CVE List - 2025 / May
Showing 601 - 700 of 3982 CVEs for May 2025 (Page 7 of 40)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-29573 | 2025-05-05 | Cross-Site Scripting (XSS) vulnerability exists in Mezzanine CMS 6.0.0 in the "View Entries" feature within the Forms module. |
| CVE-2025-43915 | 2025-05-05 | In Linkerd edge releases before edge-25.2.1, and Buoyant Enterprise for Linkerd releases 2.13.0–2.13.7, 2.14.0–2.14.10, 2.15.0–2.15.7, 2.16.0–2.16.4, and 2.17.0–2.17.1, resource exhaustion can occur for Linkerd proxy metrics. |
| CVE-2025-44071 | 2025-05-05 | SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component phomebak.php. This vulnerability allows attackers to execute arbitrary code via a crafted request. |
| CVE-2025-44072 | 2025-05-05 | SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_manager.php. |
| CVE-2025-44074 | 2025-05-05 | SeaCMS v13.3 was discovered to contain a SQL injection vulnerability via the component admin_topic.php. |
| CVE-2025-45042 | 2025-05-05 | Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. |
| CVE-2025-45236 | 2025-05-05 | A stored cross-site scripting (XSS) vulnerability in the Edit Profile feature of DBSyncer v2.0.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the... |
| CVE-2025-45237 | 2025-05-05 | Incorrect access control in the component /config/download of DBSyncer v2.0.6 allows attackers to access the JSON file containing sensitive account information, including the encrypted password. |
| CVE-2025-45238 | 2025-05-05 | foxcms v1.2.5 was discovered to contain an arbitrary file deletion vulnerability via the delRestoreSerie method. |
| CVE-2025-45239 | 2025-05-05 | An issue in the restores method (DataBackup.php) of foxcms v2.0.6 allows attackers to execute a directory traversal. |
| CVE-2025-45240 | 2025-05-05 | foxcms v1.2.5 was discovered to contain a SQL injection vulnerability via the executeCommand method in DataBackup.php. |
| CVE-2025-45242 | 2025-05-05 | Rhymix v2.1.22 was discovered to contain an arbitrary file deletion vulnerability via the procFileAdminEditImage method in /file/file.admin.controller.php. |
| CVE-2025-45320 | 2025-05-05 | A Directory Listing Vulnerability was found in the /osms/Requester/ directory of the Kashipara Online Service Management Portal V1.0. |
| CVE-2025-45321 | 2025-05-05 | kashipara Online Service Management Portal V1.0 is vulnerable to SQL Injection in /osms/Requester/Requesterchangepass.php via the parameter: rPassword. |
| CVE-2025-45322 | 2025-05-05 | kashipara Online Service Management Portal V1.0 is vulnerable to SQL Injection in osms/Requester/CheckStatus.php via the checkid parameter. |
| CVE-2025-45607 | 2025-05-05 | An issue in the component /manage/ of itranswarp v2.19 allows attackers to bypass authentication via a crafted request. |
| CVE-2025-45608 | 2025-05-05 | Incorrect access control in the /system/user/findUserList API of Xinguan v0.0.1-SNAPSHOT allows attackers to access sensitive information via a crafted payload. |
| CVE-2025-45609 | 2025-05-05 | Incorrect access control in the doFilter function of kob latest v1.0.0-SNAPSHOT allows attackers to access sensitive information via a crafted payload. |
| CVE-2025-45610 | 2025-05-05 | Incorrect access control in the component /scheduleLog/info/1 of PassJava-Platform v3.0.0 allows attackers to access sensitive information via a crafted payload. |
| CVE-2025-45611 | 2025-05-05 | Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request. |
| CVE-2025-45612 | 2025-05-05 | Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index. |
| CVE-2025-45613 | 2025-05-05 | Incorrect access control in the component /user/list of Shiro-Action v0.6 allows attackers to access sensitive information via a crafted payload. |
| CVE-2025-45614 | 2025-05-05 | Incorrect access control in the component /api/user/manager of One v1.0 allows attackers to access sensitive information via a crafted payload. |
| CVE-2025-45615 | 2025-05-05 | Incorrect access control in the /admin/ API of yaoqishan v0.0.1-SNAPSHOT allows attackers to gain access to Admin rights via a crafted request. |
