Search

Found 20,975 results in 750ms · Match type: Filtered list

CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2024-8008 unknown 1y ago WSO2 products vulnerable to Cross-site Scripting
CVE-2024-1440 unknown 1y ago WSO2 is vulnerable to Open Redirect through multi-option URL in its authentication endpoint
CVE-2025-3935 unknown 1.5 KEV 1y ago ConnectWise ScreenConnect contains an improper authentication vulnerability. This vulnerability could allow a ViewState code injection attack, which could allow remote code execution if machine keys …
CVE-2023-39780 unknown 1.5 KEV 1y ago ASUS RT-AX55 devices contain an OS command injection vulnerability that could allow a remote, authenticated attacker to execute arbitrary commands. As represented by CVE-2023-41346.
CVE-2021-32030 unknown 1.5 KEV 1y ago ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products c…
CVE-2025-48955 unknown 1y ago Para Server Logs Sensitive Information
CVE-2024-7096 unknown 1y ago WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services
CVE-2025-41235 unknown 1y ago Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies
CVE-2025-48889 unknown 1y ago Gradio Allows Unauthorized File Copy via Path Manipulation
CVE-2025-48881 unknown 1y ago Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users
CVE-2025-27528 unknown 1y ago Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read
CVE-2025-27526 unknown 1y ago Apache InLong: JDBC Vulnerability For URLEncode and backspace bypass
CVE-2025-27522 unknown 1y ago Apache InLong: JDBC Vulnerability during verification processing
CVE-2025-48382 unknown 1y ago Fess has Insecure Temporary File Permissions
CVE-2025-4632 unknown 1.5 KEV 1y ago Samsung MagicINFO 9 Server contains a path traversal vulnerability that allows an attacker to write arbitrary file as system authority.
CVE-2025-4949 unknown debian debian sles 1y ago Eclipse JGit XML External Entity (XXE) Vulnerability
CVE-2025-48063 unknown 1y ago XWiki Platform Security Authorization Bridge allows users with just edit right to enforce required rights with programming right
CVE-2025-41232 unknown 1y ago Spring Security authorization bypass for method security annotations on private methods
CVE-2025-4428 unknown 2.5 KEVEXP 1y ago Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. T…
CVE-2025-4427 unknown 2.5 KEVEXP 1y ago Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted…
CVE-2025-27920 unknown 1.5 KEV 1y ago Srimax Output Messenger contains a directory traversal vulnerability that allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or …
CVE-2024-27443 unknown 1.5 KEV 1y ago Zimbra Collaboration contains a cross-site scripting (XSS) vulnerability in the CalendarInvite feature of the Zimbra webmail classic user interface. An attacker can exploit this vulnerability via an …
CVE-2024-11182 unknown 1.5 KEV 1y ago MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message.
CVE-2023-38950 unknown 1.5 KEV 1y ago ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.
CVE-2025-22233 unknown debian debian 1y ago Spring Framework DataBinder Case Sensitive Match Exception
CVE-2025-1975 unknown sles 1y ago Ollama Server Vulnerable to Denial of Service (DoS) Attack
CVE-2025-47783 unknown 1y ago label-studio vulnerable to Cross-Site Scripting (Reflected) via the label_config parameter.
CVE-2025-47279 unknown FIX debian debian 1y ago Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server …
CVE-2025-42999 unknown 1.5 KEV 1y ago SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host s…
CVE-2024-12987 unknown 1.5 KEV 1y ago DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web ma…
CVE-2025-47889 unknown 1y ago Jenkins WSO2 Oauth Plugin Fails to Properly Authenticate User Credentials
CVE-2025-47888 unknown 1y ago Jenkins DingTalk Plugin Unconditionally Disables SSL/TLS Certificate and Hostname Validation
CVE-2025-47887 unknown 1y ago Jenkins Cadence vManager Plugin is Missing Permission Checks
CVE-2025-47886 unknown 1y ago Jenkins Cadence vManager Plugin Vulnerable to Cross-Site Request Forgery
CVE-2025-47885 unknown 1y ago Jenkins Health Advisor by CloudBees Plugin Vulnerable to Cross-Site Scripting
CVE-2025-47884 unknown 1y ago Jenkins OpenID Connect Provider Plugin Incorrectly Validates Crafted Build ID Tokens
CVE-2025-4641 unknown 1y ago BoniGarcia WebDriverManager Affected By Improper Restriction of XML External Entity Reference
CVE-2025-26864 unknown 1y ago Apache IoTDB Discloses Sensitive Information via Log Files
CVE-2025-26795 unknown 1y ago Apache IoTDB JDBC Driver Discloses Sensitive Information via Log Files
CVE-2024-24780 unknown 1y ago Apache IoTDB Vulnerable to Remote Code Execution
CVE-2025-32756 unknown 1.5 KEV 1y ago Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted …
CVE-2025-32709 unknown 1.5 KEV 1y ago Microsoft Windows Ancillary Function Driver for WinSock contains a use-after-free vulnerability that allows an authorized attacker to escalate privileges to administrator.
CVE-2025-32706 unknown 1.5 KEV 1y ago Microsoft Windows Common Log File System (CLFS) Driver contains a heap-based buffer overflow vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2025-32701 unknown 1.5 KEV 1y ago Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2025-30400 unknown 1.5 KEV 1y ago Microsoft Windows DWM Core Library contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2025-30397 unknown 2.5 KEVEXP 1y ago Microsoft Windows Scripting Engine contains a type confusion vulnerability that allows an unauthorized attacker to execute code over a network via a specially crafted URL.
