 1 Megatron-lm | 2025-10-01 | 7.8 High |
| NVIDIA Megatron-LM for all platforms contains a vulnerability in a python component where an attacker may cause a code injection issue by providing a malicious file. A successful exploit of this vulnerability may lead to Code Execution, Escalation of Privileges, Information Disclosure and Data Tampering. | ||||
| CVE-2024-44758 | 2 Erp, Nuserp | 2 Management Software, Nus-m9 Erp | 2025-10-01 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files. | ||||
| CVE-2024-44757 | 2 Erp, Nuserp | 2 Management Software, Nus-m9 Erp | 2025-10-01 | 7.5 High |
| An arbitrary file download vulnerability in the component /Basics/DownloadInpFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive information via a crafted interface request. | ||||
| CVE-2025-5713 | 1 Isolucoesweb | 1 Solucoescoop | 2025-10-01 | 3.5 Low |
| A vulnerability was found in SoluçõesCoop iSoluçõesWEB up to 20250519 and classified as problematic. Affected by this issue is some unknown functionality of the file /fluxos-dashboard of the component Flow Handler. The manipulation of the argument Descrição da solicitação leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
| CVE-2025-7053 | 2 Agentejo, Cockpit-hq | 2 Cockpit, Cockpit | 2025-10-01 | 3.5 Low |
| A vulnerability was found in Cockpit up to 2.11.3. It has been rated as problematic. This issue affects some unknown processing of the file /system/users/save. The manipulation of the argument name/email leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.11.4 is able to address this issue. The patch is named bdcd5e3bc651c0839c7eea807f3eb6af856dbc76. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure and acted very professional. A patch and new release was made available very quickly. | ||||
| CVE-2024-9050 | 1 Redhat | 6 Enterprise Linux, Rhel Aus, Rhel E4s and 3 more | 2025-10-01 | 7.8 High |
| A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration. | ||||
| CVE-2024-1297 | 1 Loomio | 1 Loomio | 2025-09-30 | 10 Critical |
| Loomio version 2.22.0 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to OS Command Injection. | ||||
| CVE-2024-13080 | 1 Phpgurukul | 1 Land Record System | 2025-09-30 | 3.5 Low |
| A vulnerability was found in PHPGurukul Land Record System 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/aboutus.php. The manipulation of the argument Page Description leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-11078 | 2 Anisha, Code-projects | 2 Job Recruitment, Job Recruitment | 2025-09-30 | 3.5 Low |
| A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /register.php. The manipulation of the argument e/role leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||