Total
5516 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-33184 | 1 Nvidia | 1 Isaac-gr00t | 2025-11-19 | 7.8 High |
| NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2025-33183 | 1 Nvidia | 1 Isaac-gr00t | 2025-11-19 | 7.8 High |
| NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2025-34086 | 2 Bolt, Boltcms | 2 Bolt Cms, Bolt | 2025-11-19 | 8.8 High |
| Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file. NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021. | ||||
| CVE-2025-13202 | 2 Code-projects, Fabian | 2 Simple Cafe Ordering System, Simple Cafe Ordering System | 2025-11-19 | 3.5 Low |
| A security flaw has been discovered in code-projects Simple Cafe Ordering System 1.0. This affects an unknown part of the file /add_to_cart. Performing manipulation of the argument product_name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | ||||
| CVE-2025-13244 | 2 Code-projects, Fabian | 2 Student Information System, Student Information System | 2025-11-19 | 4.3 Medium |
| A vulnerability was determined in code-projects Student Information System 2.0. The affected element is an unknown function of the file /register.php. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-13245 | 2 Code-projects, Fabian | 2 Student Information System, Student Information System | 2025-11-19 | 3.5 Low |
| A vulnerability was identified in code-projects Student Information System 2.0. The impacted element is an unknown function of the file /editprofile.php. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | ||||
| CVE-2025-34123 | 1 Videocharge | 1 Videocharge Studio | 2025-11-19 | N/A |
| A stack-based buffer overflow vulnerability exists in VideoCharge Studio 2.12.3.685 when processing a specially crafted .VSC configuration file. The issue occurs due to improper handling of user-supplied data in the XML 'Name' attribute, leading to an SEH overwrite condition. An attacker can exploit this vulnerability by convincing a user to open a malicious .VSC file, resulting in arbitrary code execution under the context of the user. | ||||
| CVE-2025-34159 | 1 Coollabs | 1 Coolify | 2025-11-19 | 8.8 High |
| Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server. | ||||
| CVE-2025-7711 | 2 Techlabpro1, Wordpress | 2 Classified Listing Plugin, Wordpress | 2025-11-18 | 5.4 Medium |
| The The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. | ||||
| CVE-2025-13232 | 1 Projectsend | 1 Projectsend | 2025-11-18 | 3.5 Low |
| A flaw has been found in projectsend up to r1720. Impacted is an unknown function of the component File Editor/Custom Download Aliases. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version r1945 is recommended to address this issue. Patch name: 334da1ea39cb12f6b6e98dd2f80bb033e0c7b845. It is advisable to upgrade the affected component. | ||||
| CVE-2025-13182 | 1 Pojoin | 1 H3blog | 2025-11-18 | 3.5 Low |
| A vulnerability was identified in pojoin h3blog 1.0. The impacted element is an unknown function of the file /admin/cms/category/addtitle. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. | ||||
| CVE-2025-13181 | 1 Pojoin | 1 H3blog | 2025-11-18 | 3.5 Low |
| A vulnerability was determined in pojoin h3blog 1.0. The affected element is an unknown function of the file /admin/cms/material/add. Executing manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | ||||
| CVE-2025-34277 | 1 Nagios | 1 Log Server | 2025-11-17 | 9.8 Critical |
| Nagios Log Server versions prior to 2024R1.3.1 contain a code injection vulnerability where malformed dashboard ID values are not properly validated before being forwarded to an internal API. An attacker able to supply crafted dashboard ID values can cause the system to execute attacker-controlled data, leading to arbitrary code execution in the context of the Log Server process. | ||||
| CVE-2024-48829 | 1 Dell | 1 Smartfabric Os10 | 2025-11-17 | 6.7 Medium |
| Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Control of Generation of Code ('Code Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution. | ||||
| CVE-2025-9647 | 1 Mtons | 1 Mblog | 2025-11-14 | 4.3 Medium |
| A weakness has been identified in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /admin/role/list. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | ||||
| CVE-2025-23357 | 1 Nvidia | 1 Megatron-lm | 2025-11-14 | 7.8 High |
| NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering. | ||||
| CVE-2025-13058 | 1 Extplorer | 1 Extplorer | 2025-11-14 | 3.5 Low |
| A security flaw has been discovered in soerennb eXtplorer up to 2.1.15. The affected element is an unknown function of the component Filename Handler. The manipulation results in cross site scripting. The attack may be launched remotely. The patch is identified as 002def70b985f7012586df2c44368845bf405ab3. Applying a patch is advised to resolve this issue. | ||||
| CVE-2025-12733 | 2 Wordpress, Wpallimport | 2 Wordpress, Import Any Xml | 2025-11-14 | 8.8 High |
| The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval() on unsanitized user-supplied input in the pmxi_if function within helpers/functions.php. This makes it possible for authenticated attackers, with import capabilities (typically administrators), to inject and execute arbitrary PHP code on the server via crafted import templates. This can lead to remote code execution. | ||||
| CVE-2025-12813 | 2 Strix-bubol5, Wordpress | 2 Holiday Class Post Calendar, Wordpress | 2025-11-14 | 9.8 Critical |
| The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server. | ||||
| CVE-2025-5757 | 1 Carmelo | 1 Traffic Offense Reporting System | 2025-11-13 | 3.5 Low |
| A vulnerability was found in code-projects Traffic Offense Reporting System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /save-reported.php. The manipulation of the argument offence_id/vehicle_no/driver_license/name/address/gender/officer_reporting/offence leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||