| CVE-2025-45616 | 2025-05-05 | Incorrect access control in the /admin/** API of brcc v1.2.0 allows attackers to gain access to Admin rights via a crafted request. |
| CVE-2025-45617 | 2025-05-05 | Incorrect access control in the component /user/list of production_ssm v0.0.1-SNAPSHOT allows attackers to access sensitive information via a crafted payload. |
| CVE-2025-45618 | 2025-05-05 | Incorrect access control in the component /admin/sys/datasource/ajaxList of jeeweb-mybatis-springboot v0.0.1.RELEASE allows attackers to access sensitive information via a crafted payload. |
| CVE-2025-45751 | 2025-05-05 | SourceCodester Web Based Pharmacy Product Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in add-admin.php via the Fullname text field. |
| CVE-2025-47268 | 2025-05-05 | ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow... |
| CVE-2025-4255 | 2025-05-05 | PCMan FTP Server RMD Command buffer overflow |
| CVE-2025-4256 | 2025-05-05 | SeaCMS admin_paylog.php cross site scripting |
| CVE-2025-4257 | 2025-05-05 | SeaCMS admin_pay.php cross site scripting |
| CVE-2025-4258 | 2025-05-05 | zhangyanbo2007 youkefu MediaController.java upload unrestricted upload |
| CVE-2025-4259 | 2025-05-05 | newbee-mall UploadController.java upload unrestricted upload |
| CVE-2025-4260 | 2025-05-05 | zhangyanbo2007 youkefu TemplateController.java impsave deserialization |
| CVE-2025-20666 | 2025-05-05 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base... |
| CVE-2025-20667 | 2025-05-05 | In Modem, there is a possible information disclosure due to incorrect error handling. This could lead to remote information disclosure, if a UE has connected to a rogue base station... |
| CVE-2025-20671 | 2025-05-05 | In thermal, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained... |
| CVE-2025-20668 | 2025-05-05 | In scp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already... |
| CVE-2025-20670 | 2025-05-05 | In Modem, there is a possible permission bypass due to improper certificate validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station... |
| CVE-2025-20665 | 2025-05-05 | In devinfo, there is a possible information disclosure due to a missing SELinux policy. This could lead to local information disclosure of device identifier with no additional execution privileges needed.... |
| CVE-2025-4261 | 2025-05-05 | GAIR-NLP factool tool.py run_single code injection |
| CVE-2025-4262 | 2025-05-05 | PHPGurukul Online DJ Booking Management System user-search.php sql injection |
| CVE-2025-4263 | 2025-05-05 | PHPGurukul Online DJ Booking Management System booking-search.php sql injection |
| CVE-2025-4264 | 2025-05-05 | PHPGurukul Emergency Ambulance Hiring Portal edit-ambulance.php sql injection |
| CVE-2025-4265 | 2025-05-05 | PHPGurukul Emergency Ambulance Hiring Portal contact-us.php sql injection |
| CVE-2025-4266 | 2025-05-05 | PHPGurukul Notice Board System bwdates-reports-details.php sql injection |
| CVE-2025-3583 | 2025-05-05 | Newsletter < 8.7.1 - Admin+ Stored XSS |
| CVE-2025-4267 | 2025-05-05 | SourceCodester/oretnom23 Stock Management System Purchase Order Details Page view_po sql injection |
| CVE-2025-39363 | 2025-05-05 | WordPress Custom Login and Registration <= 1.0.0 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-4268 | 2025-05-05 | TOTOLINK A720R cstecgi.cgi missing authentication |
| CVE-2025-4269 | 2025-05-05 | TOTOLINK A720R Log cstecgi.cgi access control |
| CVE-2025-4270 | 2025-05-05 | TOTOLINK A720R Config cstecgi.cgi information disclosure |
| CVE-2025-4271 | 2025-05-05 | TOTOLINK A720R cstecgi.cgi information disclosure |
| CVE-2025-2905 | 2025-05-05 | An XML External Entity (XXE) vulnerability in Multiple WSO2 Products |
| CVE-2025-4272 | 2025-05-05 | Mechrevo Control Console GCUService csCAPI.dll uncontrolled search path |
| CVE-2025-2545 | 2025-05-05 | Deprecated 3DES cryptographic algorithm used by Request Tracker in emails encrypted with S/MIME |
| CVE-2025-4316 | 2025-05-05 | Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface... |
