- CVE-2025-46616 • published on April 25, 2025
  Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage.
- CVE-2025-46617 • published on April 25, 2025
  Quantum StorNext Web GUI API before 7.2.4 grants access to internal StorNext configuration and unauthorized modification of some software configuration parameters via undocumented user credentials. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage.
- CVE-2025-46599 • published on April 25, 2025
  CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.
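The kubelet read-only port serves pod specs, including container environment variables, to anyone who can reach it. The following is an added example (not K3s or Kubernetes project code) that checks a node for an unauthenticated answer on port 10255 and then triages a PodList for credential-looking environment entries; the PodList embedded below is constructed for the demonstration, not captured from a cluster, and the function names are this example's own.

```python
"""
Added example, not K3s or Kubernetes project code: audit what an unauthenticated
kubelet read-only port (default 10255) hands out. probe_readonly_port() fetches
/pods from a node; triage_podlist() pulls the environment variables out of a
PodList that look like credentials. SAMPLE_PODLIST below is constructed for the
example, not captured from a real cluster.
"""
import json
import re
import urllib.request
from urllib.error import URLError

# Names that usually carry a secret when set as a literal env value (assumed list).
SECRET_NAME = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY|CREDENTIAL)", re.I)


def probe_readonly_port(host: str, port: int = 10255, timeout: float = 3.0):
    """Return the decoded PodList if /pods answers without auth, else None.

    A closed or filtered port, a non-200 status and a non-JSON body all count
    as "not exposed". Network access is required; the test below uses
    triage_podlist() on the constructed sample instead.
    """
    url = f"http://{host}:{port}/pods"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return json.load(resp)
    except (URLError, OSError, ValueError):
        return None


def triage_podlist(podlist: dict) -> list[dict]:
    """List env entries that leak through the read-only port.

    Two kinds are reported: a literal value under a secret-looking name (the
    value itself is exposed verbatim) and a valueFrom.secretKeyRef (only the
    Secret name/key a workload reads is exposed, which still maps targets).
    """
    findings: list[dict] = []
    for pod in podlist.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        where = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for env in c.get("env", []):
                name = env.get("name", "")
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    findings.append({"pod": where, "container": c.get("name"),
                                     "env": name, "kind": "secretKeyRef",
                                     "value": f"{ref.get('name')}/{ref.get('key')}"})
                elif "value" in env and SECRET_NAME.search(name):
                    findings.append({"pod": where, "container": c.get("name"),
                                     "env": name, "kind": "literal",
                                     "value": env["value"]})
    return findings


# Constructed PodList in the shape the kubelet returns from /pods (values invented).
SAMPLE_PODLIST = {
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "default", "name": "web-0"},
         "spec": {"containers": [
             {"name": "app",
              "env": [
                  {"name": "DB_PASSWORD", "value": "hunter2"},
                  {"name": "LOG_LEVEL", "value": "info"},
                  {"name": "API_TOKEN",
                   "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}},
              ]}]}},
        {"metadata": {"namespace": "kube-system", "name": "dns-1"},
         "spec": {"containers": [{"name": "coredns"}]}},
    ],
}


if __name__ == "__main__":
    import sys
    # Usage: python audit_readonly_port.py <node-ip>   (file name is this example's)
    pods = probe_readonly_port(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PODLIST
    if pods is None:
        print("read-only port did not answer /pods unauthenticated")
    else:
        for f in triage_podlist(pods):
            print(f"{f['pod']} {f['container']} {f['env']} [{f['kind']}] {f['value']}")
```

A node that answers `/pods` here is the condition the advisory describes; the remediation is a kubelet configuration in which `readOnlyPort` is 0, which disables the unauthenticated listener, and a host firewall rule for 10255 until the upgrade lands.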
- CVE-2025-46613 • published on April 25, 2025
  OpenPLC 3 through 64f9c11 has server.cpp Memory Corruption because a thread may access handleConnections arguments after the parent stack frame becomes unavailable.
- CVE-2025-2185 • published on April 24, 2025
  ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which could permit an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception.
- CVE-2025-3606 • published on April 24, 2025
  Vestel AC Charger version 3.75.0 contains a vulnerability that could enable an attacker to access files containing sensitive information, such as credentials which could be used to further compromise the device.
- CVE-2025-46275 • published on April 24, 2025
  WGS-80HPT-V2 and WGS-4215-8T2S are missing authentication that could allow an attacker to create an administrator account without knowing any existing credentials.
- CVE-2025-46274 • published on April 24, 2025
  UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to read, manipulate and create entries in the managed database.
- CVE-2025-46273 • published on April 24, 2025
  UNI-NMS-Lite uses hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices.
- CVE-2025-46272 • published on April 24, 2025
  WGS-80HPT-V2 and WGS-4215-8T2S are vulnerable to a command injection attack that could allow an unauthenticated attacker to execute OS commands on the host system.
- CVE-2025-46271 • published on April 24, 2025
  UNI-NMS-Lite is vulnerable to a command injection attack that could allow an unauthenticated attacker to read or manipulate device data.
- CVE-2025-1294 • published on April 24, 2025
  The eForm - WordPress Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.18.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- CVE-2025-3749 • published on April 24, 2025
  The Breeze Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cal_size' parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- CVE-2025-43861 • published on April 24, 2025
  ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the "Review Changes" dialog, the payload will be rendered and executed in the context of their own session. This issue has been patched in commit 2f177dc.
- CVE-2022-44759 • published on April 24, 2025
  Improper sanitization of SVG files in HCL Leap allows client-side script injection in deployed applications.
- CVE-2022-44760 • published on April 24, 2025
  Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications.
- CVE-2023-37516 • published on April 24, 2025
  Missing "no cache" headers in HCL Leap permits user directory information to be cached.
- CVE-2024-30127 • published on April 24, 2025
  Missing "no cache" headers in HCL Leap permits sensitive data to be cached.
- CVE-2025-26382 • published on April 24, 2025
  Under certain circumstances the iSTAR Configuration Utility (ICU) tool could have a buffer overflow issue.
-
CVE-2025-43859
•
published on April 24, 2025
h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.