This vulnerability allows for improper authorization in the ruoyi-ai system, specifically in the SysModelController.java file, which can be exploited remotely.
This vulnerability is a problem because it enables unauthorized access to the system, potentially leading to sensitive data exposure, system compromise, or other malicious activities, and since the exploit has been publicly disclosed, attackers may actively try to exploit it.
The CVE-2025-3198 vulnerability causes a memory leak in the objdump component of GNU Binutils 2.43 and 2.44, specifically in the display_info function of the bucomm.c file, when manipulated locally.
This vulnerability is a problem because it can be exploited by local attackers to potentially cause system instability, information disclosure, or even execute malicious code, taking advantage of the publicly disclosed exploit.
The CVE-2025-3196 vulnerability is a stack-based buffer overflow in the Open Asset Import Library Assimp, specifically in the MD2Importer function, which occurs when a maliciously crafted file is processed, allowing an attacker to potentially execute arbitrary code.
This vulnerability is a problem because it can be exploited by an attacker to gain control over a system, allowing them to execute malicious code, steal sensitive information, or cause damage to the system, and since the exploit has been publicly disclosed, it is likely that attackers will try to take advantage of it.
The CVE-2025-3195 vulnerability allows an attacker to inject malicious SQL code into the Online Blood Bank Management System 1.0 by manipulating the "Search" argument in the /bbms.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive information in the blood bank management system, which could lead to data breaches, tampering, or other malicious activities.
The HMI ViewJet C-more series has a weak encoding for passwords, allowing a local authenticated attacker to potentially obtain authentication information if the vulnerability is exploited.
This vulnerability is a problem because it could give an attacker access to sensitive authentication information, which could be used to gain unauthorized access to the system or data, compromising the security and integrity of the system.
This vulnerability allows a remote attacker to use certain HMI products (ViewJet C-more series and HMI GC-A2 series) as a middleman to launch an FTP bounce attack, which can redirect malicious traffic to other systems.
This vulnerability is a problem because it enables attackers to disguise the origin of their malicious traffic, making it difficult to detect and block the attack, and potentially allowing them to access sensitive data or systems.
This vulnerability allows a remote unauthenticated attacker to allocate unlimited resources on HMI ViewJet C-more series and HMI GC-A2 series devices, potentially causing a denial-of-service (DoS) condition.
This vulnerability is a problem because it enables an attacker to overwhelm the device with requests, making it unavailable for legitimate use and potentially disrupting critical operations.
The CVE-2025-24310 vulnerability allows a remote unauthenticated attacker to trick users of the HMI ViewJet C-more series into performing unintended operations on the product's web pages by improperly restricting rendered UI layers or frames.
This vulnerability is a problem because it enables attackers to deceive users into taking actions they didn't intend to, potentially leading to unauthorized changes, data breaches, or disruption of critical systems.
This vulnerability allows an attacker to inject malicious SQL code into the PHPGurukul e-Diary Management System by manipulating the "Category" argument in the /add-notes.php file, potentially giving them unauthorized access to sensitive data.
This SQL injection vulnerability is a problem because it can be exploited remotely, allowing attackers to access, modify, or delete sensitive data, potentially leading to data breaches, unauthorized data modification, or disruption of service.
The CVE-2025-3187 vulnerability allows an attacker to inject malicious SQL code into the PHPGurukul e-Diary Management System 1.0 through the "logindetail" argument in the /login.php file, which can be exploited remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the system's database, potentially leading to unauthorized access, data theft, or system compromise, which can have severe consequences.
This vulnerability allows an attacker to execute code on a computer over a network by exploiting a "use after free" flaw in the Chromium-based Microsoft Edge browser, which occurs when the browser tries to access memory that has already been freed.
This vulnerability is a problem because it enables authorized attackers to remotely execute malicious code on a victim's computer, potentially leading to data theft, system compromise, or other harmful activities.
The CVE-2025-29796 vulnerability allows an attacker to misrepresent critical information on the user interface of Microsoft Edge for iOS, potentially tricking users into performing unintended actions, which can be done remotely over a network.
This vulnerability is a problem because it enables attackers to spoof information, which can lead to phishing attacks, unauthorized access to sensitive data, and other malicious activities, ultimately compromising the security and privacy of users' information.
This vulnerability allows an attacker to inject malicious code into web pages viewed in Microsoft Edge, potentially tricking users into divulging sensitive information or performing unintended actions.
