Total
34640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3368 | 1 Avira | 1 Avira Security | 2025-05-10 | N/A | 7.3 HIGH |
|
A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem, to escalate his privileges in certain scenarios. The issue was fixed with Avira Security version 1.1.72.30556.
|
|||||
| CVE-2025-3224 | 1 Docker | 1 Desktop | 2025-05-10 | N/A | 7.8 HIGH |
|
A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0 could allow a local, low-privileged attacker to escalate privileges to SYSTEM. During an update, Docker Desktop attempts to delete files and subdirectories under the path C:\ProgramData\Docker\config with high privileges. However, this directory often does not exist by default, and C:\ProgramData\ allows normal users to create new directories. By creating a malicious Docker\config folder structure at thi ...
Show More |
|||||
| CVE-2023-50290 | 1 Apache | 1 Solr | 2025-05-09 | N/A | 6.5 MEDIUM |
|
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.
The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system pro ...
Show More |
|||||
| CVE-2023-24626 | 1 Gnu | 1 Screen | 2025-05-09 | N/A | 6.5 MEDIUM |
|
socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process.
|
|||||
| CVE-2025-46330 | 1 Snowflake | 1 Connector For C\/c\+\+ | 2025-05-09 | N/A | 3.3 LOW |
|
libsnowflakeclient is the Snowflake Connector for C/C++. Versions starting from 0.5.0 to before 2.2.0, incorrectly treat malformed requests that caused the HTTP response status code 400, as able to be retried. This could hang the application until SF_CON_MAX_RETRY requests were sent. This issue has been patched in version 2.2.0.
|
|||||
| CVE-2024-58252 | 1 Huawei | 1 Harmonyos | 2025-05-09 | N/A | 6.2 MEDIUM |
|
Vulnerability of insufficient information protection in the media library module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2024-21111 | 2 Microsoft, Oracle | 2 Windows, Vm Virtualbox | 2025-05-09 | N/A | 7.8 HIGH |
|
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows hosts only. CVSS 3.1 Base Score 7.8 (Confide ...
Show More |
|||||
| CVE-2022-33180 | 1 Broadcom | 1 Fabric Operating System | 2025-05-09 | N/A | 5.5 MEDIUM |
|
A vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5 could allow a local authenticated attacker to export out sensitive files with “seccryptocfg”, “configupload”.
|
|||||
| CVE-2022-33179 | 1 Broadcom | 1 Fabric Operating System | 2025-05-09 | N/A | 8.8 HIGH |
|
A vulnerability in Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, and 7.4.2j could allow a local authenticated user to break out of restricted shells with “set context” and escalate privileges.
|
|||||
| CVE-2024-0881 | 1 Pickplugins | 1 Post Grid | 2025-05-09 | N/A | 5.4 MEDIUM |
|
The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel WordPress plugin before 2.2.76 does not have proper authorization, resulting in password protected posts to be displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts
|
|||||
| CVE-2022-31684 | 1 Pivotal | 1 Reactor Netty | 2025-05-09 | N/A | 4.3 MEDIUM |
|
Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
|
|||||
| CVE-2022-23241 | 1 Netapp | 1 Clustered Data Ontap | 2025-05-09 | N/A | 8.1 HIGH |
|
Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of the retention period.
|
|||||
| CVE-2016-20016 | 1 Mvpower | 4 Tv-7104he, Tv-7104he Firmware, Tv7108he and 1 more | 2025-05-09 | N/A | 9.8 CRITICAL |
|
MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.
|
|||||
| CVE-2022-43045 | 1 Gpac | 1 Gpac | 2025-05-09 | N/A | 5.5 MEDIUM |
|
GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_dump_vrml_sffield at /scene_manager/scene_dump.c.
|
|||||
| CVE-2022-43044 | 1 Gpac | 1 Gpac | 2025-05-09 | N/A | 5.5 MEDIUM |
|
GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_get_meta_item_info at /isomedia/meta.c.
|
|||||
| CVE-2022-43043 | 1 Gpac | 1 Gpac | 2025-05-09 | N/A | 5.5 MEDIUM |
|
GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function BD_CheckSFTimeOffset at /bifs/field_decode.c.
|
|||||
| CVE-2025-3471 | 1 Brainstormforce | 1 Sureforms | 2025-05-09 | N/A | 4.9 MEDIUM |
|
The SureForms WordPress plugin before 1.4.4 does not have proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action
|
|||||
| CVE-2023-6257 | 1 Data443 | 1 Inline Related Posts | 2025-05-09 | N/A | 4.3 MEDIUM |
|
The Inline Related Posts WordPress plugin before 3.6.0 is missing authorization in an AJAX action to ensure that users are allowed to see the content of the posts displayed, allowing any authenticated user, such as subscriber to retrieve the content of password protected posts
|
|||||
| CVE-2024-1290 | 1 Strategy11 | 1 User Registration Forms | 2025-05-09 | N/A | 6.5 MEDIUM |
|
The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts.
|
|||||
| CVE-2022-43424 | 1 Jenkins | 2 Compuware Xpediter Code Coverage, Jenkins | 2025-05-08 | N/A | 5.3 MEDIUM |
|
Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.
|
|||||
| CVE-2022-43416 | 1 Jenkins | 2 Jenkins, Katalon | 2025-05-08 | N/A | 8.8 HIGH |
|
Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments, and attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) to invok ...