| CVE-2024-58098 | 2025-05-05 | bpf: track changes_pkt_data property for global functions |
| CVE-2024-58100 | 2025-05-05 | bpf: check changes_pkt_data property for extension programs |
| CVE-2024-58237 | 2025-05-05 | bpf: consider that tail calls invalidate packet pointers |
| CVE-2025-4281 | 2025-05-05 | Shenzhen Sixun Software Sixun Shanghui Group Business Management System LoadData information disclosure |
| CVE-2024-11615 | 2025-05-05 | Envolve Plugin <= 1.0 - Unauthenticated Language File Deletion |
| CVE-2025-1992 | 2025-05-05 | IBM Db2 denial of service |
| CVE-2025-0217 | 2025-05-05 | Privileged Remote Access Authentication Bypass |
| CVE-2024-51991 | 2025-05-05 | October CMS Allows Unprotected SVG Rename in Media Manager |
| CVE-2025-24977 | 2025-05-05 | OpenCTI has remote code execution and sensitive secrets exposed through web hook |
| CVE-2025-43842 | 2025-05-05 | GHSL-2025-012_Retrieval-based-Voice-Conversion-WebUI |
| CVE-2025-43843 | 2025-05-05 | GHSL-2025-013_Retrieval-based-Voice-Conversion-WebUI |
| CVE-2025-43844 | 2025-05-05 | GHSL-2025-014_Retrieval-based-Voice-Conversion-WebUI |
| CVE-2025-43845 | 2025-05-05 | GHSL-2025-015_Retrieval-based-Voice-Conversion-WebUI |
| CVE-2025-43846 | 2025-05-05 | GHSL-2025-016_Retrieval-based-Voice-Conversion-WebUI |
| CVE-2025-43847 | 2025-05-05 | GHSL-2025-017_Retrieval-based-Voice-Conversion-WebUI |
| CVE-2025-43848 | 2025-05-05 | GHSL-2025-018_Retrieval-based-Voice-Conversion-WebUI |
| CVE-2025-4282 | 2025-05-05 | SourceCodester/oretnom23 Stock Management System Users.php cross-site request forgery |
| CVE-2025-4096 | 2025-05-05 | Heap buffer overflow in HTML in Google Chrome prior to 136.0.7103.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2025-4050 | 2025-05-05 | Out of bounds memory access in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit... |
| CVE-2025-4051 | 2025-05-05 | Insufficient data validation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control... |
| CVE-2025-4052 | 2025-05-05 | Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via... |
| CVE-2025-4318 | 2025-05-05 | Input validation issue in AWS Amplify Studio UI component properties |
| CVE-2025-43849 | 2025-05-05 | GHSL-2025-019_Retrieval-based-Voice-Conversion-WebUI |
| CVE-2025-43850 | 2025-05-05 | GHSL-2025-020_Retrieval-based-Voice-Conversion-WebUI |
| CVE-2025-43851 | 2025-05-05 | GHSL-2025-021_Retrieval-based-Voice-Conversion-WebUI |
| CVE-2025-43852 | 2025-05-05 | GHSL-2025-022_Retrieval-based-Voice-Conversion-WebUI |
| CVE-2025-4279 | 2025-05-05 | External image replace <= 1.0.8 - Authenticated (Contributor+) Arbitrary File Upload |
| CVE-2025-46335 | 2025-05-05 | Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload |
| CVE-2025-46553 | 2025-05-05 | @misskey-dev/summaly Redirect Filter Bypass |
| CVE-2025-4283 | 2025-05-05 | SourceCodester/oretnom23 Stock Management System Login.php sql injection |
| CVE-2025-46340 | 2025-05-05 | Misskey CSS Style Injection Vulnerability In `MkUrlPreview` |
| CVE-2025-46559 | 2025-05-05 | Misskey Directory Traversal Vulnerability in AiScript via `Mk:api` |
| CVE-2024-42212 | 2025-05-05 | HCL BigFix Compliance is affected by an improper or missing SameSite attribute |
| CVE-2025-46571 | 2025-05-05 | Open WebUI vulnerable to limited stored XSS vila uploaded html file |
| CVE-2025-46719 | 2025-05-05 | Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions |
| CVE-2025-46720 | 2025-05-05 | Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields |
| CVE-2024-42213 | 2025-05-05 | HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment |
| CVE-2025-46726 | 2025-05-05 | Langroid Vulnerable to XXE Injection via XMLToolMessage |
| CVE-2025-4286 | 2025-05-05 | Intelbras InControl Dispositivos Edição Page credentials storage |
| CVE-2025-46730 | 2025-05-05 | Mobile Security Framework (MobSF) Allows Web Server Resource Exhaustion via ZIP of Death Attack |
| CVE-2025-46731 | 2025-05-05 | Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI |
| CVE-2025-1909 | 2025-05-05 | BuddyBoss Platform Pro <= 2.7.01 - Authentication Bypass via Apple OAuth provider |