CVE List - 2025 / April
Showing 3301 - 3400 of 4033 CVEs for April 2025 (Page 34 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-46252 | 2025-04-22 | WordPress Message Filter for Contact Form 7 plugin <= 1.6.3.2 - SQL Injection vulnerability |
| CVE-2025-46253 | 2025-04-22 | WordPress GutenKit plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-46254 | 2025-04-22 | WordPress Visual Composer Website Builder plugin <= 45.10.0 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-3457 | 2025-04-22 | Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2025-3472 | 2025-04-22 | Ocean Extra <= 2.4.6 - Unauthenticated Arbitrary Shortcode Execution |
| CVE-2025-3458 | 2025-04-22 | Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ocean_gallery_id' |
| CVE-2024-11299 | 2025-04-22 | Memberpress <= 1.11.37 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure |
| CVE-2025-2092 | 2025-04-22 | Remote site authentication secrets written to web log |
| CVE-2025-23175 | 2025-04-22 | Tecnick - Multiple XSS (CWE-79) |
| CVE-2025-23176 | 2025-04-22 | Tecnick – CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| CVE-2025-1950 | 2025-04-22 | IBM Hardware Management Console - Power Systems command execution |
| CVE-2025-1951 | 2025-04-22 | IBM Hardware Management Console - Power Systems command execution |
| CVE-2025-3767 | 2025-04-22 | SQL Injection in Centreon BAM boolean KPI listing |
| CVE-2025-23249 | 2025-04-22 | NVIDIA NeMo Framework contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. A successful exploit of this vulnerability might lead to code... |
| CVE-2025-23250 | 2025-04-22 | NVIDIA NeMo Framework contains a vulnerability where an attacker could cause an improper limitation of a pathname to a restricted directory by an arbitrary file write. A successful exploit of... |
| CVE-2025-23251 | 2025-04-22 | NVIDIA NeMo Framework contains a vulnerability where a user could cause an improper control of generation of code by remote code execution. A successful exploit of this vulnerability might lead... |
| CVE-2025-27907 | 2025-04-22 | IBM WebSphere Application Server server-side request forgery |
| CVE-2025-34028 | 2025-04-22 | Commvault Command Center Innovation Release <= 11.38.25 Unathenticated Install Package Path Traversal |
| CVE-2025-32788 | 2025-04-22 | OctoPrint Authenticated Reverse Proxy Page Authentication Bypass |
| CVE-2025-32950 | 2025-04-22 | io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage |
| CVE-2025-32963 | 2025-04-22 | Minio Operator uses Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS |
| CVE-2025-32964 | 2025-04-22 | ManageWiki vulnerable to permission bypass when disabling extensions requiring certain permissions in Special:ManageWiki/extensions |
| CVE-2025-32952 | 2025-04-22 | io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage |
| CVE-2025-32951 | 2025-04-22 | io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API |
| CVE-2025-32959 | 2025-04-22 | CUBA Vulnerable to Denial of Service (DoS) in the File Storage |
| CVE-2025-32960 | 2025-04-22 | CUBA Generic REST API Vulnerable to Cross-Site Scripting (XSS) in the /files Endpoint |
| CVE-2025-32961 | 2025-04-22 | CUBA JPA Web API Vulnerable to Cross-Site Scripting (XSS) in the /download Endpoint |
| CVE-2025-31327 | 2025-04-22 | OData meta-data property entity tampering in SAP Field Logistics |
| CVE-2025-31328 | 2025-04-22 | Cross-Site Request Forgery (CSRF) vulnerability in SAP S/4 HANA (Learning Solution) |
| CVE-2025-23253 | 2025-04-22 | NVIDIA NvContainer service for Windows contains a vulnerability in its usage of OpenSSL, where an attacker could exploit a hard-coded constant issue by copying a malicious DLL in a hard-coded... |
| CVE-2025-32965 | 2025-04-22 | Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 |
| CVE-2025-37087 | 2025-04-22 | A vulnerability in the cmdb service of the HPE Performance Cluster Manager (HPCM) could allow an attacker to gain access to an arbitrary file on the server host. |
| CVE-2025-27087 | 2025-04-22 | A vulnerability in the kernel of the Cray Operating System (COS) could allow an attacker to perform a local Denial of Service (DoS) attack. |
| CVE-2025-37088 | 2025-04-22 | A security vulnerability has been identified in HPE Cray Data Virtualization Service (DVS). Depending on race conditions and configuration, this vulnerability may lead to local/cluster unauthorized access. |