This vulnerability is a problem because it enables attackers to spoof content, making it appear as if it comes from a trusted source, which can lead to phishing attacks, theft of personal data, or other malicious activities.
The CVE-2025-25000 vulnerability allows an attacker to execute code on a computer over a network by exploiting a 'type confusion' issue in Microsoft Edge (Chromium-based), where the browser incorrectly accesses a resource using an incompatible type.
This vulnerability is a problem because it enables unauthorized attackers to remotely execute malicious code on a victim's computer, potentially leading to data theft, system compromise, or other harmful activities.
This vulnerability allows an attacker to inject malicious SQL code into the Online Doctor Appointment Booking System 1.0 by manipulating the "appid" argument in the /patient/invoice.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive patient data, which can lead to identity theft, financial loss, and other serious consequences. The fact that the exploit has been publicly disclosed increases the risk of attack.
This vulnerability allows an attacker to inject malicious SQL code into the Online Doctor Appointment Booking System 1.0 by manipulating the "patientFirstName" argument in the /patient/patientupdateprofile.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it enables remote attackers to launch SQL injection attacks, which can lead to data breaches, unauthorized data modification, and potentially even complete system compromise, putting sensitive patient information at risk.
The CVE-2025-3184 vulnerability allows an attacker to inject malicious SQL code into the Online Doctor Appointment Booking System 1.0 by manipulating the "patientFirstName" argument in the /patient/profile.php file, potentially giving them unauthorized access to sensitive patient data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive patient information, which can lead to identity theft, data breaches, and other serious security issues.
This vulnerability allows an attacker to inject malicious SQL code into the Online Doctor Appointment Booking System by manipulating the "patientFirstName" argument in the /patient/patientupdateprofile.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive patient data, which can lead to identity theft, data breaches, and other serious security issues.
This vulnerability allows an attacker to inject malicious SQL code into the Online Doctor Appointment Booking System 1.0 by manipulating the "q" argument in the /patient/getschedule.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it enables remote attackers to exploit the system, potentially leading to unauthorized data access, modification, or deletion, which can compromise patient confidentiality and the integrity of the appointment booking system.
This vulnerability allows an attacker to inject malicious SQL code into the Online Doctor Appointment Booking System by manipulating the "scheduleDate" argument in the /patient/appointment.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive patient data, disrupt the appointment booking system, or even take control of the entire database, which can have serious consequences for patient privacy and the integrity of the system.
The CVE-2025-30370 vulnerability allows an attacker to inject shell commands into a user's system by creating a maliciously named Git repository. When a user opens this repository in JupyterLab and clicks "Git > Open Git Repository in Terminal", the injected command is executed without the user's permission.
This vulnerability is a problem because it enables an attacker to run arbitrary shell commands on a user's system, potentially leading to unauthorized access, data theft, or other malicious activities. This can occur even if the user is cautious and only interacts with the repository through the JupyterLab interface.
The HCL Traveler system generates detailed error messages that reveal sensitive information, including internal paths, file names, tokens, credentials, error codes, and stack traces, when errors or failures occur.
This vulnerability is a problem because it allows attackers to gain valuable insights into the system's architecture, which could be used to launch targeted attacks and potentially compromise the security of the system.
The HCL Traveler application on Windows has a vulnerability that causes it to reveal internal file paths, which can happen through error messages, debug logs, or responses to user requests.
This vulnerability is a problem because it allows attackers to gain valuable information about the internal structure of the application and the system it's running on, potentially leading to further exploitation and unauthorized access.
This vulnerability allows an attacker to inject malicious SQL code into the Online Doctor Appointment Booking System by manipulating the "ID" argument in the /doctor/deleteschedule.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive data without needing direct access to the system, which can lead to data breaches, tampering, and other malicious activities.
This vulnerability allows an attacker to inject malicious SQL code into the Online Doctor Appointment Booking System by manipulating the "ic" argument in the /doctor/deletepatient.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it enables remote attackers to exploit the system, potentially leading to unauthorized data access, modification, or deletion, which can compromise patient confidentiality and the integrity of the appointment booking system.
This vulnerability allows an attacker to inject malicious SQL code into the Online Doctor Appointment Booking System by manipulating the "ID" argument in the /doctor/deleteappointment.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it enables remote attackers to exploit the system, potentially leading to unauthorized data access, modification, or deletion, which could compromise patient confidentiality and the integrity of the appointment booking system.
This vulnerability allows an attacker to send extremely large payloads to Snowplow Collector 3.x (before version 3.3.0), causing it to become unresponsive to other requests.
