Total
286780 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-29993 | 2025-03-27 | N/A | ||
| The affected versions of PowerCMS allow HTTP header injection. This vulnerability can be leveraged to direct the affected product to send email with a tampered URL, such as password reset mail. | ||||
| CVE-2024-50629 | 2025-03-27 | 5.3 Medium | ||
| Improper encoding or escaping of output vulnerability in the webapi component in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allow remote attackers to read limited files via unspecified vectors. | ||||
| CVE-2024-10445 | 2025-03-27 | 4.3 Medium | ||
| Improper certificate validation vulnerability in the update functionality in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allow remote attackers to write limited files via unspecified vectors. | ||||
| CVE-2024-10441 | 2025-03-27 | 9.8 Critical | ||
| Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to execute arbitrary code via unspecified vectors. | ||||
| CVE-2024-45361 | 2025-03-27 | 6.5 Medium | ||
| A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to leak sensitive user information. | ||||
| CVE-2024-45356 | 2025-03-27 | 7.3 High | ||
| A unauthorized access vulnerability exists in the Xiaomi phone framework. The vulnerability is caused by improper validation and can be exploited by attackers to Access sensitive methods. | ||||
| CVE-2024-45355 | 2025-03-27 | 5.5 Medium | ||
| A unauthorized access vulnerability exists in the Xiaomi phone framework. The vulnerability is caused by improper validation and can be exploited by attackers to Access sensitive methods. | ||||
| CVE-2024-45354 | 2025-03-27 | 4.3 Medium | ||
| A code execution vulnerability exists in the Xiaomi shop applicationproduct. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code. | ||||
| CVE-2024-45353 | 2025-03-27 | 4.3 Medium | ||
| An intent redriction vulnerability exists in the Xiaomi quick App framework application product. The vulnerability is caused by improper input validation and can be exploited by attackers tointent redriction. | ||||
| CVE-2024-45346 | 1 Xiaomi | 1 Getapps Application | 2025-03-27 | 8.8 High |
| The Xiaomi Security Center expresses heartfelt thanks to Ken Gannon and Ilyes Beghdadi of NCC Group working with Trend Micro Zero Day Initiative! At the same time, we also welcome more outstanding and professional security experts and security teams to join the Mi Security Center (MiSRC) to jointly ensure the safe access of millions of Xiaomi users worldwide Life. | ||||
| CVE-2024-45348 | 1 Mi | 2 Ax9000, Ax9000 Firmware | 2025-03-27 | 6.4 Medium |
| Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code. | ||||
| CVE-2025-2720 | 2025-03-27 | 3.3 Low | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: According to the code maintainer the call of the POC is invalid because the buffer pointed to by "data" must have "len" valid bytes. The docs were updated to make that clear. | ||||
| CVE-2025-2685 | 2025-03-27 | 6.4 Medium | ||
| The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘table-name’ parameter in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-2332 | 2025-03-27 | 9.8 Critical | ||
| The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | ||||
| CVE-2025-0273 | 2025-03-27 | 5.5 Medium | ||
| HCL DevOps Deploy / HCL Launch stores potentially sensitive authentication token information in log files that could be read by a local user. | ||||
| CVE-2023-23750 | 1 Joomla | 1 Joomla\! | 2025-03-27 | 6.3 Medium |
| An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages. | ||||
| CVE-2023-23751 | 1 Joomla | 1 Joomla\! | 2025-03-27 | 4.3 Medium |
| An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs. | ||||
| CVE-2024-27185 | 1 Joomial Project | 1 Joomial Cms | 2025-03-27 | 9.1 Critical |
| The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors. | ||||
| CVE-2025-26601 | 3 Redhat, Tigervnc, X.org | 9 Enterprise Linux, Rhel Aus, Rhel E4s and 6 more | 2025-03-27 | 7.8 High |
| A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers. | ||||
| CVE-2025-26600 | 3 Redhat, Tigervnc, X.org | 9 Enterprise Linux, Rhel Aus, Rhel E4s and 6 more | 2025-03-27 | 7.8 High |
| A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free. | ||||