CVE-2025-47729 unknown 1.5 KEV 1y ago TeleMessage TM SGNL contains a hidden functionality vulnerability in which the archiving backend holds cleartext copies of messages from TM SGNL application users.
CVE-2025-46392 unknown FIX debian debian 1y ago Apache Commons Configuration Uncontrolled Resource Consumption
CVE-2025-47737 unknown 1y ago Unsound issue in Trailer
CVE-2025-1948 unknown FIX debian debian 1y ago Eclipse Jetty HTTP/2 client can force the server to allocate a humongous byte buffer that may lead to OoM and subsequently the JVM to exit
CVE-2024-13009 unknown FIX sles debian debian 1y ago **UNSUPPORTED WHEN ASSIGNED** GzipHandler causes part of request body to be seen as request body of a separate request
CVE-2025-44021 unknown FIX debian debian 1y ago OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can pro…
CVE-2025-35939 unknown 1.5 KEV 1y ago Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a…
CVE-2025-46827 unknown 1y ago Graylog Allows Session Takeover via Insufficient HTML Sanitization
CVE-2025-27533 unknown 1.0 EXPFIX debian debian 1y ago Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation
CVE-2025-46551 unknown 1y ago JRuby-OpenSSL has hostname verification disabled by default
CVE-2024-6047 unknown 1.5 KEV 1y ago Multiple GeoVision devices contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be…
CVE-2024-11120 unknown 1.5 KEV 1y ago Multiple GeoVision devices contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be…
CVE-2025-2901 unknown 1y ago HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store
CVE-2025-4388 unknown 1y ago Liferay Portal Reflected XSS in marketplace-app-manager-web
CVE-2025-46762 unknown 1y ago Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata
CVE-2025-45616 unknown 1y ago BRCC Incorrect Access Control vulnerability
CVE-2025-29573 unknown 1y ago Mezzanine CMS Cross-Site Scripting (XSS) vulnerability
CVE-2025-2905 unknown 1y ago WSO2 API Manager XML External Entity (XXE) vulnerability
CVE-2025-34028 unknown 1.5 KEV 1y ago Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code.
CVE-2024-52979 unknown 1y ago Elasticsearch Uncontrolled Resource Consumption Vulnerability
CVE-2023-44221 unknown 1.5 KEV 1y ago SonicWall SMA100 appliances contain an OS command injection vulnerability in the SSL-VPN management interface that allows a remote, authenticated attacker with administrative privilege to inject arbi…
CVE-2025-3910 unknown 1y ago Keycloak vulnerable to two factor authentication bypass
CVE-2025-3501 unknown 1y ago Keycloak hostname verification
CVE-2025-46558 unknown 1y ago org.xwiki.contrib.markdown:syntax-markdown-commonmark12 vulnerable to XSS via Markdown content
CVE-2025-46557 unknown 1y ago Any user with view access to the XWiki space can change the authenticator
CVE-2025-46554 unknown 1y ago XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API
CVE-2025-32974 unknown 1y ago org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type
CVE-2025-32973 unknown 1y ago org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
CVE-2025-32972 unknown 1y ago The lesscss script service allows cache clearing without programming right
CVE-2025-32971 unknown 1y ago Solr script service doesn't take dropped programming right into account
CVE-2025-32970 unknown 1y ago org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability
CVE-2025-31324 unknown 1.5 KEV 1y ago SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.
CVE-2025-22235 unknown 1y ago Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
CVE-2025-42599 unknown 1.5 KEV 1y ago Qualitia Active! Mail contains a stack-based buffer overflow vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or trigger a denial-of-service via a specially crafted r…
CVE-2025-3928 unknown 1.5 KEV 1y ago Commvault Web Server contains an unspecified vulnerability that allows a remote, authenticated attacker to create and execute webshells.
CVE-2025-1976 unknown 1.5 KEV 1y ago Broadcom Brocade Fabric OS contains a code injection vulnerability that allows a local user with administrative privileges to execute arbitrary code with full root privileges.
CVE-2025-3986 unknown 1y ago Apereo CAS has inefficient regular expression complexity
CVE-2025-3985 unknown 1y ago Apereo CAS has inefficient regular expression complexity
CVE-2025-3984 unknown 1y ago Apereo CAS code injection vulnerability
CVE-2025-32432 unknown 2.5 KEVEXP 1y ago Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.
CVE-2025-27820 unknown FIX debian debian sles 1y ago Apache HttpClient disables domain checks
CVE-2025-32969 unknown 1y ago org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API
CVE-2025-32968 unknown 1y ago org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API
CVE-2025-32961 unknown 1y ago XSS in the /download Endpoint of the JPA Web API
CVE-2025-32960 unknown 1y ago XSS in the /files Endpoint of the Generic REST API
CVE-2025-32959 unknown 1y ago Cuba has a DoS in the File Storage
CVE-2025-32952 unknown 1y ago io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage
CVE-2025-32951 unknown 1y ago io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API
CVE-2025-24016 unknown 2.5 KEVEXP 1y ago Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.
CVE-2025-32950 unknown 1y ago io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage
CVE-2025-29287 unknown 1y ago MCMS allows arbitrary file uploads in the ueditor component
CVE-2024-42699 unknown 1y ago OpenCMS Cross-Site Scripting vulnerability
CVE-2024-41446 unknown 1y ago OpenCMS cross-site scripting (XSS) vulnerability
CVE-2025-43973 unknown FIX debian debian 1y ago An issue was discovered in GoBGP before 3.35.0. pkg/packet/rtr/rtr.go does not verify that the input length corresponds to a situation in which all bytes are available for an RTR message.