This vulnerability is a problem because it can lead to data loss, as the Collector will be unable to process new requests and collect data, potentially disrupting the entire data pipeline.
The CVE-2024-47217 vulnerability allows an attacker to render Iglu Server completely unresponsive by exploiting an authenticated endpoint, similar to CVE-2024-47214, affecting versions 0.13.0 and below.
This vulnerability is a problem because if Iglu Server becomes unresponsive, event processing in the pipeline will eventually come to a halt, potentially disrupting critical operations and services that rely on it.
The CVE-2024-47215 issue causes Snowbridge setups to send events with an invalid Google Tag Manager Server Side (GTM SS) preview header, resulting in these events being retried indefinitely when sent to the GTM SS server.
This vulnerability is a problem because it can significantly impact the performance of forwarding events to GTM SS, leading to increased latency and reduced throughput, which can hinder the effectiveness of data tracking and analysis.
The CVE-2024-47214 vulnerability allows a malicious payload to render Iglu Server completely unresponsive, similar to a previously discovered issue but with a different type of payload.
This vulnerability is a problem because if Iglu Server becomes unresponsive, it can halt event processing in the pipeline, potentially disrupting critical operations and services that rely on the server.
This vulnerability allows an attacker to send a maliciously crafted Snowplow event to the Enrich pipeline, causing it to crash and repeatedly attempt to restart, halting event processing.
This vulnerability is a problem because it can be used to disrupt the normal functioning of the Enrich pipeline, potentially leading to data loss or delays in event processing, which can have significant impacts on business operations and decision-making.
The CVE-2024-47212 vulnerability allows an attacker to send extremely large payloads to a specific API endpoint in Iglu Server version 0.13.0 and below, causing the server to become completely unresponsive.
This vulnerability is a problem because if the Iglu Server is rendered unresponsive, it can halt event processing in the pipeline, potentially disrupting critical operations and causing significant downtime.
This vulnerability allows attackers to inject malicious parameters into the JDBC URL of insightsoftware Hive JDBC, leading to JNDI injection and potentially resulting in remote code execution when the JDBC Driver connects to the database.
This vulnerability is a problem because it enables attackers to execute arbitrary code on the affected system, potentially allowing them to gain unauthorized access, steal sensitive data, or disrupt system operations.
This vulnerability in FastCMS 0.1.5 allows an attacker to use a hard-coded cryptographic key due to a flaw in the JWT Handler component, which can be exploited remotely.
This vulnerability is a problem because it enables attackers to potentially decrypt sensitive data or forge authentication tokens, compromising the security of the system, especially since the exploit has been made public and can be used by malicious actors.
This vulnerability allows an attacker to inject malicious SQL code into the Project Worlds Online Lawyer Management System 1.0 by manipulating the "u_id" argument in the /single_lawyer.php file, which can be done remotely.
This is a problem because SQL injection attacks can give an attacker unauthorized access to sensitive data, allowing them to modify, delete, or extract confidential information, potentially leading to data breaches, financial loss, and reputational damage.
This vulnerability in MinIO's authorization signature component allows an attacker to upload arbitrary objects to a bucket using any secret, given that they already have WRITE permissions on the bucket and prior knowledge of the access-key and bucket name.
This vulnerability is a problem because it enables unauthorized data uploads to a bucket, potentially leading to data corruption, overwrite, or exposure, even if the attacker doesn't have a valid access-key secret.
The CVE-2025-31485 vulnerability affects the API Platform Core system, specifically in its GraphQL functionality, where a grant on a property might be cached with different objects due to an issue in the ItemNormalizer method, potentially leading to unauthorized access or data exposure.
This vulnerability is a problem because it could allow sensitive data to be accessed or modified by unauthorized users, due to the incorrect caching of grants, which can compromise the security and integrity of the API and its associated data.
The CVE-2025-31481 vulnerability allows an attacker to bypass configured security on API operations by utilizing the Relay special node type in the API Platform Core system.
This vulnerability is a problem because it enables attackers to circumvent security measures, potentially leading to unauthorized access, data breaches, or other malicious activities, which can compromise the integrity and confidentiality of the system.
The CVE-2025-31161 vulnerability allows an attacker to bypass authentication and take over the crushadmin account in CrushFTP versions 10 before 10.8.4 and 11 before 11.3.1, by exploiting a race condition in the AWS4-HMAC authorization method and manipulating the HTTP headers to authenticate as any known or guessable user.
This vulnerability is a problem because it enables an attacker to gain administrative access to the system, potentially leading to a full compromise of the system, data theft, and other malicious activities, with a severity score of 9.8, indicating a critical level of risk.
The generator-jhipster-entity-audit module has a vulnerability that allows an attacker to execute remote code if they can place malicious classes into the classpath and access certain REST endpoints, due to unsafe reflection when using Javers as the Entity Audit Framework.
This vulnerability is a problem because it can lead to unintended remote code execution, which can give an attacker full control over the affected system, allowing them to steal sensitive data, disrupt operations, or spread malware.
This vulnerability allows a local attacker to escalate privileges on the Shenzhen Libituo Technology Co., Ltd LBT-T300-T400 device, version v3.2, by exploiting a weakness in the "tftp_image_check" function of the "rc" binary.
This vulnerability is a problem because it enables an attacker with local access to gain higher-level privileges, potentially allowing them to take control of the device, access sensitive information, or execute malicious actions.
The CVE-2025-29504 vulnerability allows a local attacker to gain higher privileges on a system running the student-manage software due to inadequate permission verification.
This vulnerability is a problem because it enables an attacker with local access to escalate their privileges, potentially allowing them to access sensitive data, modify system settings, or perform other malicious actions that could compromise the security and integrity of the system.
This vulnerability allows an attacker to overflow a buffer on the stack in the Tenda Ac15 router's webCgiGetUploadFile function, potentially enabling them to execute arbitrary code when processing HTTP request messages.
This vulnerability is a problem because it could allow an attacker to gain control of the affected router, potentially leading to unauthorized access, data theft, or disruption of network services.
This vulnerability allows a remote attacker to execute arbitrary code on a TOTOLINK x18 device running version 9.1.0cu.2024_B20220329, by exploiting a weakness in the cstecgi.cgi function.
This vulnerability is a problem because it enables an attacker to gain control over the device, potentially leading to unauthorized access, data theft, or disruption of the device's functionality, which can have serious consequences for the security and integrity of the network.
The CVE-2025-26818 vulnerability allows an attacker to inject commands into the Netwrix Password Secure system, potentially giving them unauthorized access to execute system commands.
This vulnerability is a problem because it could enable malicious actors to gain control over the system, allowing them to access sensitive data, disrupt operations, or install additional malware, ultimately compromising the security and integrity of the system.
The Netwrix Password Secure 9.2.0.32454 vulnerability allows an attacker to inject operating system commands, potentially enabling them to execute unauthorized actions on the system.
This vulnerability is a problem because it could give an attacker the ability to gain control of the system, access sensitive data, or disrupt normal operations, leading to potential data breaches or system compromise.
The CVE-2024-45198 vulnerability allows attackers to inject malicious parameters into the JDBC URL of insightsoftware Spark JDBC 2.6.21, leading to JNDI injection and potentially triggering remote code execution when the JDBC Driver connects to the database.
This vulnerability is a problem because it enables attackers to execute arbitrary code on a remote system, potentially allowing them to gain unauthorized access, steal sensitive data, or disrupt system operations.
This vulnerability allows an attacker to inject malicious SQL code into the Project Worlds Online Lawyer Management System 1.0 by manipulating the "first_Name" argument in the /save_user_edit_profile.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive data without needing physical access to the system, which can lead to data breaches, tampering, and other malicious activities.
This vulnerability allows an attacker to inject malicious SQL code into the Project Worlds Online Lawyer Management System through the /searchLawyer.php file by manipulating the "experience" argument, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive data without needing physical access to the system, which could lead to data breaches, theft, or corruption.
This vulnerability allows an attacker to inject malicious SQL code into the Project Worlds Online Lawyer Management System 1.0 by manipulating the "lawyer_id" argument in the /save_booking.php file, potentially giving them unauthorized access to sensitive data.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to access and manipulate sensitive data without needing physical access to the system, which could lead to data breaches, theft, or corruption.
The XWiki JIRA extension has a vulnerability that allows any logged-in XWiki user to edit their user profile wiki page and use a JIRA macro to display the content of a local file on the XWiki server host by specifying a fake JIRA URL that returns malicious XML.
This vulnerability is a problem because it allows an attacker to access and display sensitive files on the server, potentially revealing confidential information or allowing further exploitation of the system.
The CVE-2025-31486 vulnerability allows an attacker to access the contents of arbitrary files on a server running Vite, a frontend tooling framework for JavaScript, by bypassing the server.fs.deny restriction using specific file extensions and headers.
This vulnerability is a problem because it enables unauthorized access to sensitive files on the server, potentially leading to data breaches or other security issues, especially if the exposed files contain confidential information.
The CVE-2025-29647 vulnerability allows an attacker to inject malicious SQL code into the admin_tempvideo.php component of SeaCMS version 13.3, potentially granting unauthorized access to sensitive database information.
This vulnerability is a problem because it enables hackers to extract, modify, or delete sensitive data, leading to a loss of data integrity, confidentiality, and potentially even system compromise.
This vulnerability allows an attacker to inject malicious SQL code into OpenEMR's database through specific files, including Pharmacy.class.php, C_Pharmacy.class.php, and controller.php, potentially giving them unauthorized access to sensitive data.
This SQL injection vulnerability is a problem because it can lead to unauthorized data access, modification, or deletion, compromising the confidentiality, integrity, and availability of sensitive healthcare information stored in the OpenEMR system.
This vulnerability allows an attacker to inject malicious SQL code into the Project Worlds Online Lawyer Management System 1.0 by manipulating the "unblock_id" argument in the /lawyer_booking.php file, which can be done remotely.
This is a problem because it enables attackers to access, modify, or delete sensitive data in the system's database, potentially leading to data breaches, unauthorized access, or disruption of services, which can have serious consequences for the affected organization.
This vulnerability allows an attacker to inject malicious SQL code into the Project Worlds Online Lawyer Management System 1.0 by manipulating the "unblock_id" argument in the /approve_lawyer.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the system's database, potentially leading to data breaches, unauthorized access, and other malicious activities.
This vulnerability allows an attacker to inject malicious SQL code into the Project Worlds Online Lawyer Management System 1.0 by manipulating the block_id or unblock_id arguments in the /admin_user.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access, modify, or extract sensitive data from the system's database, potentially leading to unauthorized access, data breaches, or disruption of services.
The CVE-2025-31483 vulnerability allows an attacker to bypass the Content Security Policy (CSP) of the media proxy in Miniflux, a feed reader, and execute cross-site scripting (XSS) when opening external images in a new tab or window.
This vulnerability is a problem because it enables attackers to inject malicious code into the feed reader, potentially allowing them to steal user data, take control of the user's session, or perform other malicious actions.
The CVE-2025-31127 vulnerability in Element X Android allows an entity controlling the element.json well-known file to access media encryption keys used for Element Call calls under certain conditions.
This vulnerability is a problem because it compromises the security and privacy of encrypted calls made through the Element X Android app, potentially allowing unauthorized access to sensitive information.
The CVE-2025-31126 vulnerability in Element X iOS allows an entity controlling the element.json well-known file to access media encryption keys used for Element Call calls under certain conditions, potentially compromising the security of these calls.
This vulnerability is a problem because it could allow unauthorized access to sensitive information, such as encrypted media, which could lead to eavesdropping or interception of private communications, undermining the confidentiality and security of Element Call users.
The CVE-2025-3169 vulnerability allows an attacker to upload files without restrictions to the Projeqtor application, specifically through the /tool/saveAttachment.php file, by manipulating the "attachmentFiles" argument. This can be done remotely.
This vulnerability is a problem because it enables attackers to upload malicious files, potentially including executable files, which could lead to further attacks or damage to the system. Although the vendor notes that the vulnerability can only be exploited if the attachment directory is not properly secured, it still poses a significant risk if the application is not installed correctly.
This vulnerability allows an attacker to inject malicious SQL code into the PHPGurukul Time Table Generator System 1.0 by manipulating the "editid" argument in the /admin/edit-class.php file, which can be done remotely.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data in the system's database, potentially leading to data breaches, unauthorized modifications, or even complete system compromise.
The CVE-2025-3167 vulnerability allows an attacker to remotely manipulate the "getuid" argument in the Tenda AC23 router's API interface, specifically in the /goform/VerAPIMant file, which can lead to a denial of service.
This vulnerability is a problem because it can be exploited remotely, allowing an attacker to disrupt the normal functioning of the router, potentially causing network outages and impacting the availability of internet services.
This vulnerability allows an attacker to overflow a buffer on the system's stack by manipulating the "target" argument in the "search_item" function of the Search Product Menu component in the Product Management System 1.0, potentially enabling them to execute arbitrary code.
This vulnerability is a problem because it could allow an attacker with local access to the system to gain control over it, potentially leading to data theft, system compromise, or other malicious activities, especially since the exploit has been publicly disclosed.
This vulnerability in JetBrains IntelliJ IDEA allows source code to be logged in the idea.log file, potentially exposing sensitive information, before version 2024.3 and 2024.2.4.
This is a problem because it could lead to unauthorized access to sensitive source code, potentially allowing attackers to exploit vulnerabilities or steal intellectual property.
The CVE-2025-31115 vulnerability is a bug in the XZ Utils data-compression library that can cause a crash when the multithreaded .xz decoder encounters invalid input, potentially leading to heap use after free and writing to an address based on the null pointer plus an offset.
This vulnerability is a problem because it can be exploited to cause a program to crash or potentially execute arbitrary code, which can lead to security breaches, data corruption, or other malicious activities, affecting applications and libraries that use the affected function.
The API Platform Core system, used for creating REST and GraphQL APIs, has a vulnerability that exposes exception messages in JSON error responses when the exceptions are not related to HTTP.
This vulnerability is a problem because it can potentially reveal sensitive information about the system, such as internal errors or debugging data, to unauthorized users through the error messages, which could be used to exploit other vulnerabilities.
The CVE-2025-3165 vulnerability allows an attacker to manipulate the 'ckpt_path/quant_ckpt_dir' argument in the 'torch.load' function of the 'chitu/chitu/backend.py' file, leading to deserialization of malicious data.
This vulnerability is a problem because it enables an attacker to execute malicious code or access sensitive data by exploiting the deserialization process, which can lead to a range of security issues, including data breaches, code execution, and system compromise.
This vulnerability allows an attacker to inject code into the H2 Database Connection Handler of Tencent Music Entertainment SuperSonic, specifically targeting the /api/semantic/database/testConnect file, which can be exploited remotely.
This vulnerability is a problem because it enables remote attackers to inject malicious code, potentially leading to unauthorized access, data breaches, or disruption of services, making it a critical security threat.
This vulnerability allows an attacker to inject code into the InternLM LMDeploy system by manipulating the "Open" function in the lmdeploy/docs/en/conf.py file, potentially leading to unauthorized access and control.
This vulnerability is a problem because it enables attackers to launch a code injection attack on the local host, which can result in significant security breaches, data theft, and system compromise, especially since the exploit has been publicly disclosed and can be easily used by malicious actors.
The CVE-2025-29987 vulnerability allows an authenticated user from a trusted remote client to execute arbitrary commands with root privileges on Dell PowerProtect Data Domain systems running Data Domain Operating System (DD OS) versions prior to 8.3.0.15.
This vulnerability is a problem because it enables an attacker to gain unrestricted access to the system, potentially leading to data breaches, system compromise, and other malicious activities, all with elevated privileges.
This vulnerability allows a remote attacker to overflow a buffer on the stack in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways, potentially leading to remote code execution.
This is a significant problem because it enables an unauthenticated attacker to execute malicious code on the affected system, potentially allowing them to gain control, steal sensitive data, or disrupt operations.
The CVE-2024-4877 vulnerability allows a lesser privileged process on Windows to create a named pipe that the OpenVPN GUI component connects to, potentially enabling the process to escalate its privileges.
This vulnerability is a problem because it could allow an attacker to gain elevated access and control over the system, potentially leading to unauthorized actions, data breaches, or other malicious activities.
This CVE candidate was issued in error and has been rejected, with all related information removed to prevent accidental usage.
It's not a problem as it was an incorrect assignment and does not represent an actual vulnerability.
The CVE-2025-3162 vulnerability allows an attacker to manipulate the load_weight_ckpt function in the InternLM LMDeploy up to version 0.7.1, leading to deserialization, which can occur when an attacker has local access.
This vulnerability is a problem because it can be exploited by an attacker with local access to execute malicious code, potentially allowing them to gain unauthorized access to sensitive data or disrupt system operations.
This vulnerability allows an attacker to overflow a buffer on the stack by manipulating the argument list in the ShutdownSetAdd function of the Tenda AC10 router, potentially leading to remote code execution.
This is a critical issue because it can be exploited remotely, allowing an attacker to gain control of the router and potentially access the network it's connected to, leading to unauthorized data access, malware distribution, or other malicious activities.
The CVE-2025-3160 vulnerability allows an out-of-bounds read in the Open Asset Import Library Assimp, specifically in the SceneCombiner function, when a local attacker manipulates the system.
This vulnerability is a problem because it can be exploited by a local attacker to potentially access sensitive information or disrupt the system, and since the exploit has been publicly disclosed, it may be used by malicious actors.
This vulnerability allows an attacker to embed arbitrary HTML tags in the Web UI of HCL DevOps Deploy / HCL Launch, potentially leading to the disclosure of sensitive information.
This vulnerability is a problem because it can be used by attackers to trick users into revealing sensitive information, such as login credentials or other confidential data, by manipulating the Web UI to display fake or malicious content.
This vulnerability causes a heap-based buffer overflow in the Open Asset Import Library Assimp when parsing ASE files, specifically in the function that handles mesh bones and vertices.
This vulnerability is a problem because it can be exploited by an attacker to potentially execute arbitrary code, leading to a range of malicious activities, including data theft, system compromise, and disruption of service, by manipulating the ASE file handler locally.
This vulnerability causes a heap-based buffer overflow in the Open Asset Import Library Assimp, specifically in the LWO File Handler component, when the Assimp::LWO::AnimResolver::UpdateAnimRangeSetup function is manipulated.
This issue is a problem because it allows an attacker to launch an attack on the local host, potentially leading to arbitrary code execution, data corruption, or crashes, which can compromise the security and stability of the system.
This vulnerability allows an attacker to perform a cross-site scripting (XSS) attack by manipulating the SSID argument in the Wireless Menu component of the Intelbras WRN 150 device, potentially leading to the execution of malicious code.
This vulnerability is a problem because it can be exploited remotely, allowing attackers to inject malicious code into the device, potentially leading to unauthorized access, data theft, or other malicious activities, which can compromise the security and integrity of the device and the network it is connected to.
This vulnerability in the Gnome user help application allows malicious users to create help documents that can execute arbitrary scripts, potentially leading to the exfiltration of user files to an external environment.
This vulnerability is a problem because it enables malicious users to access and steal sensitive user data by disguising their scripts as legitimate help documents, which can then be executed by the application without the user's knowledge or consent.
The CVE-2025-32053 vulnerability is a flaw in the libsoup library that can cause a heap buffer over-read due to issues in the sniff_feed_or_html() and skip_insignificant_space() functions.
This vulnerability is a problem because it can potentially allow attackers to access sensitive information or cause the program to crash, leading to a denial of service. The heap buffer over-read can also potentially be used to exploit other vulnerabilities, making it a significant security concern.
The CVE-2025-32052 vulnerability is a flaw in the libsoup library that can cause a heap buffer over-read when the sniff_unknown() function is used, potentially allowing an attacker to access sensitive data.
This vulnerability is a problem because it can lead to unauthorized access to sensitive information, potentially compromising the security and integrity of the system, and allowing attackers to exploit this weakness for malicious purposes.
The CVE-2025-32051 vulnerability is a flaw in the libsoup library that causes the soup_uri_decode_data_uri() function to crash when processing a malformed data URI, allowing an attacker to initiate a denial of service (DoS) attack.
This vulnerability is a problem because it enables an attacker to intentionally crash the system or application using the libsoup library, resulting in a denial of service that disrupts the normal functioning of the system and potentially leads to data loss or other security issues.
The CVE-2025-32050 vulnerability is a flaw in the libsoup library, specifically in the append_param_quoted() function, which can cause a buffer under-read due to an overflow bug.
This vulnerability is a problem because it can potentially allow attackers to access or manipulate sensitive data, leading to information disclosure or other security breaches, which can compromise the confidentiality and integrity of the affected system.
This vulnerability allows an attacker to send a large WebSocket message to a system using libsoup, causing the system to allocate excessive memory, which can lead to a denial of service (DoS) where the system becomes unresponsive or crashes.
This vulnerability is a problem because it can be exploited by an attacker to intentionally disrupt or shut down a system, making it unavailable for legitimate use and potentially causing significant disruption or financial loss.
The CVE-2025-31911 vulnerability allows an attacker to inject malicious SQL code into a database using the NotFound Social Share And Social Locker plugin, versions 1.4.2 and below, enabling them to extract or modify sensitive data without being detected.
This vulnerability is a problem because it enables attackers to access and manipulate sensitive data, potentially leading to data breaches, unauthorized access, and other malicious activities, posing a significant threat to the security and integrity of the affected system.
The CVE-2025-31909 vulnerability allows unauthorized access to Apptivo Business Site CRM due to missing authorization and incorrectly configured access control security levels, potentially exposing sensitive data.
This vulnerability is a problem because it enables attackers to exploit weaknesses in the access control system, potentially leading to unauthorized data access, modification, or theft, which can compromise business operations and customer trust.
The CVE-2025-31907 vulnerability allows an attacker to inject malicious code into a web page, known as Reflected Cross-site Scripting (XSS), when using the Labib Ahmed Team Builder application. This occurs because the application does not properly neutralize user input during web page generation.
This vulnerability is a problem because it enables attackers to trick users into executing malicious scripts, potentially leading to unauthorized access, data theft, or other harmful activities. The severity score of 7.1 indicates a significant level of risk.
The CVE-2025-31905 vulnerability allows an attacker to inject malicious code into a web page, known as Reflected Cross-site Scripting (XSS), when using the NotFound Team Rosters application.
This vulnerability is a problem because it enables attackers to steal user data, take control of user sessions, or perform unauthorized actions on the affected website, potentially leading to sensitive information disclosure or other malicious activities.
This vulnerability allows an attacker to inject malicious code into a web page, using a technique called Reflected Cross-site Scripting (XSS), when a user interacts with the XV Random Quotes plugin, specifically versions up to 1.37.
This vulnerability is a problem because it enables attackers to steal user data, take control of user sessions, or perform other malicious actions on behalf of the user, potentially leading to sensitive information disclosure, identity theft, or further attacks on the affected system.
The CVE-2025-31902 vulnerability allows an attacker to inject malicious code into a web page through a process known as Reflected Cross-site Scripting (XSS), which occurs when user input is not properly neutralized during web page generation in the NotFound Social Share And Social Locker plugin.
This vulnerability is a problem because it enables attackers to trick users into executing malicious scripts, potentially leading to unauthorized access, data theft, or other malicious activities on the affected website.
The CVE-2025-31901 vulnerability allows an attacker to inject malicious code into a webpage through a reflected Cross-site Scripting (XSS) attack, exploiting the Digihood HTML Sitemap's improper neutralization of user input.
This vulnerability is a problem because it enables attackers to trick users into executing malicious scripts, potentially leading to unauthorized access, data theft, or other malicious activities, compromising the security and integrity of the affected system.
The CVE-2025-31900 vulnerability allows an attacker to inject malicious code into a web page generated by Lexicata, enabling Reflected Cross-site Scripting (XSS) attacks. This occurs due to the improper neutralization of user input during web page generation.
This vulnerability is a problem because it can be exploited by attackers to steal user data, take control of user sessions, or perform other malicious actions on the affected Lexicata system, potentially compromising sensitive information and system security.
The CVE-2025-31899 vulnerability allows an attacker to inject malicious code into a website using the wpshopee Awesome Logos plugin, which can lead to Reflected Cross-Site Scripting (XSS) attacks. This means an attacker can trick a user into clicking a link that executes malicious code on the website.
This vulnerability is a problem because it can allow attackers to steal user data, take control of user sessions, or perform other malicious actions on the affected website. The severity score of 7.1 indicates that this is a significant threat that should be addressed promptly.
This vulnerability allows an attacker to inject malicious code into a website using the MediaView component, which can lead to Reflected Cross-Site Scripting (XSS) attacks. This means an attacker can trick a user into clicking a link or visiting a website that executes the malicious code, potentially stealing sensitive information or taking control of the user's session.
This vulnerability is a problem because it can be used to steal user data, hijack user sessions, or spread malware, which can lead to financial loss, identity theft, or other serious consequences. The severity score of 7.1 indicates that this is a significant vulnerability that should be addressed promptly.
The CVE-2025-31896 vulnerability allows unauthorized access to the GetBookingsWP plugin due to missing authorization, enabling exploitation of incorrectly configured access control security levels.
This vulnerability is a problem because it can be used by attackers to gain unauthorized access to sensitive information or perform malicious actions, potentially compromising the security and integrity of the affected system.
The CVE-2025-31893 vulnerability allows an attacker to inject malicious code into web pages generated by the Botnet Attack Blocker, specifically through a type of attack known as Stored Cross-site Scripting (XSS). This means that an attacker can store malicious scripts on the targeted web application, which are then executed by the application, potentially leading to unauthorized actions.
This vulnerability is a problem because it enables attackers to execute malicious scripts on the web application, potentially allowing them to steal sensitive information, take control of user sessions, or perform other malicious activities. The fact that it is a Stored XSS vulnerability makes it particularly concerning, as the malicious scripts can be stored on the application and executed repeatedly, affecting multiple users.