Total CVEs

142,750

Critical Severity

4,026

High Severity

14,425

Last 7 Days

1,242
Quick preset (or use dates below)
Clear Filters
Showing 14,721 - 14,740 of 14,834 CVEs
CVE-2025-68972 MEDIUM - 4.7

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is ...

Vendor: gnupg
Product: gnupg
Published: Dec 27, 2025
Source: NVD
CVE-2025-15106 MEDIUM - 4.3

A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit h...

Vendor: maxun
Product: maxun
Published: Dec 27, 2025
Source: NVD
CVE-2025-15105 MEDIUM - 5.9

A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Performing manipulation of the argument api_key results in use of hard-coded cryptographic key . Remote exploitation of the attack ...

Vendor: maxun
Product: maxun
Published: Dec 27, 2025
Source: NVD
CVE-2025-68927 MEDIUM - 6.1

Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in <p> tags. However, by intercepting...

Vendor: libredesk
Product: libredesk
Published: Dec 27, 2025
Source: NVD
CVE-2025-68697 MEDIUM - 5.4

n8n is an open source workflow automation platform. Prior to version 2.0.0, in self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. Th...

Vendor: n8n
Product: n8n
Published: Dec 26, 2025
Source: NVD
CVE-2025-61914 MEDIUM - 5.4

n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the ...

Vendor: n8n
Product: n8n
Published: Dec 26, 2025
Source: NVD
CVE-2025-66737 MEDIUM - 4.3

Yealink T21P_E2 Phone 52.84.0.15 is vulnerable to Directory Traversal. A remote normal privileged attacker can read arbitrary files via a crafted request result read function of the diagnostic component.

Vendor: yealink
Product: sip-t21\(p\)e2_firmware
Published: Dec 26, 2025
Source: NVD
CVE-2024-42718 MEDIUM - 6.5

A path traversal vulnerability in Croogo CMS 4.0.7 allows remote attackers to read arbitrary files via a specially crafted path in the 'edit-file' parameter.

Vendor: croogo
Product: croogo
Published: Dec 26, 2025
Source: NVD
CVE-2025-67013 MEDIUM - 6.5

The web management interface in ETL Systems Ltd DEXTRA Series ' Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no Origin/Referer validation) on critical configuration endpoints.

Vendor: etlsystems
Product: d0116s1ula-22454_firmware
Published: Dec 26, 2025
Source: NVD
CVE-2024-29720 MEDIUM - 5.5

An issue in Terra Informatica Software, Inc Sciter v.4.4.7.0 allows a local attacker to obtain sensitive information via the adopt component of the Sciter video rendering function.

Vendor: terrainformatica
Product: sciter
Published: Dec 26, 2025
Source: NVD
CVE-2025-67349 MEDIUM - 6.1

A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the "Add Page" function, the application fails to properly sanitize input in the <head> section, allowing remote attackers to inject arbitrary script tags.

Vendor: fluentcms
Product: fluentcms
Published: Dec 26, 2025
Source: NVD
CVE-2025-66947 MEDIUM - 6.5

SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP() to infer database contents. Successful exploitation may lead to full database compromise, especially wi...

Vendor: krishanmurariji
Product: student_management_system
Published: Dec 26, 2025
Source: NVD
CVE-2025-65885 MEDIUM - 5.1

An issue was discovered in the Delight Custom Firmware (CFW) for Nokia Symbian Belle devices on Nokia 808 (Delight v1.8), Nokia N8 (Delight v6.7), Nokia E7 (Delight v1.3), Nokia C7 (Delight v6.7), Nokia 700 (Delight v1.2), Nokia 701 (Delight v1.1), Nokia 603 (Delight v1.0), Nokia 500 (Delight v1.2),...

Vendor: symwld
Product: delight_custom_firmware
Published: Dec 26, 2025
Source: NVD
CVE-2025-36230 MEDIUM - 5.4

IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

Vendor: ibm
Product: aspera_faspex
Published: Dec 26, 2025
Source: NVD
CVE-2025-36229 MEDIUM - 4.3

IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive information of data due by enumerating package identifiers.

Vendor: ibm
Product: aspera_faspex
Published: Dec 26, 2025
Source: NVD
CVE-2025-14687 MEDIUM - 6.5

IBM Db2 Intelligence Center 1.1.0, 1.1.1, 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms.

Vendor: ibm
Product: db2_intelligence_center
Published: Dec 26, 2025
Source: NVD
CVE-2025-59888 MEDIUM - 6.7

Improper quotation in search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution of an attacker with the access to the file system. This security issue has been fixed in the latest version of EUC which is available on the Eaton download center.

Published: Dec 26, 2025
Source: NVD
CVE-2025-8075 MEDIUM - 5.4

Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered that validation of incoming XML format request messages is inadequate. This vulnerability could allow an attacker to XSS on the user's browser. The ...

Vendor: hanwhavision
Product: xno-8082r_firmware
Published: Dec 26, 2025
Source: NVD
CVE-2025-68946 MEDIUM - 5.4

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.

Vendor: gitea
Product: gitea
Published: Dec 26, 2025
Source: NVD
CVE-2025-52599 MEDIUM - 6.5

Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered Inadequate of permission management for camera guest account. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer...

Vendor: hanwhavision
Product: xnv-l6080r_firmware
Published: Dec 26, 2025
Source: NVD