Search
CVE Explorer
Search the full tracked CVE corpus across every vendor — by keyword, vendor, severity, CVSS band and publication date. Server-rendered; each filtered view has its own URL.
01
Filters
Submit to refine — state is held in the URL.
02
Results
18,100 matching · page 261/362Each CVE id links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2025-36062(opens NVD record) | Medium | 5.9 | IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could be vulnerable to information exposure due to the use of unencrypted network traffic. | Jul 21, 2025 |
| CVE-2025-36057(opens NVD record) | Medium | 5.2 | IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 is vulnerable to authentication bypass by using the Local Authentication Framework library which is not needed as biometric authentication is not used in the application. | Jul 21, 2025 |
| CVE-2025-44654(opens NVD record) | Critical | 9.8 | In Linksys E2500 3.0.04.002, the chroot_local_user option is enabled in the vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks. | Jul 21, 2025 |
| CVE-2025-36107(opens NVD record) | Medium | 5.9 | IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could allow malicious actors to obtain sensitive information due to the cleartext transmission of data. | Jul 21, 2025 |
| CVE-2025-44653(opens NVD record) | High | 7.5 | In H3C GR2200 MiniGR1A0V100R016, the USERLIMIT_GLOBAL option is set to 0 in the /etc/bftpd.conf. This can cause DoS attacks when unlimited users are connected. | Jul 21, 2025 |
| CVE-2025-44649(opens NVD record) | High | 7.5 | In the configuration file of racoon in the TRENDnet TEW-WLC100P 2.03b03, the first item of exchage_mode is set to aggressive. Aggressive mode in IKE Phase 1 exposes identity information in plaintext, is vulnerable to offline dictionary attacks, and lacks flexibility in negotiating security parameters. | Jul 21, 2025 |
| CVE-2025-36603(opens NVD record) | Medium | 4.2 | Dell AppSync, version(s) 4.6.0.0, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering. | Jul 21, 2025 |
| CVE-2025-32744(opens NVD record) | Medium | 6.6 | Dell AppSync, version(s) 4.6.0.0, contains an Unrestricted Upload of File with Dangerous Type vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote execution. | Jul 21, 2025 |
| CVE-2025-30477(opens NVD record) | Medium | 4.4 | Dell PowerScale OneFS, versions prior to 9.11.0.0, contains a use of a broken or risky cryptographic algorithm vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | Jul 21, 2025 |
| CVE-2025-44657(opens NVD record) | Low | 3.9 | In Linksys EA6350 V2.1.2, the chroot_local_user option is enabled in the dynamically generated vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks. | Jul 21, 2025 |
| CVE-2025-44655(opens NVD record) | Critical | 9.8 | In TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9, the chroot_local_user option is enabled in the vsftpd.conf. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks. | Jul 21, 2025 |
| CVE-2025-44651(opens NVD record) | High | 7.5 | In TRENDnet TPL-430AP FW1.0, the USERLIMIT_GLOBAL option is set to 0 in the bftpd-related configuration file. This can cause DoS attacks when unlimited users are connected. | Jul 21, 2025 |
| CVE-2025-44647(opens NVD record) | High | 7.3 | In TRENDnet TEW-WLC100P 2.03b03, the i_dont_care_about_security_and_use_aggressive_mode_psk option is enabled in the strongSwan configuration file, so that IKE Responders are allowed to use IKEv1 Aggressive Mode with Pre-Shared Keys to conduct offline attacks on the openly transmitted hash of the PSK. | Jul 21, 2025 |
| CVE-2025-46123(opens NVD record) | High | 7.2 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where the authenticated configuration endpoint `/admin/_conf.jsp` writes the Wi-Fi guest password to memory with snprintf using the attacker-supplied value as the format string; a crafted password therefore triggers uncontrolled format-string processing and enables remote code execution on the controller. | Jul 21, 2025 |
| CVE-2025-46122(opens NVD record) | Critical | 9.1 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the shell without adequate validation, enabling a remote attacker to specify a target by MAC address and execute arbitrary commands as root. | Jul 21, 2025 |
| CVE-2025-46121(opens NVD record) | Critical | 9.8 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller. | Jul 21, 2025 |
| CVE-2025-46120(opens NVD record) | Critical | 9.8 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a remote unauthenticated attacker who can upload a template (e.g., via FTP) to escalate privileges and run arbitrary template code on the controller. | Jul 21, 2025 |
| CVE-2025-46119(opens NVD record) | Medium | 6.3 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where an authenticated request to the management endpoint `/admin/_cmdstat.jsp` discloses the administrator password in a trivially reversible obfuscated form. The same obfuscation method persists in configuration prior to 200.18.7.1.302, allowing anyone who obtains the system configuration to recover the plaintext credentials. | Jul 21, 2025 |
| CVE-2025-46118(opens NVD record) | Medium | 5.3 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139 and in Ruckus ZoneDirector prior to 10.5.1.0.279, where hard-coded credentials for the ftpuser account provide FTP access to the controller, enabling a remote attacker to upload or retrieve arbitrary files from writable firmware directories and thereby expose sensitive information or compromise the controller. | Jul 21, 2025 |
| CVE-2025-46117(opens NVD record) | Critical | 9.1 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where a hidden debug script `.ap_debug.sh` invoked from the restricted CLI does not properly sanitize its input, allowing an authenticated attacker to execute arbitrary commands as root on the controller or specified target. | Jul 21, 2025 |
| CVE-2025-46116(opens NVD record) | High | 8.8 | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where an authenticated attacker can disable the passphrase requirement for a hidden CLI command `!v54!` via a management API call and then invoke it to escape the restricted shell and obtain a root shell on the controller. | Jul 21, 2025 |
