| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method. NOTE: the vendor's position is that this is intended behavior. |
| A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration. |
| An out-of-bounds read vulnerability has been discovered in Monkey's Audio 11.31, specifically in the CAPECharacterHelper::GetUTF16FromUTF8 function. The issue arises from improper handling of the length of the input UTF-8 string, causing the function to read past the memory boundary. This vulnerability may result in a crash or expose sensitive data. |
| Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LC Wizard: from n/a through <= 2.1.1. |
| The SolarWinds Dameware Mini Remote Control was determined to be affected by Incorrect Permissions Local Privilege Escalation Vulnerability. This vulnerability requires local access and a valid low privilege account to be susceptible to this vulnerability. |
| A privilege escalation vulnerability exists in Google Cloud's Dialogflow CX.
Dialogflow agent developers with Webhook editor permission are able to configure Webhooks using Dialogflow service agent access token authentication.
This allows the attacker to escalate their privileges from agent-level to project-level, granting them unauthorized access to manage resources in services associated with the project, leading to unexpected costs and resource depletion for the producer project.
A fix was applied on the server side to protect from this vulnerability in February 2025. No customer action is required. |
| Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6. |
| Delinea Privilege Manager before 12.0.2 mishandles the security of the Windows agent. |
| The com.videodownload.browser.videodownloader (aka AppTool-Browser-Video All Video Downloader) application 20-30.05.24 for Android allows an attacker to execute arbitrary JavaScript code via the acr.browser.lightning.DefaultBrowserActivity component. |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS).This issue affects Tap&Sign: through 23012026.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| The fix for CVE-2024-26261 was incomplete, and and the specific package for OAKlouds from Hgiga remains at risk. Unauthenticated remote attackers still can download arbitrary system files, which may be deleted subsequently . |
| Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php.
This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js.
This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. |
| There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. |
| User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing.
The SaaS AI assistant ignores hidden content that is rendered after signing, misleading the user.
For reference see: CVE-2024-52276
This issue affects DocuSign: through 2024-12-04. |
| Divide By Zero vulnerability in davisking dlib allows
remote attackers to cause a denial of service via a crafted file.
.This issue affects dlib: before <19.24.7. |
| A denial-of-service vulnerability was reported in some Lenovo printers that could allow an unauthenticated attacker on a shared network to prevent printer services from being reachable until the system is rebooted. |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php.
This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0. |
| The Videojs HTML5 Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's videojs_video shortcode in all versions up to, and including, 1.1.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Longse model LBH30FE200W cameras, as well as products based on this device, make use of telnet passwords which follow a specific pattern. Once the pattern is known, brute-forcing the password becomes relatively easy.
Additionally, every camera with the same firmware version shares the same password. |