| CVE-2024-58251 | 2025-04-23 | In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked... |
| CVE-2025-27580 | 2025-04-23 | NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 generates predictable tokens (that depend on username, time, and the fixed 7Dl9#dj- string) and thus allows unauthenticated users with a... |
| CVE-2025-27581 | 2025-04-23 | NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 allows users who lack the InET role to access the InET module via direct requests to known endpoints. |
| CVE-2025-28017 | 2025-04-23 | TOTOLINK A800R V4.1.2cu.5032_B20200408 is vulnerable to Command Injection in downloadFile.cgi via the QUERY_STRING parameter. |
| CVE-2025-28018 | 2025-04-23 | TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in downloadFile.cgi through the v14 parameter. |
| CVE-2025-28019 | 2025-04-23 | TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in the downloadFile.cgi component |
| CVE-2025-28020 | 2025-04-23 | TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in downloadFile.cgi through the v25 parameter. |
| CVE-2025-28021 | 2025-04-23 | TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a buffer overflow vulnerability in the downloadFile.cgi through the v14 and v3 parameters |
| CVE-2025-28022 | 2025-04-23 | TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a buffer overflow vulnerability in downloadFile.cgi through the v25 parameter. |
| CVE-2025-28025 | 2025-04-23 | TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a buffer overflow vulnerability in downloadFile.cgi through the v14 parameter. |
| CVE-2025-28028 | 2025-04-23 | TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a buffer overflow vulnerability in downloadFile.cgi through the v5 parameter. |
| CVE-2025-28169 | 2025-04-23 | BYD QIN PLUS DM-i Dilink OS v3.0_13.1.7.2204050.1 to v3.0_13.1.7.2312290.1_0 was discovered to cend broadcasts to the manufacturer's cloud server unencrypted, allowing attackers to execute a man-in-the-middle attack. |
| CVE-2025-29526 | 2025-04-23 | A Cross-Site Scripting (XSS) vulnerability in the search function of Q4 Inc Investor Relations Platform v5.147.1.2 allows attackers to execute arbitrary Javascript via injecting a crafted payload into the SearchTerm... |
| CVE-2025-43716 | 2025-04-23 | A directory traversal vulnerability exists in Ivanti LANDesk Management Gateway through 4.2-1.9. By appending %3F.php to the URI of the /client/index.php endpoint, an attacker can bypass access controls and gain... |
| CVE-2025-43965 | 2025-04-23 | In MIFF image processing in ImageMagick before 7.1.1-44, image depth is mishandled after SetQuantumFormat is used. |
| CVE-2025-45427 | 2025-04-23 | In Tenda AC9 v1.0 with firmware V15.03.05.14_multi, the security parameter of /goform/WifiBasicSet has a stack overflow vulnerability, which can lead to remote arbitrary code execution. |
| CVE-2025-45428 | 2025-04-23 | In Tenda ac9 v1.0 with firmware V15.03.05.14_multi, the rebootTime parameter of /goform/SetSysAutoRebbotCfg has a stack overflow vulnerability, which can lead to remote arbitrary code execution. |
| CVE-2025-45429 | 2025-04-23 | In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWpsStart, which may lead to remote arbitrary code execution. |
| CVE-2025-46393 | 2025-04-23 | In multispectral MIFF image processing in ImageMagick before 7.1.1-44, packet_size is mishandled (related to the rendering of all channels in an arbitrary order). |
| CVE-2025-46394 | 2025-04-23 | In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. |
| CVE-2025-1021 | 2025-04-23 | Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors. |
| CVE-2025-1056 | 2025-04-23 | Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has identified an issue with a specific file that the server is using. A non-admin user can modify this file... |
| CVE-2025-0926 | 2025-04-23 | Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for a non-admin user to remove system files causing a boot loop by redirecting... |
| CVE-2025-0618 | 2025-04-23 | A malicious third party could invoke a persistent denial of service vulnerability in FireEye EDR agent by sending a specially-crafted tamper protection event to the HX service to trigger an... |
| CVE-2025-3529 | 2025-04-23 | WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Information Exposure via file_url Parameter |
