Vulnerabilities (CVE)

Filtered by CWE-284 (Improper Access Control)
Total: 4310 CVEs
Columns: CVE | number of vendors, vendor names | number of products, product names | last updated | CVSS v2 score and severity | CVSS v3 score and severity (N/A where no score has been assigned; some entries list no vendor or product)
CVE-2025-11716 2 Google, Mozilla 3 Android, Firefox, Thunderbird 2025-10-16 N/A 6.5 MEDIUM
Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability affects Firefox < 144 and Thunderbird < 144.
CVE-2025-2035 1 S-a-zhd 1 Ecommerce-website-using-php 2025-10-15 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in s-a-zhd Ecommerce-Website-using-PHP 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /customer_register.php. The manipulation of the argument name leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-46014 1 Honor 1 Pc Manager 2025-10-15 N/A 8.8 HIGH
Several services in Honor Device Co., Ltd Honor PC Manager v16.0.0.118 were discovered to connect to the named pipe iMateBookAssistant with default or overly permissive security attributes, leading to a privilege escalation.
CVE-2024-1144 1 Alma 1 Alma Blog 2025-10-15 N/A 6.5 MEDIUM
Improper access control vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow an unauthenticated user to access the application's functionalities without the need for credentials.
CVE-2024-12478 1 Invoiceplane 1 Invoiceplane 2025-10-15 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2024-13211 1 Singmr 1 Houserent 2025-10-15 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in SingMR HouseRent 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file src/main/java/com/house/wym/controller/AdminController.java. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13212 1 Singmr 1 Houserent 2025-10-15 6.5 MEDIUM 6.3 MEDIUM
A vulnerability classified as critical has been found in SingMR HouseRent 1.0. This affects the function singleUpload/upload of the file src/main/java/com/house/wym/controller/AddHouseController.java. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-3398 1 Lenve 1 Vblog 2025-10-15 6.5 MEDIUM 6.3 MEDIUM
A vulnerability classified as critical was found in lenve VBlog up to 1.0.0. Affected by this vulnerability is the function configure of the file blogserver/src/main/java/org/sang/config/WebSecurityConfig.java. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-3790 1 Jsite 1 Jsite 2025-10-15 5.0 MEDIUM 5.3 MEDIUM
A vulnerability classified as critical has been found in baseweb JSite 1.0. This affects an unknown part of the file /druid/index.html of the component Apache Druid Monitoring Console. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-3807 1 Zhenfeng13 1 My-bbs 2025-10-15 6.5 MEDIUM 6.3 MEDIUM
A vulnerability, which was classified as critical, was found in zhenfeng13 My-BBS 1.0. This affects the function Upload of the file src/main/java/com/my/bbs/controller/common/UploadController.java of the component Endpoint. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-45611 1 Java-aodeng 1 Hope-boot 2025-10-14 N/A 9.8 CRITICAL
Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request.
CVE-2025-45613 1 Zhaojun1998 1 Shiro-action 2025-10-14 N/A 7.5 HIGH
Incorrect access control in the component /user/list of Shiro-Action v0.6 allows attackers to access sensitive information via a crafted payload.
CVE-2025-45614 1 Lcw2004 1 One 2025-10-14 N/A 7.5 HIGH
Incorrect access control in the component /api/user/manager of One v1.0 allows attackers to access sensitive information via a crafted payload.
CVE-2025-48707 1 Stormshield 1 Stormshield Network Security 2025-10-14 N/A 7.5 HIGH
An issue was discovered in Stormshield Network Security (SNS) before 5.0.1. TPM authentication information could, in some HA use cases, be shared among administrators, which can cause secret sharing.
CVE-2025-10398 1 Fcba Zzm 1 Smart Park Management System 2025-10-14 6.5 MEDIUM 6.3 MEDIUM
A security flaw has been discovered in fcba_zzm ics-park Smart Park Management System 2.0. This vulnerability affects unknown code of the file FileUploadUtils.java. The manipulation of the argument File results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
CVE-2025-11655 2025-10-14 5.8 MEDIUM 4.7 MEDIUM
A security flaw has been discovered in Total.js Flow up to 673ef9144dd25d4f4fd4fdfda5af27f230198924. The impacted element is an unknown function of the component SVG File Handler. Performing manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-62159 2025-10-14 N/A N/A
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. A vulnerability was discovered in the BeyondTrust provider implementation for External Secrets Operator versions 0.10.1 through 0.19.2. The provider previously retrieved Kubernetes secrets directly, without validating the namespace context or the type of secret store. This allowed unauthorized cross-namespace secret access, violating security boundaries and potentially exposing sensitive credentials. In version 0.20.0, the provider code was updated to use the `resolvers.SecretKeyRef` utility, which enforces namespace validation and only allows cross-namespace access for `ClusterSecretStore` types. This ensures secrets are only retrieved from the correct namespace, mitigating the risk of unauthorized access. All users should upgrade to the latest version containing this fix. As a workaround, use a policy engine such as Kyverno or OPA to prevent using BeyondTrust provider and/or validate the `(Cluster)SecretStore` and ensure the namespace may only be set when using a `ClusterSecretStore`.
CVE-2025-0033 2025-10-14 N/A 6.0 MEDIUM
Improper access control within AMD SEV-SNP could allow an admin privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity.
CVE-2025-54603 2025-10-14 N/A 6.5 MEDIUM
An incorrect OIDC authentication flow in Claroty Secure Access 3.3.0 through 4.0.2 can result in unauthorized user creation or impersonation of existing OIDC users.
CVE-2025-11354 1 Fabian 1 Online Hotel Reservation System 2025-10-14 6.5 MEDIUM 6.3 MEDIUM
A flaw has been found in code-projects Online Hotel Reservation System 1.0. Affected is an unknown function of the file /admin/addslideexec.php. Manipulation of the argument image can lead to unrestricted upload. The attack may be performed remotely. The exploit has been published and may be used.