Total: 286780 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2025-29770 | | | 2025-03-19 | 6.5 Medium | vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. The outlines library is one of the backends used by vLLM to support structured output (a.k.a. guided decoding). Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has been on by default in vLLM. Outlines is also available by default through the OpenAI compatible API server. The affected code in vLLM is vllm/model_executor/guided_decoding/outlines_logits_processors.py, which unconditionally uses the cache from outlines. A malicious user can send a stream of very short decoding requests with unique schemas, resulting in an addition to the cache for each request. This can result in a Denial of Service if the filesystem runs out of space. Note that even if vLLM was configured to use a different backend by default, it is still possible to choose outlines on a per-request basis using the guided_decoding_backend key of the extra_body field of the request. This issue applies only to the V0 engine and is fixed in 0.8.0.
CVE-2025-29925 | | | 2025-03-19 | N/A | XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. This is particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered based on page rights.
CVE-2025-29924 | | | 2025-03-19 | N/A | XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it is possible for a user to get access to private information through the REST API (but possibly also through another API) when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages". It is possible to detect the vulnerability by enabling "Prevent unregistered users to view pages" and then trying to access a page through the REST API without using any credentials. The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1.
CVE-2025-27705 | | | 2025-03-19 | N/A | There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.53. Attackers with system administrator permissions can interfere with another system administrator's use of the management console when the second administrator logs in. Attack complexity is high, attack requirements are present, privileges required are none, user interaction is required. The impact to confidentiality is low, the impact to availability is none, and the impact to system integrity is none.
CVE-2025-26699 | 1 Redhat | 1 Ansible Automation Platform | 2025-03-19 | 5 Medium | An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
CVE-2025-25684 | | | 2025-03-19 | 7.5 High | A lack of validation in the path parameter (/download) of GL-INet Beryl AX GL-MT3000 v4.7.0 allows attackers to download arbitrary files from the device's file system via a crafted POST request.
CVE-2024-6244 | 2 Projectzealous, Wordpress Plugin | 2 Pz Frontend Manager, Pz Frontend Manager | 2025-03-19 | 8.8 High | The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.
CVE-2024-40786 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-03-19 | 7.5 High | This issue was addressed through improved state management. This issue is fixed in iOS 17.6 and iPadOS 17.6, iOS 16.7.9 and iPadOS 16.7.9, macOS Ventura 13.6.8. An attacker may be able to view sensitive user information.
CVE-2024-39936 | 2 Qt, Redhat | 7 Qt, Enterprise Linux, Rhel Aus and 4 more | 2025-03-19 | 8.6 High | An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.
CVE-2024-38466 | 1 Guoxinled | 1 Synthesis Image System | 2025-03-19 | 9.8 Critical | Shenzhen Guoxin Synthesis image system before 8.3.0 has a 123456Qw default password.
CVE-2024-1231 | 1 Cminds | 1 Cm Download Manager | 2025-03-19 | 6.8 Medium | The CM Download Manager WordPress plugin before 2.9.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins unpublish downloads via a CSRF attack.
CVE-2023-42962 | 1 Apple | 2 Ipados, Iphone Os | 2025-03-19 | 7.5 High | This issue was addressed with improved checks. This issue is fixed in iOS 17.2 and iPadOS 17.2, iOS 16.7.3 and iPadOS 16.7.3. A remote attacker may be able to cause a denial-of-service.
CVE-2023-33140 | 1 Microsoft | 1 Onenote | 2025-03-19 | 6.5 Medium | Microsoft OneNote Spoofing Vulnerability
CVE-2023-23459 | 2 Microsoft, Priority-software | 2 Windows, Priority | 2025-03-19 | 9.1 Critical | Priority Windows may allow Command Execution via SQL Injection using an unspecified method.
CVE-2023-23458 | 1 Sunellsecurity | 14 Sn-adr3804e1, Sn-adr3804e1 Firmware, Sn-adr3808e1 and 11 more | 2025-03-19 | 6.5 Medium | Sunell DVR, latest version, CWE-200: Exposure of Sensitive Information to an Unauthorized Actor through an unspecified request.
CVE-2023-23004 | 1 Linux | 1 Linux Kernel | 2025-03-19 | 5.5 Medium | In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
CVE-2022-32478 | 1 Insyde | 1 Insydeh2o | 2025-03-19 | 7 High | An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the IdeBusDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.
CVE-2021-45422 | 1 Reprisesoftware | 1 Reprise License Manager | 2025-03-19 | 6.1 Medium | Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability in the /goform/activate_process "count" parameter via GET. No authentication is required.
CVE-2019-13029 | 1 Vanderbilt | 1 Redcap | 2025-03-19 | N/A | Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.
CVE-2019-1000018 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2025-03-19 | 7.8 High | rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the allowscp permission that can result in local command execution. This attack appears to be exploitable by an authorized SSH user with the allowscp permission.