Show More |
|||||
| CVE-2022-43414 | 1 Jenkins | 1 Nunit | 2025-05-08 | N/A | 5.3 MEDIUM |
|
Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller.
|
|||||
| CVE-2022-43039 | 1 Gpac | 1 Gpac | 2025-05-08 | N/A | 5.5 MEDIUM |
|
GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_meta_restore_items_ref at /isomedia/meta.c.
|
|||||
| CVE-2022-41709 | 1 Markdownify Project | 1 Markdownify | 2025-05-08 | N/A | 7.8 HIGH |
|
Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the "nodeIntegration" option enabled.
|
|||||
| CVE-2022-41707 | 1 Relatedcode | 1 Messenger | 2025-05-08 | N/A | 6.5 MEDIUM |
|
Relatedcode's Messenger version 7bcd20b allows an authenticated external attacker to access sensitive data of any user of the application. This is possible because the application exposes user data to the public.
|
|||||
| CVE-2024-1849 | 1 Gowebsolutions | 1 Wp Customer Reviews | 2025-05-08 | N/A | 5.4 MEDIUM |
|
The WP Customer Reviews WordPress plugin before 3.7.1 does not validate a parameter allowing contributor and above users to redirect a page to a malicious URL
|
|||||
| CVE-2024-12274 | 1 Codepeople | 1 Appointment Booking Calendar | 2025-05-08 | N/A | 7.5 HIGH |
|
The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access the exported files (if they exist).
|
|||||
| CVE-2022-43434 | 1 Jenkins | 1 Neuvector Vulnerability Scanner | 2025-05-08 | N/A | 5.3 MEDIUM |
|
Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
|
|||||
| CVE-2022-43433 | 1 Jenkins | 1 Screenrecorder | 2025-05-08 | N/A | 4.3 MEDIUM |
|
Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
|
|||||
| CVE-2022-43432 | 1 Jenkins | 1 Xframium Builder | 2025-05-08 | N/A | 4.3 MEDIUM |
|
Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
|
|||||
| CVE-2022-43429 | 1 Jenkins | 2 Compuware Topaz For Total Test, Jenkins | 2025-05-08 | N/A | 7.5 HIGH |
|
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.
|
|||||
| CVE-2022-43428 | 1 Jenkins | 2 Compuware Topaz For Total Test, Jenkins | 2025-05-08 | N/A | 5.3 MEDIUM |
|
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.
|
|||||
| CVE-2022-43426 | 1 Jenkins | 1 S3 Explorer | 2025-05-08 | N/A | 5.3 MEDIUM |
|
Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.
|
|||||
| CVE-2022-43423 | 1 Jenkins | 2 Compuware Source Code Download For Endevor\, Pds\, And Ispw, Jenkins | 2025-05-08 | N/A | 5.3 MEDIUM |
|
Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.
|
|||||
| CVE-2022-43422 | 1 Jenkins | 2 Compuware Topaz Utilities, Jenkins | 2025-05-08 | N/A | 5.3 MEDIUM |
|
Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.
|
|||||
| CVE-2022-31690 | 2 Netapp, Vmware | 2 Active Iq Unified Manager, Spring Security | 2025-05-08 | N/A | 8.1 HIGH |
|
Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RF ...
Show More |
|||||
| CVE-2025-23212 | 1 Tandoor | 1 Recipes | 2025-05-08 | N/A | 7.7 HIGH |
|
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The external storage feature allows any user to enumerate the name and content of files on the server. This vulnerability is fixed in 1.5.28.
|
|||||
| CVE-2024-2505 | 1 Gamipress | 1 Gamipress | 2025-05-08 | N/A | 8.1 HIGH |
|
The GamiPress WordPress plugin before 6.8.9's access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower privileged users, like Subscribers, despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical GamiPress WordPress plugin before 6.8.9 configurations.
|
|||||
| CVE-2020-9285 | 1 Sonos | 2 One, One Firmware | 2025-05-08 | N/A | 6.8 MEDIUM |
|
Some versions of Sonos One (1st and 2nd generation) allow partial or full memory access via attacker controlled hardware that can be attached to the Mini-PCI Express slot on the motherboard that hosts the WiFi card on the device.
|
|||||
| CVE-2016-3539 | 1 Oracle | 1 Agile Product Lifecycle Management | 2025-05-08 | 7.5 HIGH | 7.1 HIGH |
|
Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect integrity and availability via vectors related to File Folders / Attachment, a different vulnerability than CVE-2016-3538.
|
|||||