Search Results (11264 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2024-0674 | 1 Lamassu | 4 Douro, Douro Firmware, Douro Ii and 1 more | 2025-05-29 | 6.3 Medium | Privilege escalation vulnerability in Lamassu Bitcoin ATM Douro machines, in its 7.1 version, which could allow a local user to acquire root permissions by modifying the updatescript.js, inserting special code inside the script and creating the done.txt file. This would cause the watchdog process to run as root and execute the payload stored in the updatescript.js. |
| CVE-2025-4687 | | | 2025-05-29 | N/A | In Teltonika Networks Remote Management System (RMS), it is possible to perform account pre-hijacking by misusing the invite functionality. If a victim has a pending invite and registers to the platform directly, they are added to the attacker's company without their knowledge. The victim's account and their company can then be managed by the attacker. This issue affects RMS: before 5.7. |
| CVE-2022-23126 | 1 Teslamate | 1 Teslamate | 2025-05-28 | 9.8 Critical | TeslaMate before 1.25.1 (when using the default Docker configuration) allows attackers to open doors of Tesla vehicles, start Keyless Driving, and interfere with vehicle operation en route. This occurs because an attacker can leverage Grafana login access to obtain a token for Tesla API calls. |
| CVE-2024-13191 | 1 Zerowdd | 1 Myblog | 2025-05-28 | 6.3 Medium | A vulnerability, which was classified as critical, has been found in ZeroWdd myblog 1.0. This issue affects the function upload of the file src/main/java/com/wdd/myblog/controller/admin/uploadController.java. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-4051 | 1 Google | 1 Chrome | 2025-05-28 | 6.3 Medium | Insufficient data validation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2024-57698 | 1 Modernwms | 1 Modernwms | 2025-05-28 | 7.5 High | An issue in modernwms v.1.0 allows an attacker to view the MD5 hash of the administrator password and other attributes without authentication, even after initial configuration and password change. This happens due to excessive exposure of information and the lack of adequate access control on the /user/list?culture=en-us endpoint. |
| CVE-2024-30187 | 1 Anope | 1 Anope | 2025-05-28 | 5.3 Medium | Anope before 2.0.15 does not prevent resetting the password of a suspended account. |
| CVE-2023-31634 | 2 Teslamate, Teslamate Project | 2 Teslamate, Teslamate | 2025-05-28 | 9.8 Critical | In TeslaMate before 1.27.2, there is unauthorized access to port 4000 for remote viewing and operation of user data. After accessing the IP address for the TeslaMate instance, an attacker can switch the port to 3000 to enter Grafana for remote operations. At that time, the default username and password can be used to enter the Grafana management console without logging in, a related issue to CVE-2022-23126. |
| CVE-2025-25225 | 1 Hikashop | 1 Hikashop | 2025-05-28 | 6.5 Medium | A privilege escalation vulnerability in the Hikashop component versions 1.0.0-5.1.3 for Joomla allows authenticated attackers (administrator) to escalate their privileges to Super Admin Permissions. |
| CVE-2023-45210 | 1 Pleasanter | 1 Pleasanter | 2025-05-28 | 4.3 Medium | Pleasanter 1.3.47.0 and earlier contains an improper access control vulnerability, which may allow a remote authenticated attacker to view the temporary files uploaded by other users that they are not permitted to access. |
| CVE-2022-32880 | 1 Apple | 1 Macos | 2025-05-28 | 6.5 Medium | This issue was addressed by enabling hardened runtime. This issue is fixed in macOS Monterey 12.5. An app may be able to access user-sensitive data. |
| CVE-2025-46566 | 1 Dataease | 1 Dataease | 2025-05-28 | 9.8 Critical | DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.9, authenticated users can complete RCE through the backend JDBC link. This issue has been patched in version 2.10.9. |
| CVE-2025-3123 | 1 Wondercms | 1 Wondercms | 2025-05-28 | 4.7 Medium | A vulnerability, which was classified as critical, has been found in WonderCMS 3.5.0. Affected by this issue is the function installUpdateModuleAction of the component Theme Installation/Plugin Installation. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains that "[t]he philosophy has always been, admin [...] bear responsibility to not install themes/plugins from untrusted sources." |
| CVE-2025-28104 | 1 Dogukanurker | 1 Flaskblog | 2025-05-28 | 9.1 Critical | Incorrect access control in FlaskBlog v2.6.1 allows attackers to access all usernames via a crafted input. |
| CVE-2022-41235 | 1 Jenkins | 1 Wildfly Deployer | 2025-05-28 | 5.3 Medium | Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. |
| CVE-2024-34257 | 1 Totolink | 2 Ex1800t, Ex1800t Firmware | 2025-05-28 | 9.8 Critical | TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in the apcliEncrypType parameter that allows unauthorized execution of arbitrary commands, allowing an attacker to obtain device administrator privileges. |
| CVE-2025-5247 | | | 2025-05-28 | 7.3 High | A vulnerability, which was classified as critical, has been found in Gowabby HFish 0.1. This issue affects the function LoadUrl of the file \view\url.go. The manipulation of the argument r leads to improper authentication. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-48370 | | | 2025-05-28 | N/A | auth-js is an isomorphic JavaScript library for Supabase Auth. Prior to version 2.69.1, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user-supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user-controlled inputs, such as the userId, are not affected by this. This issue has been patched in version 2.69.1. |
| CVE-2025-3236 | 1 Tenda | 2 Fh1202, Fh1202 Firmware | 2025-05-28 | 5.3 Medium | A vulnerability was found in Tenda FH1202 1.2.0.14(408). It has been declared as critical. This vulnerability affects unknown code of the file /goform/VirSerDMZ of the component Web Management Interface. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-3237 | 1 Tenda | 2 Fh1202, Fh1202 Firmware | 2025-05-28 | 5.3 Medium | A vulnerability was found in Tenda FH1202 1.2.0.14(408). It has been rated as critical. This issue affects some unknown processing of the file /goform/wrlwpsset. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |