CVE List - 2025 / May
Showing 2001 - 2100 of 3982 CVEs for May 2025 (Page 21 of 40)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-47778 | 2025-05-14 | Sulu vulnerable to XXE in SVG File upload Inspector |
| CVE-2025-47781 | 2025-05-14 | Rallly Insufficient Password Login Token Entropy Leads to Account Takeover |
| CVE-2025-47782 | 2025-05-14 | motionEye vulnerable to RCE in add_camera Function Due to unsafe command execution |
| CVE-2025-40595 | 2025-05-14 | A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. By using an encoded URL, a remote unauthenticated attacker could potentially cause the appliance... |
| CVE-2025-3875 | 2025-05-14 | Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains... |
| CVE-2025-3909 | 2025-05-14 | Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf,... |
| CVE-2025-3932 | 2025-05-14 | It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration... |
| CVE-2025-47701 | 2025-05-14 | Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047 |
| CVE-2025-47702 | 2025-05-14 | oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048 |
| CVE-2025-47703 | 2025-05-14 | COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-049 |
| CVE-2025-47704 | 2025-05-14 | Klaro Cookie & Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-050 |
| CVE-2025-47705 | 2025-05-14 | IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051 |
| CVE-2025-47706 | 2025-05-14 | Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052 |
| CVE-2025-47707 | 2025-05-14 | Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053 |
| CVE-2025-47708 | 2025-05-14 | Enterprise MFA - TFA for Drupal - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-054 |
| CVE-2025-47709 | 2025-05-14 | Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055 |
| CVE-2025-47710 | 2025-05-14 | Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-056 |
| CVE-2025-30663 | 2025-05-14 | Zoom Workplace Apps - Time-of-check Time-of-use |
| CVE-2025-30664 | 2025-05-14 | Zoom Workplace Apps - Cross-site Scripting |
| CVE-2025-30665 | 2025-05-14 | Zoom Workplace Apps for Windows - NULL Pointer Dereference |
| CVE-2025-30666 | 2025-05-14 | Zoom Workplace Apps for Windows - NULL Pointer Dereference |
| CVE-2025-30667 | 2025-05-14 | Zoom Workplace Apps - NULL Pointer Dereference |
| CVE-2025-0130 | 2025-05-14 | PAN-OS: Firewall Denial-of-Service (DoS) in the Web-Proxy Feature via a Burst of Maliciously Crafted Packets |
| CVE-2025-30668 | 2025-05-14 | Zoom Workplace Apps - NULL Pointer Dereference |
| CVE-2025-46785 | 2025-05-14 | Zoom Workplace Apps for Windows - Buffer Over-read |
| CVE-2025-4664 | 2025-05-14 | Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) |
| CVE-2025-46786 | 2025-05-14 | Zoom Workplace Apps - Cross-site Scripting |
| CVE-2025-4637 | 2025-05-14 | Divide By Zero in dlib |
| CVE-2025-4638 | 2025-05-14 | Improper Pointer Arithmetic in pcl |
| CVE-2025-4639 | 2025-05-14 | Improper Restriction of XML External Entity Reference in Peergos |
| CVE-2025-0131 | 2025-05-14 | GlobalProtect App: Incorrect Privilege Management Vulnerability in OPSWAT MetaDefender Endpoint Security SDK |
| CVE-2025-4640 | 2025-05-14 | Out-of-bounds Write in pcl |
| CVE-2025-0132 | 2025-05-14 | Cortex XDR Broker VM: Unauthenticated User Can Disable Internal Services |
| CVE-2025-0133 | 2025-05-14 | PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Gateway and Portal |
| CVE-2025-0134 | 2025-05-14 | Cortex XDR Broker VM: Authenticated Code Injection Vulnerability in Broker VM |
| CVE-2025-0135 | 2025-05-14 | GlobalProtect App on macOS: Non Admin User Can Disable the GlobalProtect App |
| CVE-2025-4641 | 2025-05-14 | XML External Entity (XXE) injection vulnerability in WebDriverManager |
