Total CVEs

142,750

Critical Severity

4,026

High Severity

14,425

Last 7 Days

1,215
Quick preset (or use dates below)
Clear Filters
Showing 14,741 - 14,760 of 14,834 CVEs
CVE-2025-68945 MEDIUM - 5.3

In Gitea before 1.21.2, an anonymous user can visit a private user's project.

Vendor: gitea
Product: gitea
Published: Dec 26, 2025
Source: NVD
CVE-2025-68944 MEDIUM - 5.3

Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.

Vendor: gitea
Product: gitea
Published: Dec 26, 2025
Source: NVD
CVE-2025-68943 MEDIUM - 5.3

Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.

Vendor: gitea
Product: gitea
Published: Dec 26, 2025
Source: NVD
CVE-2025-68942 MEDIUM - 5.4

Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.

Vendor: gitea
Product: gitea
Published: Dec 26, 2025
Source: NVD
CVE-2025-68941 MEDIUM - 5.3

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

Vendor: gitea
Product: gitea
Published: Dec 26, 2025
Source: NVD
CVE-2025-68940 MEDIUM - 5.3

In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.

Vendor: gitea
Product: gitea
Published: Dec 26, 2025
Source: NVD
CVE-2025-68939 MEDIUM - 5.3

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

Vendor: gitea
Product: gitea
Published: Dec 26, 2025
Source: NVD
CVE-2025-15098 MEDIUM - 6.3

A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may ...

Published: Dec 26, 2025
Source: NVD
CVE-2025-68938 MEDIUM - 5.3

Gitea before 1.25.2 mishandles authorization for deletion of releases.

Vendor: gitea
Product: gitea
Published: Dec 26, 2025
Source: NVD
CVE-2025-15094 MEDIUM - 6.1

A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Executing manipulation of the argument redirectUrl can lea...

Vendor: sunkaifei
Product: flycms
Published: Dec 26, 2025
Source: NVD
CVE-2025-15093 MEDIUM - 6.1

A security flaw has been discovered in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login. Performing manipulation of the argument redirect...

Vendor: sunkaifei
Product: flycms
Published: Dec 26, 2025
Source: NVD
CVE-2025-14913 MEDIUM - 5.3

The Frontend Post Submission Manager Lite โ€“ Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible fo...

Published: Dec 26, 2025
Source: NVD
CVE-2025-15088 MEDIUM - 6.3

A vulnerability was detected in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is the function postilService.loadPostils of the file /je/postil/postil/loadPostil. Performing manipulation of the argument keyWord results in sql injection. Remote exploitation of the attack is possible. The exp...

Published: Dec 25, 2025
Source: NVD
CVE-2025-15087 MEDIUM - 4.3

A security vulnerability has been detected in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function submitOrderPayment of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java. Such manipulation of the argument orderSn leads to improper authorization...

Vendor: youlai
Product: youlai-mall
Published: Dec 25, 2025
Source: NVD
CVE-2025-15086 MEDIUM - 4.3

A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. This manipulation causes improper access controls. The attack may be initiated remot...

Vendor: youlai
Product: youlai-mall
Published: Dec 25, 2025
Source: NVD
CVE-2025-68936 MEDIUM - 6.1

ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.

Vendor: onlyoffice
Product: document_server
Published: Dec 25, 2025
Source: NVD
CVE-2025-68935 MEDIUM - 6.1

ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.

Vendor: onlyoffice
Product: document_server
Published: Dec 25, 2025
Source: NVD
CVE-2025-15083 MEDIUM - 4.6

A vulnerability was determined in TOZED ZLT M30s up to 1.47. The affected element is an unknown function of the component UART Interface. Executing manipulation can lead to on-chip debug and test interface with improper access control. The physical device can be targeted for the attack. Attacks of t...

Vendor: gztozed
Product: zlt_m30s_firmware
Published: Dec 25, 2025
Source: NVD
CVE-2025-15081 MEDIUM - 6.3

A vulnerability has been found in JD Cloud BE6500 4.4.1.r4308. This issue affects the function sub_4780 of the file /jdcapi. Such manipulation of the argument ddns_name leads to command injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. ...

Published: Dec 25, 2025
Source: NVD
CVE-2025-66443 MEDIUM - 5.3

Pexip Infinity 35.0 through 38.1 before 39.0, in non-default configurations that use Direct Media for WebRTC, has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a temporary denial of service.

Vendor: pexip
Product: pexip_infinity
Published: Dec 25, 2025
Source: NVD