UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Permission control vulnerability in the memory management module. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Logpoint before 7.7.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
Permission control vulnerability in the Settings module. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
UAF vulnerability in the screen recording framework module. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Permission control vulnerability in the distributed component. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
CSV formula injection vulnerability in HCL Technologies Ltd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Vulnerability of improper criterion security check in the call module. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
DoS vulnerability in the video-related system service module. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
WebITR developed by Uniong has an Arbitrary File Read vulnerability, allowing authenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Stack-based Buffer Overflow vulnerability in ABB Terra AC wallbox.8.33. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.
An issue was discovered in Logpoint before 7.7.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue was discovered in Logpoint before 7.7.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Permission control vulnerability in the startup recovery module. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Vulnerability of accessing invalid memory in the component driver module. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.
Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.3.8.0; Remote Desktop Manager: through 2025.3.23.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
UAF vulnerability in the screen recording framework module. Rated medium severity (CVSS 6.4). No vendor patch available.
File upload vulnerability in HCL Technologies Ltd. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Identity authentication bypass vulnerability in the Gallery app. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Permission control vulnerability in the print module. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Netskope was notified about a potential gap in its agent (NS Client) on Windows systems. Rated medium severity (CVSS 5.9), this vulnerability is low attack complexity. No vendor patch available.
UAF vulnerability in the USB driver module. Rated medium severity (CVSS 5.8). No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in HCL Technologies Ltd. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Permission control vulnerability in the Wi-Fi module. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Improper Privilege Management vulnerability in Apache Kvrocks.9.0 through v2.13.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.0.0 through 2.13.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial of service (DoS) vulnerability in the office service. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Permission control vulnerability in the Notepad module. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required. No vendor patch available.
Permission control vulnerability in the App Lock module. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required. No vendor patch available.
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Kivitendo before 3.9.2 allows XXE injection. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Permission control vulnerability in the file management module. Rated medium severity (CVSS 4.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Permission control vulnerability in the file management module. Rated medium severity (CVSS 4.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Configuration defect vulnerability in the file management module. Rated medium severity (CVSS 4.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. Rated low severity (CVSS 2.9), this vulnerability is no authentication required. No vendor patch available.
Mustang before 2.16.3 allows exfiltrating files via XXE attacks. Rated low severity (CVSS 2.8). No vendor patch available.