CVE / JVNDB Latest 100

itsourcecode Baptism Information Management System listbaptism.php sql injection

itsourcecode Baptism Information Management System rptbaptismal.php sql injection

PHPGurukul Beauty Parlour Management System view-enquiry.php sql injection

Regular Expression Denial of Service (ReDoS) in huggingface/transformers

PHPGurukul Beauty Parlour Management System readenq.php sql injection

D-Link DIR-823x diag_ping command injection

SourceCodester Food Ordering Management System ticket-message.php sql injection

Korzh EasyQuery Query Builder UI fetch sql injection

IBM QRadar SIEM information disclosure

IBM PowerVM Hypervisor denial of service

Unauth Admin Reset Password on AC Smart II

fcba_zzm ics-park Smart Park Management System FileUploadUtils.java unrestricted upload

Magicblack MacCMS API server-side request forgery

SourceCodester Pet Grooming Management Software edit_role.php sql injection

Magicblack MacCMS Scheduled Task col_url server-side request forgery

fcba_zzm ics-park Smart Park Management System Scheduled Task JobController.java code injection

miurla morphic HTTP Status Code 3xx advanced-search fetchHtml server-side request forgery

Mercury KM08-708H GiGA WiFi Wave2 HTTP Header stack-based overflow

CRMEB OutAccountServices.php testOutUrl server-side request forgery

In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created),

CRMEB UserAddressServices.php editAddress improper authorization

CRMEB Administrator Password SystemAdminServices.php save improper authorization

Selleo Mentingo Create New Course Basic Settings enroll-course cross site scripting

codesiddhant Jasmin Ransomware handshake.php sql injection

Yida ECMS Consulting Enterprise Management System POST Request login.do cross site scripting

Mercury KM08-708H GiGA WiFi Wave2 mcr_setSysAdm sub_450B2C buffer overflow

Kernel: max page sharing of kernel samepage merging (ksm) may cause memory deduplication

yangzongzhuan RuoYi Role cancelAll improper authorization

Shenzhen Sixun Business Management System OperatorStop improper authorization

Portabilis i-Educar educar_turma_tipo_cad.php cross site scripting

Portabilis i-Educar educar_modulo_cad.php cross site scripting

eCharge Hardy Barth Salia PLCC api.php unrestricted upload

MiczFlor RPi-Jukebox-RFID userScripts.php cross site scripting

MiczFlor RPi-Jukebox-RFID cardRegisterNew.php cross site scripting

MiczFlor RPi-Jukebox-RFID manageFilesFolders.php cross site scripting

Verkehrsauskunft Österreich SmartRide/cleVVVer/BusBahnBim/Salzburg Verkehr AndroidManifest.xml improper export of android application components

MiczFlor RPi-Jukebox-RFID cardEdit.php cross site scripting

MiczFlor RPi-Jukebox-RFID inc.setWlanIpMail.php cross site scripting

Wavlink WL-WN578W2 wireless.cgi sub_404DBC os command injection

Golang-fips/openssl: memory leaks in code encrypting and decrypting rsa payloads

Wavlink WL-WN578W2 wireless.cgi sub_404850 os command injection

Cortex XDR Microsoft 365 Defender Pack: Cleartext Exposure of Credentials

IBM Fusion insecure default configuration

Agentic AI and Visual Studio Code Remote Code Execution Vulnerability

IBM Security Verify Information Queue code execution

Out-of-bounds write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code.

Out-of-bounds write in libimagecodec.quram.so prior to SMR Apr-2025 Release 1 allows remote attackers to execute arbitrary code.

Zabbix Agent 2 smartctl plugin RCE vulnerability in Zabbix 5.0.

Secondary-order SQL injection in Zabbix Server when deleting an autoregistered host

User-ID Credential Agent: Cleartext Exposure of Service Account password

WhatCD Gazelle Commit Message change_log.php cross site scripting

cdevroe unmark info.php cross site scripting

cdevroe unmark Marks.php cross site scripting

cdevroe unmark searchform.php cross site scripting

cdevroe unmark Marks.php server-side request forgery

MiczFlor RPi-Jukebox-RFID playsinglefile.php os command injection

The Hack Repair Guy's Plugin Archiver <= 2.0.4 - Authenticated (Administrator+) Arbitrary File Deletion

MiczFlor RPi-Jukebox-RFID shuffle.php os command injection

MiczFlor RPi-Jukebox-RFID single.php os command injection

Wavlink WL-WN578W2 login.cgi sub_401BA4 command injection

A stack overflow in the FTP service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

An issue in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to arbitrarily overwrite files via supplying a crafted PUT request.

Multiple stored cross-site scripting (XSS) vulnerabilities in Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the wifi_sta_ssid or wifi_ap_ssid parameters.

Incorrect access control in the web service of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to download car information without authentication.

Keycloak: potential bypass of brute force protection

Keycloak: exposure of sensitive information in pushed authorization requests (par) kc_restart cookie

Keycloak: leak of configured ldap bind credentials through the keycloak admin console

Open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_SystemSettingsPortlet_redirect parameter.Open redirect vulnerability in the Instance Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_InstanceSettingsPortlet_redirect parameter.Open redirect vulnerability in the Site Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_site_admin_web_portlet_SiteSettingsPortlet_redirect parameter.

Incorrect access control in the FTP protocol of Audi UTR 2.0 Universal Traffic Recorder 2.0 allows attackers to authenticate into the service using any combination of username and password.

Postgresql: merge fails to enforce update or select row security policies

Ghostscript: incomplete fix for cve-2020-16305

Keycloak: log injection during webauthn authentication or registration

Golang-fips: golang fips zeroed buffer

Buildah: podman: improper input validation in bind-propagation option of dockerfile run --mount instruction

Podman: buildah: cri-o: fips crypto-policy directory mounting issue in containers/common go library

Cri-o: checkpoint restore can be triggered from different namespaces

Keycloak: vulnerable redirect uri validation results in open redirec

Containers/aardvark-dns: tcp query handling flaw in aardvark-dns leading to denial of service

389-ds-base: server crash while modifying `userpassword` using malformed input (incomplete fix for cve-2024-2199)

Wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters

Gtk3: gtk2: library injection from cwd

Poppler: pdfinfo: crash in broken documents when using -dests parameter

389-ds-base: unauthenticated user can trigger a dos by sending a specific extended search request

389-ds-base: malformed userpassword hash may cause denial of service

Ruby: openssl: ruby marvin attack

Rust-openssl: timing based side-channel can lead to a bleichenbacher style attack

Podman: kernel: containers in shared ipc namespace are vulnerable to denial of service attack

Openjpeg: heap buffer overflow in bin/common/color.c

Freeipa: administrative user data leaked through systemd journal

Wildfly: wildfly vulnerable to cross-site scripting (xss)

389-ds-base: a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)

Freeipa: specially crafted http requests potentially lead to denial of service

Openjpeg: resource exhaustion will occur in the opj_t1_decode_cblks function in the tcd.c

Openjpeg: denail of service via crafted image file

Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659

Perl: perl for windows binary hijacking vulnerability

Perl: write past buffer end via illegal user-defined unicode property

389-ds-base: malformed userpassword may cause crash at do_modify in slapd/modify.c

Keycloak: open redirect via "form_post.jwt" jarm response mode

Ipa: invalid csrf protection