| CVE-2025-0137 | 2025-05-14 | PAN-OS: Improper Neutralization of Input in the Management Web Interface |
| CVE-2025-0138 | 2025-05-14 | Prisma Cloud Compute Edition: Insufficient Session Expiration Vulnerability in the Web Interface |
| CVE-2025-0136 | 2025-05-14 | PAN-OS: Unencrypted Data Transfer when using AES-128-CCM on Intel-based hardware devices |
| CVE-2025-2900 | 2025-05-14 | IBM Semeru Runtime denial of service |
| CVE-2025-33104 | 2025-05-14 | IBM WebSphere Application Server cross |
| CVE-2025-47884 | 2025-05-14 | In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers... |
| CVE-2025-47885 | 2025-05-14 | Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers... |
| CVE-2025-47886 | 2025-05-14 | A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password. |
| CVE-2025-47887 | 2025-05-14 | Missing permission checks in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. |
| CVE-2025-47888 | 2025-05-14 | Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. |
| CVE-2025-47889 | 2025-05-14 | In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this... |
| CVE-2024-45067 | 2025-05-14 | Incorrect default permissions in some Intel(R) Gaudi(R) software installers before version 1.18 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2025-32421 | 2025-05-14 | Next.js Race Condition to Cache Poisoning |
| CVE-2025-46836 | 2025-05-14 | net-tools Stack-based Buffer Overflow vulnerability |
| CVE-2025-47783 | 2025-05-14 | label-studio vulnerable to Cross-Site Scripting (Reflected) via the label_config parameter. |
| CVE-2024-52877 | 2025-05-15 | An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before... |
| CVE-2024-52878 | 2025-05-15 | An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before... |
| CVE-2024-52879 | 2025-05-15 | An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before... |
| CVE-2024-52880 | 2025-05-15 | An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before... |
| CVE-2025-44110 | 2025-05-15 | FluxBB 1.5.11 is vulnerable to Cross Site Scripting (XSS) via the Forum Description Field in admin_forums.php. |
| CVE-2025-44180 | 2025-05-15 | Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /edit-brand.php?bid={brandId}. |
| CVE-2025-44181 | 2025-05-15 | Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/add-brand.php via the brandname parameter. |
| CVE-2025-44182 | 2025-05-15 | Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via the vehiclename, modelnumber, regnumber, vehiclesubtype, chasisnum, and enginenumber parameters in the /admin/edit-vehicle.php component. This allows attackers to execute... |
| CVE-2025-44183 | 2025-05-15 | Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/profile.php via the name, email, and mobile parameters. |
| CVE-2025-44185 | 2025-05-15 | SourceCodester Best Employee Management System V1.0 is vulnerable to Cross Site Request Forgery (CSRF) in /admin/change_pass.php via the password parameter. |
| CVE-2025-46052 | 2025-05-15 | An error-based SQL Injection (SQLi) vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL commands and extract sensitive data by injecting a crafted payload into the DEL form field... |
| CVE-2025-46053 | 2025-05-15 | A SQL Injection vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL commands and extract sensitive data by injecting a crafted payload into the ReportID and ReplaceReportID parameters within... |
| CVE-2025-48024 | 2025-05-15 | In BlueWave Checkmate before 2.1, an authenticated regular user can access sensitive application secrets via the /api/v1/settings endpoint. |
| CVE-2025-48027 | 2025-05-15 | The HttpAuth plugin in pGina.Fork through 3.9.9.12 allows authentication bypass when an adversary controls DNS resolution for pginaloginserver. |
| CVE-2025-48050 | 2025-05-15 | In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because... |
