Export limit exceeded: 25186 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (25186 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-52493 | 1 Pagerduty | 2 Runbook, Runbook Automation | 2026-01-02 | 6.5 Medium |
| PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from "password" to "text" using browser developer tools. This vulnerability is exploitable by administrative users who have access to the configuration page. | ||||
| CVE-2024-29883 | 1 Miraheze | 1 Createwiki | 2026-01-02 | 4.9 Medium |
| CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the `(createwiki)` user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it. | ||||
| CVE-2025-67163 | 1 Simplemachines | 3 Simple Machine Forum, Simple Machines Forum, Smf | 2025-12-31 | 6.1 Medium |
| A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Forum Name parameter. | ||||
| CVE-2025-63397 | 1 Oneflow | 1 Oneflow | 2025-12-31 | 6.5 Medium |
| Improper input validation in OneFlow v0.9.0 allows attackers to cause a segmentation fault via adding a Python sequence to the native code during broadcasting/type conversion. | ||||
| CVE-2024-47866 | 1 Redhat | 2 Ceph, Ceph Storage | 2025-12-31 | 7.5 High |
| Ceph is a distributed object, block, and file storage platform. In versions up to and including 19.2.3, using the argument `x-amz-copy-source` to put an object and specifying an empty string as its content leads to the RGW daemon crashing, resulting in a DoS attack. As of time of publication, no known patched versions exist. | ||||
| CVE-2025-62236 | 2 Flyfrontier, Frontier Airlines | 2 Frontier Airlines, Flyfrontier | 2025-12-31 | 5.3 Medium |
| The Frontier Airlines website has a publicly available endpoint that validates if an email addresses is associated with an account. An unauthenticated, remote attacker could determine valid email addresses, possibly aiding in further attacks. | ||||
| CVE-2024-22770 | 1 Hitron | 2 Hvr-16781, Hvr-16781 Firmware | 2025-12-31 | 7.4 High |
| Improper Input Validation in Hitron Systems DVR HVR-16781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW. | ||||
| CVE-2024-22768 | 1 Hitron | 2 Hvr-4781, Hvr-4781 Firmware | 2025-12-31 | 7.4 High |
| Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW. | ||||
| CVE-2024-22772 | 2 Hitron, Hitronsystems | 3 Lguvr-8h, Lguvr-8h Firmware, Dvr Lguvr-8h | 2025-12-31 | 7.4 High |
| Improper Input Validation in Hitron Systems DVR LGUVR-8H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW. | ||||
| CVE-2024-22769 | 1 Hitron | 2 Hvr-8781, Hvr-8781 Firmware | 2025-12-31 | 7.4 High |
| Improper Input Validation in Hitron Systems DVR HVR-8781 1.03~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW. | ||||
| CVE-2024-22771 | 2 Hitron, Hitronsystems | 3 Lguvr-4h, Lguvr-4h Firmware, Dvr Lguvr-4h Firmware | 2025-12-31 | 7.4 High |
| Improper Input Validation in Hitron Systems DVR LGUVR-4H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW. | ||||
| CVE-2024-23842 | 1 Hitron | 2 Lguvr-16h, Lguvr-16h Firmware | 2025-12-31 | 7.4 High |
| Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 allows an attacker to cause network attack in case of using defalut admin ID/PW. | ||||
| CVE-2025-4166 | 2 Hashicorp, Openbao | 3 Vault, Vault Enterprise, Openbao | 2025-12-31 | 4.5 Medium |
| Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20. | ||||
| CVE-2023-52927 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2025-12-31 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: netfilter: allow exp not to be removed in nf_ct_find_expectation Currently nf_conntrack_in() calling nf_ct_find_expectation() will remove the exp from the hash table. However, in some scenario, we expect the exp not to be removed when the created ct will not be confirmed, like in OVS and TC conntrack in the following patches. This patch allows exp not to be removed by setting IPS_CONFIRMED in the status of the tmpl. | ||||
| CVE-2025-15121 | 1 Jeecg | 2 Jeecg Boot, Jeecgboot | 2025-12-30 | 2.4 Low |
| A vulnerability has been found in JeecgBoot up to 3.9.0. The affected element is the function getDeptRoleByUserId of the file /sys/sysDepartRole/getDeptRoleByUserId. Such manipulation of the argument departId leads to information disclosure. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-63958 | 1 Millensys | 1 Vision Tools Workspace | 2025-12-30 | 9.8 Critical |
| MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged administrative function. | ||||
| CVE-2025-63729 | 1 Syrotech | 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware | 2025-12-30 | 9 Critical |
| An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to exctract the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates in .pem format in firmware in etc folder. | ||||
| CVE-2025-60739 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-12-30 | 9.6 Critical |
| Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component | ||||
| CVE-2025-65278 | 2 Grocerymart Project, Komal97 | 2 Grocerymart, Grocerymart | 2025-12-30 | 7.5 High |
| An issue was discovered in file users.json in GroceryMart commit 21934e6 (2020-10-23) allowing unauthenticated attackers to gain sensitive information including plaintext usernames and passwords. | ||||
| CVE-2022-50686 | 1 Kentico | 1 Xperience | 2025-12-30 | 7.5 High |
| An information disclosure vulnerability in Kentico Xperience allows attackers to view sensitive stack trace details via Portal Engine form control error messages. Detailed error messages can expose internal system information and potentially reveal implementation details to unauthorized users. | ||||