Total: 11829 CVEs (40 shown, sorted by last update)

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-22280 | 1 Br-automation | 1 Automation Studio | 2025-12-19 | N/A | 7.2 HIGH | Improper DLL loading in B&R Automation Studio versions >=4.0 and <4.12 may allow an authenticated local attacker to execute code in the context of the product. |
| CVE-2025-66923 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2025-12-18 | N/A | 7.2 HIGH | A cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter. |
| CVE-2025-66921 | 1 Opensourcepos | 1 Open Source Point Of Sale | 2025-12-18 | N/A | 7.2 HIGH | A cross-site scripting (XSS) vulnerability in the Create/Update Item(s) module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter. |
| CVE-2025-43533 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2025-12-18 | N/A | 3.5 LOW | Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in watchOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. A malicious HID device may cause an unexpected process crash. |
| CVE-2025-67170 | 1 Ritecms | 1 Ritecms | 2025-12-18 | N/A | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in RiteCMS v3.1.0 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload. |
| CVE-2023-27043 | 3 Fedoraproject, Netapp, Python | 4 Fedora, Active Iq Unified Manager, Ontap Select Deploy Administration Utility and 1 more | 2025-12-17 | N/A | 5.3 MEDIUM | The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC 2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python. |
| CVE-2025-43482 | 1 Apple | 1 Macos | 2025-12-17 | N/A | 5.5 MEDIUM | The issue was addressed with improved input validation. This issue is fixed in macOS Tahoe 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3. An app may be able to cause a denial-of-service. |
| CVE-2025-43472 | 1 Apple | 1 Macos | 2025-12-17 | N/A | 7.8 HIGH | A validation issue was addressed with improved input sanitization. This issue is fixed in macOS Sequoia 15.7.2, macOS Tahoe 26.1, macOS Sonoma 14.8.2. An app may be able to gain root privileges. |
| CVE-2025-43458 | 1 Apple | 6 Ipados, Iphone Os, Safari and 3 more | 2025-12-17 | N/A | 4.3 MEDIUM | This issue was addressed through improved state management. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, visionOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash. |
| CVE-2025-43430 | 1 Apple | 6 Ipados, Iphone Os, Safari and 3 more | 2025-12-17 | N/A | 4.3 MEDIUM | This issue was addressed through improved state management. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, visionOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash. |
| CVE-2025-43427 | 1 Apple | 5 Ipados, Iphone Os, Safari and 2 more | 2025-12-17 | N/A | 4.3 MEDIUM | This issue was addressed through improved state management. This issue is fixed in tvOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, visionOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash. |
| CVE-2025-43401 | 1 Apple | 1 Macos | 2025-12-17 | N/A | 7.5 HIGH | A denial-of-service issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7.2, macOS Tahoe 26.1, macOS Sonoma 14.8.2. A remote attacker may be able to cause a denial-of-service. |
| CVE-2025-43348 | 1 Apple | 1 Macos | 2025-12-17 | N/A | 5.5 MEDIUM | A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7.2, macOS Tahoe 26.1, macOS Sonoma 14.8.2. An app may bypass Gatekeeper checks. |
| CVE-2009-1525 | 1 Directadmin | 1 Directadmin | 2025-12-16 | 8.5 HIGH | N/A | CMD_DB in JBMC Software DirectAdmin before 1.334 allows remote authenticated users to gain privileges via shell metacharacters in the name parameter during a restore action. |
| CVE-2025-40593 | 1 Siemens | 2 Simatic Cn 4100, Simatic Cn 4100 Firmware | 2025-12-16 | N/A | 6.5 MEDIUM | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0). The affected application allows the device to be controlled by storing arbitrary files in its SFTP folder. This could allow an attacker to cause a denial of service condition. |
| CVE-2023-49252 | 1 Siemens | 2 Simatic Cn 4100, Simatic Cn 4100 Firmware | 2025-12-16 | N/A | 7.5 HIGH | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V2.7). The affected application allows the device's IP configuration to be changed without authentication. This could allow an attacker to cause a denial of service condition. |
| CVE-2025-54306 | 1 Thermofisher | 1 Torrent Suite Software | 2025-12-16 | N/A | 7.2 HIGH | An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability exists in the network configuration functionality, stemming from insufficient input validation when processing network configuration parameters through administrative endpoints. The application allows administrators to modify the server's network configuration through the Django application. This configuration is processed by Bash scripts (TSsetnoproxy and TSsetproxy) that ... |
| CVE-2025-43494 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-12-16 | N/A | 7.5 HIGH | A mail header parsing issue was addressed with improved checks. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, iOS 26.1 and iPadOS 26.1. An attacker may be able to cause a persistent denial-of-service. |
| CVE-2025-43464 | 1 Apple | 1 Macos | 2025-12-15 | N/A | 6.5 MEDIUM | A denial-of-service issue was addressed with improved input validation. This issue is fixed in macOS Tahoe 26.1. Visiting a website may lead to an app denial-of-service. |
| CVE-2025-14606 | | | 2025-12-15 | 4.6 MEDIUM | 5.0 MEDIUM | A security vulnerability has been detected in tiny-rdm Tiny RDM up to 1.2.5. Affected by this vulnerability is the function pickle.loads of the file pickle_convert.go of the component Pickle Decoding. The manipulation leads to deserialization. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue re ... |
| CVE-2025-9207 | | | 2025-12-15 | N/A | 5.3 MEDIUM | The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML injection in all versions up to, and including, 2.10.0. This is due to the plugin accepting hidden fields and not limiting the values or data that can be input and are later output. This makes it possible for unauthenticated attackers to inject arbitrary HTML into wishlist items. |
| CVE-2025-14156 | | | 2025-12-15 | N/A | 9.8 CRITICAL | The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the `/fox-lms/v1/payments/create-order` REST API endpoint. This makes it possible for unauthenticated attackers to create new user accounts with arbitrary roles, including administrator, leading to complete site compromise. |
| CVE-2025-66451 | 1 Librechat | 1 Librechat | 2025-12-15 | N/A | 6.5 MEDIUM | LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the prompts via the PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). However, the request bodies are not sufficiently validated for proper input, enabling users to modify prompts in a way that was not intended as part of the front end system. The patchPromptGroup function passes req.body directly to updatePromptGroup() without filterin ... |
| CVE-2025-62455 | 1 Microsoft | 8 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 5 more | 2025-12-12 | N/A | 7.8 HIGH | Improper input validation in Windows Message Queuing allows an authorized attacker to elevate privileges locally. |
| CVE-2025-61812 | 1 Adobe | 1 Coldfusion | 2025-12-12 | N/A | 8.4 HIGH | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could allow a high privileged attacker to gain arbitrary code execution. Exploitation of this issue does not require user interaction. |
| CVE-2025-61822 | 1 Adobe | 1 Coldfusion | 2025-12-12 | N/A | 6.2 MEDIUM | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could exploit this vulnerability to write malicious files to arbitrary locations on the file system. Exploitation of this issue does not require user interaction and scope is changed. |
| CVE-2025-61809 | 1 Adobe | 1 Coldfusion | 2025-12-12 | N/A | 9.1 CRITICAL | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue does not require user interaction and scope is unchanged. |
| CVE-2025-36929 | 1 Google | 1 Android | 2025-12-12 | N/A | 5.5 MEDIUM | In AreFencesRegistered of gxp_fence_manager.cc, there is a possible information leak due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-48594 | 1 Google | 1 Android | 2025-12-11 | N/A | 7.3 HIGH | In onUidImportance of DisassociationProcessor.java, there is a possible way to retain companion application privileges after disassociation due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
| CVE-2025-40831 | 1 Siemens | 1 Sinec Security Monitor | 2025-12-10 | N/A | 6.5 MEDIUM | A vulnerability has been identified in SINEC Security Monitor (All versions < V4.10.0). The affected application lacks input validation of the date parameter in the report generation functionality. This could allow an authenticated, lowly privileged attacker to cause a denial of service condition of the report functionality. |
| CVE-2025-0514 | 1 Libreoffice | 1 Libreoffice | 2025-12-10 | N/A | 7.8 HIGH | Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows executable hyperlink targets to be executed unconditionally on activation. This issue affects LibreOffice from 24.8 before 24.8.5. |
| CVE-2025-62571 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2025-12-10 | N/A | 7.8 HIGH | Improper input validation in Windows Installer allows an authorized attacker to elevate privileges locally. |
| CVE-2025-1080 | 2 Debian, Libreoffice | 2 Debian Linux, Libreoffice | 2025-12-10 | N/A | 7.8 HIGH | LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that, when passed to LibreOffice, could call internal macros with arbitrary arguments. This issue affects LibreOffice from 24.8 before 24.8.5 and from 25.2 before 25.2.1. |
| CVE-2024-29838 | 1 Cs-technologies | 1 Evolution | 2025-12-10 | N/A | 7.5 HIGH | The web interface of Evolution Controller versions 2.04.560.31.03.2024 and below does not properly sanitize user input, allowing an unauthenticated attacker to crash the controller software. |
| CVE-2025-48566 | 1 Google | 1 Android | 2025-12-10 | N/A | 7.8 HIGH | In multiple locations, there is a possible bypass of the user profile boundary with a forwarded intent due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-22432 | 1 Google | 1 Android | 2025-12-10 | N/A | 6.7 MEDIUM | In notifyTimeout of CallRedirectionProcessor.java, there is a possible persistent connection due to improper input validation. This could lead to local escalation of privilege and background activity launches with User execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-48525 | 1 Google | 1 Android | 2025-12-09 | N/A | 7.8 HIGH | In disassociate of DisassociationProcessor.java, there is a possible way for an app to continue reading notifications when not associated to a companion device due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-2296 | | | 2025-12-09 | N/A | N/A | EDK2 contains a vulnerability in BIOS where an attacker may cause “Improper Input Validation” by local access. Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability. |
| CVE-2025-40935 | | | 2025-12-09 | N/A | 4.3 MEDIUM | A vulnerability has been identified in RUGGEDCOM RMC8388 V5.X (All versions < V5.10.1), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.10.1), RUGGEDCOM RS416v2 V5.X (All versions < V5.10.1), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RS900G (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RSG2100 (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RSG2100P (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RSG2288 V5.X (All versions < V5.10.1), RUGGEDCOM RSG2300 V5.X (All versions < V5.10.1 ... |
| CVE-2024-52051 | | | 2025-12-09 | N/A | 7.3 HIGH | A vulnerability has been identified in SIMATIC S7-PLCSIM V17 (All versions), SIMATIC S7-PLCSIM V18 (All versions), SIMATIC STEP 7 Safety V17 (All versions < V17 Update 9), SIMATIC STEP 7 Safety V18 (All versions), SIMATIC STEP 7 Safety V19 (All versions < V19 Update 4), SIMATIC STEP 7 V17 (All versions < V17 Update 9), SIMATIC STEP 7 V18 (All versions), SIMATIC STEP 7 V19 (All versions < V19 Update 4), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All ... |
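The CVE-2023-27043 entry above describes the mechanism (the addr-spec returned by Python's email parser is not the one a human would read from the string) but not what a signup-domain check should do about it. The following is an added example, not code from the CVE listing or from CPython: it puts the naive check the entry warns about next to a hardened one that refuses anything other than a bare addr-spec and compares the domain exactly. The allowlisted domain `company.example.com` is taken from the entry; the crafted input and the other samples are constructed for illustration. Whether the naive check accepts the crafted string depends on whether the interpreter carries the fix for this CVE; the strict check rejects it on any version.

```python
"""Hardening a signup-domain allowlist against email.utils.parseaddr quirks.

Added example for the CVE-2023-27043 entry; not the project's code.
"""
import re
from email.utils import parseaddr

ALLOWED_DOMAIN = "company.example.com"  # domain named in the CVE text; hypothetical allowlist

# Bare addr-spec only: local-part, "@", dotted domain, and nothing else.
# No display name, no angle brackets, no comments, no trailing junk. This is
# deliberately stricter than RFC 5322 because a signup form has no reason to
# accept anything but a plain mailbox address.
ADDR_SPEC = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def extracted_addr_spec(raw: str) -> str:
    """What parseaddr() hands back as the addr-spec for the given string.

    The value differs between interpreters with and without the fix for
    CVE-2023-27043, which is exactly why a check must not depend on it.
    """
    return parseaddr(raw)[1]


def naive_domain_check(raw: str) -> bool:
    """The pattern the CVE entry warns about: trust parseaddr()'s addr-spec."""
    return extracted_addr_spec(raw).lower().endswith("@" + ALLOWED_DOMAIN)


def strict_domain_check(raw: str) -> bool:
    """Hardened check: whole string must be one bare addr-spec, domain must match exactly."""
    if not ADDR_SPEC.fullmatch(raw):
        return False
    domain = raw.rsplit("@", 1)[1].lower()
    return domain == ALLOWED_DOMAIN


if __name__ == "__main__":
    # Constructed samples: one legitimate address, one string shaped to make a
    # parser pick an allowlisted addr-spec out of a longer header, one
    # display-name form, and one outright foreign address.
    samples = [
        "alice@company.example.com",
        "alice@company.example.com]<mallory@attacker.example>",
        "Alice <alice@company.example.com>",
        "mallory@attacker.example",
    ]
    for s in samples:
        print(
            f"{s!r:58} parseaddr -> {extracted_addr_spec(s)!r:30} "
            f"naive={naive_domain_check(s)!s:5} strict={strict_domain_check(s)}"
        )
```

Running the script prints, for each sample, what `parseaddr()` extracted and the verdict of both checks; the point to take from the second row is that the naive verdict is a property of the interpreter, while the strict verdict is a property of the input.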