Search Results (10283 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-68110 | 1 Churchcrm | 1 Churchcrm | 2025-12-18 | 10 Critical |
| ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue. | ||||
| CVE-2023-4580 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Thunderbird and 5 more | 2025-12-18 | 6.5 Medium |
| Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing the leak of sensitive information. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2. | ||||
| CVE-2021-3426 | 6 Debian, Fedoraproject, Netapp and 3 more | 11 Debian Linux, Fedora, Cloud Backup and 8 more | 2025-12-18 | 5.7 Medium |
| There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7. | ||||
| CVE-2018-15919 | 2 Netapp, Openbsd | 7 Cloud Backup, Cn1610, Cn1610 Firmware and 4 more | 2025-12-18 | 5.3 Medium |
| Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.' | ||||
| CVE-2025-11670 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2025-12-18 | 6.4 Medium |
| Zohocorp ManageEngine ADManager Plus versions before 8025 are vulnerable to NTLM Hash Exposure. This vulnerability is exploitable only by technicians who have the “Impersonate as Admin” option enabled. | ||||
| CVE-2024-37325 | 1 Microsoft | 2 Azure Data Science Virtual Machine, Azure Data Science Virtual Machines | 2025-12-17 | 8.1 High |
| Azure Science Virtual Machine (DSVM) Elevation of Privilege Vulnerability | ||||
| CVE-2024-35263 | 1 Microsoft | 1 Dynamics 365 | 2025-12-17 | 5.7 Medium |
| Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | ||||
| CVE-2024-30096 | 1 Microsoft | 15 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 12 more | 2025-12-17 | 5.5 Medium |
| Windows Cryptographic Services Information Disclosure Vulnerability | ||||
| CVE-2018-15473 | 7 Canonical, Debian, Netapp and 4 more | 25 Ubuntu Linux, Debian Linux, Aff Baseboard Management Controller and 22 more | 2025-12-17 | 5.9 Medium |
| OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. | ||||
| CVE-2017-7526 | 3 Canonical, Debian, Gnupg | 3 Ubuntu Linux, Debian Linux, Libgcrypt | 2025-12-17 | N/A |
| libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used. | ||||
| CVE-2025-65820 | 2 Google, Meatmeet | 2 Android, Meatmeet | 2025-12-17 | 9.8 Critical |
| An issue was discovered in Meatmeet Android Mobile Application 1.1.2.0. An exported activity can be spawned with the mobile application which opens a hidden page. This page, which is not available through the normal flows of the application, contains several devices which can be added to your account, two of which have not been publicly released. As a result of this vulnerability, the attacker can gain insight into unreleased Meatmeet devices. | ||||
| CVE-2025-54304 | 1 Thermofisher | 2 Ion Torrent Onetouch 2, Ion Torrent Onetouch 2 Firmware | 2025-12-16 | 9.8 Critical |
| An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from 127.0.0.1 and 192.168.2.15. If a device is powered on and later connected to a network with DHCP, the device may not be assigned the 192.168.2.15 IP address, leaving the display server accessible by other devices on the network. The exposed X11 display server can then be used to gain root privileges and the ability to execute code remotely by interacting with matchbox-desktop and spawning a terminal. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-56427 | 2 Composio, Composiohq | 2 Composio, Composio | 2025-12-16 | 7.5 High |
| Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive information via the _download_file_or_dir function. | ||||
| CVE-2025-20158 | 1 Cisco | 10 Desk Phone 9841, Desk Phone 9841 Firmware, Desk Phone 9851 and 7 more | 2025-12-15 | 4.4 Medium |
| A vulnerability in the debug shell of Cisco Video Phone 8875 and Cisco Desk Phone 9800 Series could allow an authenticated, local attacker to access sensitive information on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials with SSH access on the affected device. SSH access is disabled by default. This vulnerability is due to insufficient validation of user-supplied input by the debug shell of an affected device. An attacker could exploit this vulnerability by sending a crafted SSH client command to the CLI. A successful exploit could allow the attacker to access sensitive information on the underlying operating system. | ||||
| CVE-2025-14528 | 1 Dlink | 2 Dir-803, Dir-803 Firmware | 2025-12-15 | 5.3 Medium |
| A vulnerability was detected in D-Link DIR-803 up to 1.04. Impacted is an unknown function of the file /getcfg.php of the component Configuration Handler. The manipulation of the argument AUTHORIZED_GROUP results in information disclosure. The attack may be performed from remote. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2025-25951 | 1 Serosoft | 1 Academia Student Information System | 2025-12-12 | 7.5 High |
| An information disclosure vulnerability in the component /rest/cb/executeBasicSearch of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to access sensitive user information. | ||||
| CVE-2025-67718 | 1 Form | 1 Form.io | 2025-12-12 | N/A |
| Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3. | ||||
| CVE-2025-9398 | 1 Wanglongcn | 1 Yifang | 2025-12-11 | 5.3 Medium |
| A security vulnerability has been detected in YiFang CMS up to 2.0.5. Affected by this vulnerability is the function exportInstallTable of the file app/utils/base/database/Migrate.php. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-53840 | 1 Icinga | 1 Icinga Db Web | 2025-12-11 | 2.4 Low |
| Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3. | ||||
| CVE-2025-14198 | 1 Verysync | 1 Verysync | 2025-12-11 | 5.3 Medium |
| A vulnerability was detected in Verysync 微力同步 2.21.3. This affects an unknown function of the file /safebrowsing/clientreport/download?key=dummytoken of the component Web Administration Module. Performing manipulation results in information disclosure. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||