| CVE-2025-48051 | 2025-05-15 | powertip.ts in Lila (for Lichess) before ab0beaf allows XSS in some applications because of an innerHTML usage pattern in which text is extracted from a DOM node and interpreted as... |
| CVE-2025-4579 | 2025-05-15 | WP Content Security Plugin <= 2.3 - Unauthenticated Stored Cross-Site Scripting via CSP-Report Fields |
| CVE-2025-4589 | 2025-05-15 | Bon Toolkit <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-3917 | 2025-05-15 | 百度站长SEO合集(支持百度/神马/Bing/头条推送) <= 2.0.6 - Unauthenticated Arbitrary File Upload |
| CVE-2025-4126 | 2025-05-15 | EG-Series <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2025-4591 | 2025-05-15 | Weluka Lite <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-3053 | 2025-05-15 | UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.07 - Authenticated (Subscriber+) Remote Code Execution |
| CVE-2024-13914 | 2025-05-15 | File Manager Advanced Shortcode <= Multiple Versions - Authenticated (Administrator+) Local JavaScript File Inclusion via Shortcode |
| CVE-2025-3742 | 2025-05-15 | Responsive Lightbox & Gallery < 2.5.1 - Contributor+ Stored XSS |
| CVE-2025-27523 | 2025-05-15 | XXE vulnerability in JP1/IT Desktop Management 2 - Smart Device Manager |
| CVE-2025-27524 | 2025-05-15 | Weak encryption vulnerability in JP1/IT Desktop Management 2 - Smart Device Manager |
| CVE-2025-27525 | 2025-05-15 | Information Exposure vulnerability in JP1/IT Desktop Management 2 - Smart Device Manager |
| CVE-2025-4737 | 2025-05-15 | Insufficient encryption vulnerability in the mobile application (com.transsion.aivoiceassistant) may lead to the risk of sensitive information leakage. |
| CVE-2025-32002 | 2025-05-15 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when 'Remote... |
| CVE-2025-32738 | 2025-05-15 | Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product... |
| CVE-2025-31947 | 2025-05-15 | Repeated LDAP login failures can lock an LDAP account |
| CVE-2025-3446 | 2025-05-15 | Members Without Guest Invite Permissions Can Add Guests to Teams |
| CVE-2025-4564 | 2025-05-15 | TicketBAI Facturas para WooCommerce <= 3.18 - Unauthenticated Arbitrary File Deletion |
| CVE-2025-4762 | 2025-05-15 | Insecure Direct Object Reference (IDOR) vulnerability in eSignaViewer |
| CVE-2025-4695 | 2025-05-15 | PHPGurukul/Campcodes Cyber Cafe Management System add-users.php sql injection |
| CVE-2025-4696 | 2025-05-15 | PHPGurukul/Campcodes Cyber Cafe Management System search.php sql injection |
| CVE-2025-4697 | 2025-05-15 | PHPGurukul Directory Management System edit-directory.php sql injection |
| CVE-2025-4516 | 2025-05-15 | Use-after-free in "unicode_escape" decoder with error handler |
| CVE-2025-4698 | 2025-05-15 | PHPGurukul Directory Management System forget-password.php sql injection |
| CVE-2025-4699 | 2025-05-15 | PHPGurukul Apartment Visitors Management System visitors-form.php sql injection |
| CVE-2025-4701 | 2025-05-15 | VITA-MLLM Freeze-Omni utils.py torch.load deserialization |
| CVE-2025-4702 | 2025-05-15 | PHPGurukul Vehicle Parking Management System add-category.php sql injection |
| CVE-2025-2527 | 2025-05-15 | Improper access control to group information |
| CVE-2025-2570 | 2025-05-15 | System Admin Cannot Access Environment settings in System Console While System Manager Can |
| CVE-2025-4703 | 2025-05-15 | PHPGurukul Vehicle Parking Management System admin-profile.php sql injection |
| CVE-2025-4704 | 2025-05-15 | PHPGurukul Vehicle Parking Management System edit-category.php sql injection |
| CVE-2025-3440 | 2025-05-15 | IBM Security Guardium cross-site scripting |
| CVE-2025-4705 | 2025-05-15 | PHPGurukul Vehicle Parking Management System view-incomingvehicle-detail.php sql injection |