Total
11829 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-22233 | 2025-05-19 | N/A | 3.1 LOW | ||
|
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
* 6.2.0 - 6.2.6
* 6.1.0 - 6.1.19
* 6.0.0 - 6.0.27
* 5.3.0 - 5.3.42
* Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresp ...
Show More |
|||||
| CVE-2025-22235 | 2025-05-16 | N/A | 7.3 HIGH | ||
|
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
* You use Spring Security
* EndpointRequest.to() has been used in a Spring Security chain configuration
* The endpoint which EndpointRequest references is disabled or not exposed via web
* Your application handles requests to /null and this path needs ...
Show More |
|||||
| CVE-2025-21094 | 2025-05-16 | N/A | 7.5 HIGH | ||
|
Improper input validation in the UEFI firmware DXE module for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2025-24308 | 2025-05-16 | N/A | 7.5 HIGH | ||
|
Improper input validation in the UEFI firmware error handler for the Intel(R) Server D50DNP and M50FCP may allow a privileged user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2025-20034 | 2025-05-16 | N/A | 5.3 MEDIUM | ||
|
Improper input validation in the BackupBiosUpdate UEFI firmware SmiVariable driver for the Intel(R) Server D50DNP and M50FCP boards before version R01.02.0003 may allow a privileged user to potentially enable information disclosure via local access.
|
|||||
| CVE-2025-20009 | 2025-05-16 | N/A | 4.1 MEDIUM | ||
|
Improper input validation in the UEFI firmware GenerationSetup module for the Intel(R) Server D50DNP and M50FCP boards may allow a privileged user to potentially enable information disclosure via local access.
|
|||||
| CVE-2025-20031 | 2025-05-16 | N/A | 6.5 MEDIUM | ||
|
Improper input validation for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable denial of service via local access.
|
|||||
| CVE-2025-4701 | 2025-05-16 | 4.3 MEDIUM | 5.3 MEDIUM | ||
|
A vulnerability, which was classified as problematic, has been found in VITA-MLLM Freeze-Omni up to 20250421. This issue affects the function torch.load of the file models/utils.py. The manipulation of the argument path leads to deserialization. It is possible to launch the attack on the local host.
|
|||||
| CVE-2025-4762 | 2025-05-16 | N/A | N/A | ||
|
Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allow an unauthenticated attacker to access arbitrary files in the document system via manipulation of file paths and object identifiers.
|
|||||
| CVE-2024-53827 | 2025-05-16 | N/A | 7.5 HIGH | ||
|
Ericsson Packet Core Controller (PCC) contains a
vulnerability where an attacker sending a large volume of specially
crafted messages may cause service degradation
|
|||||
| CVE-2025-2305 | 2025-05-16 | N/A | 8.6 HIGH | ||
|
A Path traversal vulnerability in the file
download functionality was identified. This vulnerability allows
unauthenticated users to download arbitrary files, in the context of the
application server, from the Linux server.
|
|||||
| CVE-2025-4742 | 2025-05-16 | 4.3 MEDIUM | 5.3 MEDIUM | ||
|
A vulnerability classified as problematic has been found in XU-YIJIE grpo-flat up to 9024b43f091e2eb9bac65802b120c0b35f9ba856. Affected is the function main of the file grpo_vanilla.py. The manipulation leads to deserialization. Local access is required to approach this attack. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
|
|||||
| CVE-2025-4740 | 2025-05-16 | 4.3 MEDIUM | 5.3 MEDIUM | ||
|
A vulnerability was found in BeamCtrl Airiana up to 11.0. It has been declared as problematic. This vulnerability affects unknown code of the file coef. The manipulation leads to deserialization. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-42175 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 2.6 LOW |
|
HCL MyXalytics is affected by a weak input validation vulnerability. The application accepts special characters and there is no length validation. This can lead to security vulnerabilities like SQL injection, XSS, and buffer overflow.
|
|||||
| CVE-2025-3250 | 1 Eladmin | 1 Eladmin | 2025-05-15 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, has been found in elunez eladmin 2.7. Affected by this issue is some unknown functionality of the file /api/database/testConnect of the component Maintenance Management Module. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2022-38985 | 1 Huawei | 2 Emui, Harmonyos | 2025-05-15 | N/A | 7.5 HIGH |
|
The facial recognition module has a vulnerability in input validation.Successful exploitation of this vulnerability may affect data confidentiality.
|
|||||
| CVE-2024-24981 | 2025-05-14 | N/A | 7.5 HIGH | ||
|
Improper input validation in PfrSmiUpdateFw driver in UEFI firmware for some Intel(R) Server M50FCP Family products may allow a privileged user to enable escalation of privilege via local access.
|
|||||
| CVE-2017-7517 | 1 Redhat | 1 Openshift | 2025-05-13 | N/A | 3.5 LOW |
|
An input validation vulnerability exists in Openshift Enterprise due to a 1:1 mapping of tenants in Hawkular Metrics and projects/namespaces in OpenShift. If a user creates a project called "MyProject", and then later deletes it another user can then create a project called "MyProject" and access the metrics stored from the original "MyProject" instance.
|
|||||
| CVE-2025-0734 | 1 Ruoyi | 1 Ruoyi | 2025-05-13 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability has been found in y_project RuoYi up to 4.8.0 and classified as critical. This vulnerability affects the function getBeanName of the component Whitelist. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-40556 | 2025-05-13 | N/A | 6.5 MEDIUM | ||
|
A vulnerability has been identified in BACnet ATEC 550-440 (All versions), BACnet ATEC 550-441 (All versions), BACnet ATEC 550-445 (All versions), BACnet ATEC 550-446 (All versions). Affected devices improperly handle specific incoming BACnet MSTP messages. This could allow an attacker residing in the same BACnet network to send a specially crafted MSTP message that results in a denial of service condition of the targeted device. A power cycle is required to restore the device's normal operation ...
Show More |
|||||
| CVE-2025-24510 | 2025-05-13 | N/A | 6.5 MEDIUM | ||
|
A vulnerability has been identified in MS/TP Point Pickup Module (All versions). Affected devices improperly handle specific incoming BACnet MSTP messages. This could allow an attacker residing in the same BACnet network to send a specially crafted MSTP message that results in a denial of service condition of the targeted device. A power cycle is required to restore the device's normal operation.
|
|||||
| CVE-2025-29784 | 1 Namelessmc | 1 Nameless | 2025-05-13 | N/A | 7.5 HIGH |
|
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the s parameter in GET requests for forum search functionality lacks length validation, allowing attackers to submit excessively long search queries. This oversight can lead to performance degradation and potential denial-of-service (DoS) attacks. This issue has been patched in version 2.2.0.
|
|||||
| CVE-2024-25016 | 1 Ibm | 2 Mq, Mq Appliance | 2025-05-12 | N/A | 7.5 HIGH |
|
IBM MQ and IBM MQ Appliance 9.0, 9.1, 9.2, 9.3 LTS and 9.3 CD could allow a remote unauthenticated attacker to cause a denial of service due to incorrect buffering logic. IBM X-Force ID: 281279.
|
|||||
| CVE-2025-30391 | 1 Microsoft | 1 Dynamics 365 Customer Service | 2025-05-12 | N/A | 8.1 HIGH |
|
Improper input validation in Microsoft Dynamics allows an unauthorized attacker to disclose information over a network.
|
|||||
| CVE-2025-46574 | 1 Zte | 1 Zxcloud Goldendb | 2025-05-12 | N/A | 4.1 MEDIUM |
|
There is an information disclosure vulnerability in the GoldenDB database product. Attackers can exploit error messages to obtain the system's sensitive information.
|
|||||
| CVE-2025-4376 | 2025-05-12 | N/A | N/A | ||
|
Improper Input Validation vulnerability in Sparx Systems Pro Cloud Server's WebEA model search field allows Cross-Site Scripting (XSS).
