Export limit exceeded: 346175 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346175 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-24908 | 2026-04-15 | 6.8 Medium | ||
| Overview The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35) Description Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the UploadFile service. Impact This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. | ||||
| CVE-2025-24909 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2026-04-15 | 4.4 Medium |
| Overview The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79) Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface. Impact Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. | ||||
| CVE-2025-24911 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2026-04-15 | 4.9 Medium |
| Overview XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. (CWE-611) Description Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Data Access XMLParserFactoryProducer against out-of-band XML External Entity Reference. Impact By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning. | ||||
| CVE-2025-24914 | 1 Tenable | 1 Nessus | 2026-04-15 | 7.8 High |
| When installing Nessus to a non-default location on a Windows host, Nessus versions prior to 10.8.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. - CVE-2025-24914 | ||||
| CVE-2025-23722 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mind3dom Mind3doM RyeBread Widgets mind3dom-ryebread-widgets allows Reflected XSS.This issue affects Mind3doM RyeBread Widgets: from n/a through <= 1.0. | ||||
| CVE-2025-23723 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hdw player Plestar Directory Listing plestar-directory-listing allows Reflected XSS.This issue affects Plestar Directory Listing: from n/a through <= 1.0. | ||||
| CVE-2025-23724 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oleksandr87 University Quizzes Online university-quizzes-online allows Reflected XSS.This issue affects University Quizzes Online: from n/a through <= 1.4. | ||||
| CVE-2025-23725 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pshikli Accessibility Task Manager accessibility-task-manager allows Reflected XSS.This issue affects Accessibility Task Manager: from n/a through <= 1.2.1. | ||||
| CVE-2025-23728 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in atelierhyper AuMenu aumenu allows Reflected XSS.This issue affects AuMenu: from n/a through <= 1.1.5. | ||||
| CVE-2025-23743 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in MartijnScheijbeler Social Analytics social-analytics allows Stored XSS.This issue affects Social Analytics: from n/a through <= 0.2. | ||||
| CVE-2025-23745 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Tussendoor B.V. Call me Now call-me-now allows Stored XSS.This issue affects Call me Now: from n/a through <= 1.0.5. | ||||
| CVE-2025-23746 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Edem CMC MIGRATE cmc-migrate allows Reflected XSS.This issue affects CMC MIGRATE: from n/a through <= 0.0.3. | ||||
| CVE-2025-23747 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nitesh Awesome Timeline awesome-timeline allows Stored XSS.This issue affects Awesome Timeline: from n/a through <= 1.0.1. | ||||
| CVE-2025-23749 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in progpars.net mybb Last Topics mybb-last-topics allows Stored XSS.This issue affects mybb Last Topics: from n/a through <= 1.0. | ||||
| CVE-2025-14309 | 1 Ravynsoft | 1 Ravynos | 2026-04-15 | 7.5 High |
| NULL Pointer Dereference vulnerability in ravynsoft ravynos.This issue affects ravynos: through 0.5.2. | ||||
| CVE-2025-23751 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 Data Dash data-dash allows Reflected XSS.This issue affects Data Dash: from n/a through <= 1.2.3. | ||||
| CVE-2025-23753 | 2026-04-15 | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in digireturn DN Sitemap Control dn-sitemap-control allows Reflected XSS.This issue affects DN Sitemap Control: from n/a through <= 1.0.6. | ||||
| CVE-2025-23754 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ulrich Sossou The Loops the-loops allows Reflected XSS.This issue affects The Loops: from n/a through <= 1.0.2. | ||||
| CVE-2025-23756 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ivanchernyakov LawPress – Law Firm Website Management lawpress allows Reflected XSS.This issue affects LawPress – Law Firm Website Management: from n/a through <= 1.4.5. | ||||
| CVE-2025-23758 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pootlepress Pootle button pootle-button allows Reflected XSS.This issue affects Pootle button: from n/a through <= 1.2.0. | ||||