| CVE-2025-3530 | 2025-04-23 | WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Product Price Manipulation |
| CVE-2025-2595 | 2025-04-23 | Forced Browsing Vulnerability in CODESYS Visualization |
| CVE-2025-1054 | 2025-04-23 | UiCore Elements – Free Elementor widgets and templates <= 1.0.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets |
| CVE-2024-10306 | 2025-04-23 | Mod_proxy_cluster: mod_proxy_cluster unauthorized mcmp requests |
| CVE-2025-42600 | 2025-04-23 | Brute Force Attack Vulnerability in Meon KYC solutions |
| CVE-2025-42601 | 2025-04-23 | Captcha Bypass Vulnerability in Meon KYC solutions |
| CVE-2025-42602 | 2025-04-23 | Improper Authentication Vulnerability in Meon KYC solutions |
| CVE-2025-42603 | 2025-04-23 | Information Disclosure Vulnerability in Meon KYC solutions |
| CVE-2025-42604 | 2025-04-23 | Detailed Error Response Vulnerability in Meon KYC solutions |
| CVE-2025-42605 | 2025-04-23 | Improper Access Control Vulnerability in Meon Bidding Solutions |
| CVE-2025-2703 | 2025-04-23 | The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute... |
| CVE-2025-32966 | 2025-04-23 | Dataease H2 JDBC Connection Remote Code Execution |
| CVE-2025-32968 | 2025-04-23 | org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API |
| CVE-2025-32969 | 2025-04-23 | org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API |
| CVE-2025-21605 | 2025-04-23 | Redis DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client |
| CVE-2024-47829 | 2025-04-23 | pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting |
| CVE-2025-1045 | 2025-04-23 | Luxion KeyShot Viewer KSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability |
| CVE-2025-1046 | 2025-04-23 | Luxion KeyShot SKP File Parsing Use-After-Free Remote Code Execution Vulnerability |
| CVE-2025-1047 | 2025-04-23 | Luxion KeyShot PVS File Parsing Access of Uninitialized Pointer Remote Code Execution Vulnerability |
| CVE-2025-1048 | 2025-04-23 | Sonos Era 300 Speaker libsmb2 Use-After-Free Remote Code Execution Vulnerability |
| CVE-2025-1049 | 2025-04-23 | Sonos Era 300 Heap-based Buffer Overflow Remote Code Execution Vulnerability |
| CVE-2025-1050 | 2025-04-23 | Sonos Era 300 Out-of-Bounds Write Remote Code Execution Vulnerability |
| CVE-2025-1520 | 2025-04-23 | PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability |
| CVE-2025-1521 | 2025-04-23 | PostHog slack_incoming_webhook Server-Side Request Forgery Information Disclosure Vulnerability |
| CVE-2025-1522 | 2025-04-23 | PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability |
| CVE-2025-2760 | 2025-04-23 | GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability |
| CVE-2025-2761 | 2025-04-23 | GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability |
| CVE-2025-2762 | 2025-04-23 | CarlinKit CPC200-CCPA Missing Root of Trust Local Privilege Escalation Vulnerability |
| CVE-2025-2763 | 2025-04-23 | CarlinKit CPC200-CCPA Improper Verification of Cryptographic Signature Code Execution Vulnerability |
| CVE-2025-2764 | 2025-04-23 | CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability |
| CVE-2025-2765 | 2025-04-23 | CarlinKit CPC200-CCPA Wireless Hotspot Hard-Coded Credentials Authentication Bypass Vulnerability |
| CVE-2025-2767 | 2025-04-23 | Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability |
| CVE-2025-2768 | 2025-04-23 | Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability |
| CVE-2025-2769 | 2025-04-23 | Bdrive NetDrive Uncontrolled Search Path Element Local Privilege Escalation Vulnerability |
| CVE-2025-2770 | 2025-04-23 | BEC Technologies Multiple Routers Cleartext Password Storage Information Disclosure Vulnerability |
| CVE-2025-2771 | 2025-04-23 | BEC Technologies Multiple Routers Authentication Bypass Vulnerability |
| CVE-2025-2772 | 2025-04-23 | BEC Technologies Multiple Routers Insufficiently Protected Credentials Information Disclosure Vulnerability |
| CVE-2025-2773 | 2025-04-23 | BEC Technologies Multiple Routers sys ping Command Injection Remote Code Execution Vulnerability |
| CVE-2025-3900 | 2025-04-23 | Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041 |
| CVE-2025-3901 | 2025-04-23 | Bootstrap Site Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-042 |
| CVE-2025-3902 | 2025-04-23 | Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043 |