This issue affects Pro Cloud Server: earlier than 6.0.165.
|
|||||
| CVE-2025-4377 | 2025-05-12 | N/A | N/A | ||
|
Improper Limitation of a Pathname caused a Path Traversal vulnerability in Sparx Systems Pro Cloud Server.
This vulnerability is present in logview.php and it allows reading arbitrary files on the filesystem.
Logview is accessible on Pro Cloud Server Configuration interface.
This issue affects Pro Cloud Server: earlier than 6.0.165.
|
|||||
| CVE-2023-22342 | 1 Intel | 1 Thunderbolt Dch Driver | 2025-05-12 | N/A | 7.7 HIGH |
|
Improper input validation in some Intel(R) Thunderbolt(TM) DCH drivers for Windows before version 88 may allow an authenticated user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2024-45577 | 1 Qualcomm | 20 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 17 more | 2025-05-09 | N/A | 7.8 HIGH |
|
Memory corruption while invoking IOCTL calls from userspace to camera kernel driver to dump request information.
|
|||||
| CVE-2024-45579 | 1 Qualcomm | 20 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 17 more | 2025-05-09 | N/A | 7.8 HIGH |
|
Memory corruption may occur when invoking IOCTL calls from userspace to the camera kernel driver to dump request information, due to a missing memory requirement check.
|
|||||
| CVE-2024-49845 | 1 Qualcomm | 292 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 289 more | 2025-05-09 | N/A | 7.8 HIGH |
|
Memory corruption during the FRS UDS generation process.
|
|||||
| CVE-2025-21460 | 1 Qualcomm | 72 Qam8255p, Qam8255p Firmware, Qam8295p and 69 more | 2025-05-09 | N/A | 7.8 HIGH |
|
Memory corruption while processing a message, when the buffer is controlled by a Guest VM, the value can be changed continuously.
|
|||||
| CVE-2022-1414 | 1 Redhat | 1 3scale Api Management | 2025-05-09 | N/A | 8.8 HIGH |
|
3scale API Management 2 does not perform adequate sanitation for user input in multiple fields. An authenticated user could use this flaw to inject scripts and possibly gain access to sensitive information or conduct further attacks.
|
|||||
| CVE-2024-11636 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2025-05-08 | N/A | 4.8 MEDIUM |
|
The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Text Block options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-27612 | 1 Numbas | 1 Editor | 2025-05-08 | N/A | 6.2 MEDIUM |
|
Numbas editor before 7.3 mishandles editing of themes and extensions.
|
|||||
| CVE-2025-40846 | 2025-05-08 | N/A | N/A | ||
|
Improper Input Validation, the returnUrl parameter in Account Security Settings lacks proper input validation, allowing attackers to redirect users to malicious websites (Open Redirect) and inject JavaScript code to perform cross site scripting attack.
The vulnerability affects Halo versions up to 2.174.101 and all versions between 2.175.1 and 2.184.21
|
|||||
| CVE-2022-33178 | 1 Broadcom | 1 Fabric Operating System | 2025-05-07 | N/A | 7.2 HIGH |
|
A vulnerability in the radius authentication system of Brocade Fabric OS before Brocade Fabric OS 9.0 could allow a remote attacker to execute arbitrary code on the Brocade switch.
|
|||||
| CVE-2022-3676 | 1 Eclipse | 1 Openj9 | 2025-05-07 | N/A | 6.5 MEDIUM |
|
In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type.
|
|||||
| CVE-2022-42468 | 1 Apache | 1 Flume | 2025-05-07 | N/A | 9.8 CRITICAL |
|
Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
|
|||||
| CVE-2018-6335 | 1 Facebook | 1 Hhvm | 2025-05-06 | 5.0 MEDIUM | 7.5 HIGH |
|
A Malformed h2 frame can cause 'std::out_of_range' exception when parsing priority meta data. This behavior can lead to denial-of-service. This affects all supported versions of HHVM (3.25.2, 3.24.6, and 3.21.10 and below) when using the proxygen server to handle HTTP2 requests.
|
|||||