πŸ” Search

Found 500 results for "cve"

Showing 121 - 140 of 500 results (limited to 500 results)

πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ November 04, 2025

CVE-2025-54863

Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file. This allows attackers to remotely alter weather data and configurations, automate attacks against multiple instances, and extract sensitive meteorological data, which could potentially compromise airport operations. Additionally, attackers could flood the system with false alerts, leading to a denial-of-service condition and significant disruption to airport operations. Unauthorized remote control over aviation weather monitoring and data manipulation could result in incorrect flight planning and hazardous takeoff and landing conditions.

EPSS: 0.1%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 31, 2025

CVE-2025-29270

Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows attackers to gain access to the admin panel and complete control of the device.

EPSS: 0.1%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 31, 2025

CVE-2025-52665

A malicious actor with access to the management network could exploit a misconfiguration in UniFi’s door access application, UniFi Access, that exposed a management API without proper authentication. This vulnerability was introduced in Version 3.3.22 and was fixed in Version 4.0.21 and later.Β  Affected Products: UniFi Access Application (Version 3.3.22 through 3.4.31). 
 Mitigation: Update your UniFi Access Application to Version 4.0.21 or later.

EPSS: 10.6%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 28, 2025

CVE-2025-64095

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. An unauthenticated user can upload and replace existing files allowing defacing a website and combined with other issue, injection XSS payloads. This vulnerability is fixed in 10.1.1.

EPSS: 15.2%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 27, 2025

CVE-2025-61481

An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to execute injected JavaScript in the administrator’s browser and intercept credentials.

EPSS: 0.0%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 23, 2025

CVE-2025-61934

A binding to an unrestricted IP address vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and read, write, or delete arbitrary files and folders on the target machine

EPSS: 0.2%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 23, 2025

CVE-2025-59503

Server-side request forgery (ssrf) in Azure Compute Gallery allows an unauthorized attacker to elevate privileges over a network.

EPSS: 0.2%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 22, 2025

CVE-2025-60206

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone alone allows Code Injection.This issue affects Alone: from n/a through <= 7.8.3.

EPSS: 0.0%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 22, 2025

CVE-2025-57870

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.

EPSS: 0.2%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 22, 2025

CVE-2025-49060

Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Wastia wastia allows Upload a Web Shell to a Web Server.This issue affects Wastia: from n/a through < 1.1.3.

EPSS: 0.1%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 22, 2025

CVE-2025-48106

Unrestricted Upload of File with Dangerous Type vulnerability in CMSSuperHeroes Clanora clanora allows Using Malicious Files.This issue affects Clanora: from n/a through < 1.3.1.

EPSS: 0.1%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 20, 2025

CVE-2025-9574

Missing Authentication for Critical Function vulnerability in ABB ALS-mini-s4 IP, ABB ALS-mini-s8 IP.This issue affects .Β  All firmware versions with the Serial Number from 2000 to 5166

EPSS: 0.1%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 17, 2025

CVE-2025-62168

Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication. The vulnerability is fixed in version 7.2. As a workaround, disable debug information in administrator mailto links generated by Squid by configuring squid.conf with email_err_data off.

EPSS: 0.2%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ October 07, 2025

CVE-2025-3450

An Improper Resource Locking vulnerability in the SDM component of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated network-based attacker to delete data causing denial of service conditions.

EPSS: 0.1%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ September 23, 2025

CVE-2025-9588

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Iron Mountain Archiving Services Inc. EnVision allows Command Injection.This issue affects enVision: before 250563.

EPSS: 0.3%
πŸ”’ CVE CRITICAL ⚠️ KEV CVSS: 10.0 β€’ September 18, 2025

CVE-2025-10035

A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.

EPSS: 59.3%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ September 09, 2025

CVE-2025-54261

ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution by an attacker. The victim must have optional configurations enabled. Scope is changed.

EPSS: 2.0%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ September 09, 2025

CVE-2025-42944

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability.

EPSS: 0.1%
πŸ”’ CVE CRITICAL CVSS: 10.0 β€’ September 04, 2025

CVE-2025-54914

Azure Networking Elevation of Privilege Vulnerability

EPSS: 0.2%
πŸ”’ CVE CRITICAL ⚠️ KEV CVSS: 10.0 β€’ August 21, 2025

CVE-2025-43300

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12. Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.

EPSS: 0.5%