Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,270
Quick preset (or use dates below)
Clear Filters
Showing 15,041 - 15,059 of 15,059 CVEs
CVE-2025-67629 MEDIUM - 5.4

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basticom Basticom Framework basticom-framework allows Stored XSS.This issue affects Basticom Framework: from n/a through <= 1.5.2.

Published: Dec 24, 2025
Source: NVD
CVE-2025-67628 MEDIUM - 5.4

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AMP-MODE Review Disclaimer review-disclaimer allows Stored XSS.This issue affects Review Disclaimer: from n/a through <= 2.0.3.

Published: Dec 24, 2025
Source: NVD
CVE-2025-67627 MEDIUM - 5.4

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TouchOfTech Draft Notify draft-notify allows Stored XSS.This issue affects Draft Notify: from n/a through <= 1.5.

Published: Dec 24, 2025
Source: NVD
CVE-2023-40679 MEDIUM - 6.5

Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.5.3.

Published: Dec 24, 2025
Source: NVD
CVE-2023-32120 MEDIUM - 5.9

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bob Hostel allows DOM-Based XSS.This issue affects Hostel: from n/a through 1.1.5.1.

Published: Dec 24, 2025
Source: NVD
CVE-2023-28619 MEDIUM - 4.3

Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Resoto: from n/a through 1.0.8.

Published: Dec 24, 2025
Source: NVD
CVE-2025-64641 MEDIUM - 4.1

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted...

Vendor: mattermost
Product: mattermost_server
Published: Dec 24, 2025
Source: NVD
CVE-2025-13767 MEDIUM - 4.3

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content ...

Vendor: mattermost
Product: mattermost_server
Published: Dec 24, 2025
Source: NVD
CVE-2025-13407 MEDIUM - 6.8

The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload pa...

Published: Dec 24, 2025
Source: NVD
CVE-2024-58335 MEDIUM - 5.0

OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java.

Published: Dec 24, 2025
Source: NVD
CVE-2025-15052 MEDIUM - 5.4

A vulnerability was detected in code-projects Student Information System 1.0. This vulnerability affects unknown code of the file /profile.php. Performing manipulation of the argument firstname/lastname results in cross site scripting. The attack is possible to be carried out remotely. The exploit i...

Vendor: fabian
Product: student_information_system
Published: Dec 24, 2025
Source: NVD
CVE-2025-66407 MEDIUM - 5.0

Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not...

Vendor: pip
Product: Weblate
Published: Dec 16, 2025
Source: NVD
CVE-2025-64183 MEDIUM - 7.5

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, there is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp. ...

Vendor: pip
Product: OpenEXR
Published: Nov 10, 2025
Source: NVD
CVE-2025-64182 MEDIUM - 7.8

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.2.0 through 3.2.4, 3.3.0 through 3.3.5, and 3.4.0 through 3.4.2, a memory safety bug in the legacy OpenEXR Python adapter (the deprecated Ope...

Vendor: pip
Product: OpenEXR
Published: Nov 10, 2025
Source: NVD
CVE-2025-11000 MEDIUM - 4.4

A vulnerability was determined in Open Babel up to 3.1.1. This affects the function PQSFormat::ReadMolecule of the file /src/formats/PQSformat.cpp. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utili...

Vendor: pip
Product: openbabel
Published: Sep 26, 2025
Source: NVD
CVE-2025-10999 MEDIUM - 5.5

A vulnerability was found in Open Babel up to 3.1.1. The impacted element is the function CacaoFormat::SetHilderbrandt of the file /src/formats/cacaoformat.cpp. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been made public and c...

Vendor: pip
Product: openbabel
Published: Sep 26, 2025
Source: NVD

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, low privileged users can upload HTML files which contain JavaScript code via the `/api/v1/files/` backend endpoint. This endpoint returns a file id, which can be used to open th...

Vendor: pip
Product: open-webui
Published: May 05, 2025
Source: NVD
CVE-2024-37155 MEDIUM - 6.5

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Prior to version 6.1.9, the regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed character...

Vendor: pip
Product: pycti
Published: Nov 18, 2024
Source: NVD
CVE-2023-1289 MEDIUM - 5.5

A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a d...

Vendor: nuget
Product: Magick.NET-Q16-AnyCPU
Published: Mar 23, 2023
Source: NVD