| CVE-2025-7624(opens NVD record) | Critical | 9.8 | An SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA. | Jul 21, 2025 |
| CVE-2025-7382(opens NVD record) | High | 8.8 | A command injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to adjacent attackers achieving pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled. | Jul 21, 2025 |
| CVE-2025-6704(opens NVD record) | Critical | 9.8 | An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode. | Jul 21, 2025 |
| CVE-2025-6235(opens NVD record) | Medium | 6.1 | In ExtremeControl before 25.5.12, a cross-site scripting (XSS) vulnerability was discovered in a login interface of the affected application. The issue stems from improper handling of user-supplied input within HTML attributes, allowing an attacker to inject script code that may execute in a user's browser under specific interaction conditions. Successful exploitation could lead to exposure of user data or unauthorized actions within the browser context. | Jul 21, 2025 |
| CVE-2024-13974(opens NVD record) | High | 8.1 | A business logic vulnerability in the Up2Date component of Sophos Firewall older than version 21.0 MR1 (20.0.1) can lead to attackers controlling the firewall’s DNS environment to achieve remote code execution. | Jul 21, 2025 |
| CVE-2024-13973(opens NVD record) | Medium | 6.8 | A post-auth SQL injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR1 (21.0.1) can potentially lead to administrators achieving arbitrary code execution. | Jul 21, 2025 |
| CVE-2025-24938(opens NVD record) | High | 8.4 | The web application allows user input to pass unfiltered to a command executed on the underlying operating system. An attacker with high privileged access (administrator) to the application has the potential execute commands on the operating system under the context of the webserver. The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. Has the potential to inject command while creating a new User from User Management. | Jul 21, 2025 |
| CVE-2025-24937(opens NVD record) | Critical | 9.0 | File contents could be read from the local file system by an attacker. Additionally, malicious code could be inserted in the file, leading to a full compromise of the web application and the container it is running on. The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. The web application allows arbitrary files to be included in a file that was downloadable and executable by the web server. | Jul 21, 2025 |
| CVE-2025-24936(opens NVD record) | Critical | 9.0 | The web application allows user input to pass unfiltered to a command executed on the underlying operating system. The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. An attacker with low privileged access to the application has the potential to execute commands on the operating system under the context of the webserver. | Jul 21, 2025 |
| CVE-2025-53771(opens NVD record) | Medium | 6.5 | Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | Jul 20, 2025 |
| CVE-2025-53770(opens NVD record) | Critical | 9.8 | Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation. | Jul 20, 2025 |
| CVE-2025-54313(opens NVD record) | High | 7.5 | eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows. | Jul 19, 2025 |
| CVE-2025-50583(opens NVD record) | Medium | 4.8 | StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Student module. | Jul 18, 2025 |
| CVE-2025-50582(opens NVD record) | Medium | 4.8 | StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Course module. | Jul 18, 2025 |
| CVE-2025-50581(opens NVD record) | Medium | 4.8 | MRCMS v3.1.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/group/save.do. | Jul 18, 2025 |
| CVE-2025-50584(opens NVD record) | Medium | 4.8 | StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Teacher module. | Jul 18, 2025 |
| CVE-2025-52169(opens NVD record) | High | 7.1 | agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability. | Jul 18, 2025 |
| CVE-2025-52163(opens NVD record) | Medium | 6.5 | A Server-Side Request Forgery (SSRF) in the component TunnelServlet of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows attackers to forcefully initiate connections to arbitrary internal and external resources via a crafted request. This can lead to sensitive data exposure. | Jul 18, 2025 |
| CVE-2025-50585(opens NVD record) | High | 8.8 | StudentManage v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/adminStudentUrl. | Jul 18, 2025 |
| CVE-2025-33014(opens NVD record) | Medium | 5.4 | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.4 uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the victims’ web browser. | Jul 18, 2025 |
| CVE-2025-52168(opens NVD record) | Medium | 6.5 | Incorrect access control in the dynawebservice component of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows unauthenticated attackers to access arbitrary files on the system. | Jul 18, 2025 |
| CVE-2025-52166(opens NVD record) | Medium | 6.5 | Incorrect access control in Software GmbH Agorum core open v11.9.2 & v11.10.1 allows authenticated attackers to escalate privileges to Administrator and access sensitive components and information. | Jul 18, 2025 |
| CVE-2025-52164(opens NVD record) | High | 8.2 | Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to store credentials in plaintext. | Jul 18, 2025 |
| CVE-2025-53762(opens NVD record) | High | 8.7 | Permissive list of allowed inputs in Microsoft Purview allows an authorized attacker to elevate privileges over a network. | Jul 18, 2025 |
| CVE-2025-52162(opens NVD record) | Medium | 6.5 | agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain an XML External Entity (XXE) via the RSSReader endpoint. This vulnerability allows attackers to access sensitive data via providing a crafted XML input. | Jul 18, 2025 |
| CVE-2025-50586(opens NVD record) | Medium | 6.5 | StudentManage v1.0 was discovered to contain Cross-Site Request Forgery (CSRF). | Jul 18, 2025 |
| CVE-2025-49747(opens NVD record) | Critical | 9.9 | Missing authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network. | Jul 18, 2025 |
| CVE-2025-49746(opens NVD record) | Critical | 9.9 | Improper authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network. | Jul 18, 2025 |
| CVE-2025-47995(opens NVD record) | Medium | 6.5 | Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a network. | Jul 18, 2025 |