Medium · CVSS 6.1
The mediapool feature of the Redaxo Core CMS application v 5.17.1 is vulnerable to Cross Site Scripting(XSS) which allows a remote attacker to escalate privileges
Published Nov 19, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.1
A stored cross-site scripting (XSS) vulnerability was identified in PHPGURUKUL Vehicle Parking Management System v1.13 in /users/profile.php. This vulnerability allows authenticated users to inject malicious XSS scripts into the profile name field.
Published Nov 26, 2024 · Updated Jul 5, 2026
Medium · CVSS 4.9
SemCms v4.8 was discovered to contain a SQL injection vulnerability. This allows an attacker to execute arbitrary code via the ldgid parameter in the SEMCMS_SeoAndTag.php component.
Published Nov 20, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
In TOTOLINK X6000R V9.4.0cu.1041_B20240224 in the shttpd file, the Uci_Set Str function is used without strict parameter filtering. An attacker can achieve arbitrary command execution by constructing the payload.
Published Nov 22, 2024 · Updated Jul 5, 2026
High · CVSS 8.1
Tenda AC6 v2.0 v15.03.06.50 was discovered to contain a buffer overflow in the function 'fromSetSysTime.
Published Nov 19, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file.
Published Nov 21, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
An arbitrary file upload vulnerability in the component \Roaming\Omega of OmegaT v6.0.1 allows attackers to execute arbitrary code via uploading a crafted .conf file.
Published Nov 21, 2024 · Updated Jul 5, 2026
High · CVSS 8.8
An arbitrary file upload vulnerability in ModbusMechanic v3.0 allows attackers to execute arbitrary code via uploading a crafted .xml file.
Published Nov 21, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
qiwen-file v1.4.0 was discovered to contain a SQL injection vulnerability via the component /mapper/NoticeMapper.xml.
Published Nov 26, 2024 · Updated Jul 5, 2026
Medium · CVSS 4.2
Quectel EC25-EUX EC25EUXGAR08A05M1G was discovered to contain a stack overflow.
Published Nov 27, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.1
An issue in the createTempFile method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information.
Published Nov 4, 2024 · Updated Jul 5, 2026
Medium · CVSS 5.3
An issue in kodbox v.1.52.04 and before allows a remote attacker to obtain sensitive information via the captcha feature in the password reset function.
Published Nov 15, 2024 · Updated Jul 5, 2026
High · CVSS 8.8
SeaCms 13.1 is vulnerable to code injection in the notification module of the member message notification module in the backend user module, due to unsafe handling of the "notify" variable in admin_notify.php.
Published Nov 8, 2024 · Updated Jul 5, 2026
Medium · CVSS 4.3
An issue in the Bluetooth Low Energy implementation of Realtek RTL8762E BLE SDK v1.4.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ll_terminate_ind packet.
Published Nov 7, 2024 · Updated Jul 5, 2026
Low · CVSS 2.4
Hathway Skyworth Router CM5100-511 v4.1.1.24 was discovered to store sensitive information about USB and Wifi connected devices in plaintext.
Published Nov 15, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.5
An Improper Authorization (Access Control Misconfiguration) vulnerability in MGT-COMMERCE GmbH CloudPanel v2.0.0 to v2.4.2 allows low-privilege users to bypass access controls and gain unauthorized access to sensitive configuration files and administrative functionality.
Published Nov 8, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.1
An incorrect access control issue in HomeServe Home Repair' android app - 3.3.4 allows a physically proximate attacker to escalate privileges via the fingerprint authentication function.
Published Nov 8, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.8
Insufficiently protected credentials in DAV server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to read Exchange account passwords via HTTP GET request.
Published Nov 4, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.8
Insufficiently protected credentials in AD/LDAP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to send AD/LDAP administrators account passwords to an arbitrary server via HTTP POST request.
Published Nov 4, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.8
Insufficiently protected credentials in SMTP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to read SMTP accounts passwords via HTTP GET request.
Published Nov 4, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.8
Insufficiently protected credentials in DAV server settings in 1C-Bitrix Bitrix24 23.300.100 allow remote administrators to read proxy-server accounts passwords via HTTP GET request.
Published Nov 4, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.8
Insufficiently protected credentials in SMTP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to send SMTP account passwords to an arbitrary server via HTTP POST request.
Published Nov 4, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
Yealink Meeting Server before V26.0.0.67 is vulnerable to sensitive data exposure in the server response via sending HTTP request with enterprise ID.
Published Nov 1, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.3
masterstack_imgcap v0.0.1 was discovered to contain a SQL injection vulnerability via the endpoint /submit.
Published Nov 25, 2024 · Updated Jul 4, 2026
Medium · CVSS 5.5
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
Published Nov 11, 2024 · Updated Jun 29, 2026
Medium · CVSS 5.3
A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.
Published Nov 21, 2024 · Updated Jun 29, 2026
Medium · CVSS 5.3
A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.
Published Nov 21, 2024 · Updated Jun 29, 2026
Medium · CVSS 4.9
A vulnerability was found in the OAuth-server. OAuth-server logs the OAuth2 client secret when the logLevel is Debug higher for OIDC/GitHub/GitLab/Google IDPs login options.
Published Nov 15, 2024 · Updated Jun 26, 2026
Medium · CVSS 5.3
In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode which may leak the Bcc email header field by inferring from the recipients info.
Published Nov 12, 2024 · Updated Jun 26, 2026
Medium · CVSS 5.3
In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original sender.
Published Nov 12, 2024 · Updated Jun 26, 2026
Medium · CVSS 6.5
In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to change their value and include himself as a one of the recipients to compromise message confidentiality.
Published Nov 12, 2024 · Updated Jun 26, 2026
Medium · CVSS 5.5
A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.
Published Nov 26, 2024 · Updated Jun 26, 2026
High · CVSS 7.8
A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.
Published Nov 26, 2024 · Updated Jun 26, 2026
High · CVSS 8.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Egebilgi Software Website Template allows SQL Injection.
This issue affects Website Template: before 29.04.2024.
Published Nov 18, 2024 · Updated Jun 3, 2026
Medium · CVSS 4.8
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Smarttek Informatics Smart Doctor's allows Stored XSS required admin privileges.
This issue affects Smart Doctor: through 21.11.2024.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published Nov 21, 2024 · Updated Jun 3, 2026
High · CVSS 7.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Teknogis Informatics Closed Circuit Vehicle Tracking Software allows SQL Injection, Blind SQL Injection.
This issue affects Closed Circuit Vehicle Tracking Software: through 21.11.2024.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published Nov 21, 2024 · Updated Jun 3, 2026
Medium · CVSS 5.5
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kion Computer KION Exchange Programs Software allows Reflected XSS.
This issue affects KION Exchange Programs Software: before 1.21.9092.29966.
Published Nov 21, 2024 · Updated Jun 3, 2026
Medium · CVSS 5.1
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ITG Computer Technology vSRM Supplier Relationship Management System allows Reflected XSS, Cross-Site Scripting (XSS).
This issue affects vSRM Supplier Relationship Management System: before 28.08.2024.
Published Nov 14, 2024 · Updated Jun 3, 2026
High · CVSS 8.2
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Firmanet Software ERP allows SQL Injection.
This issue affects ERP: through 22.11.2024.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published Nov 22, 2024 · Updated Jun 2, 2026
Medium · CVSS 6.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Special Minds Design and Software e-Commerce allows SQL Injection.
This issue affects e-Commerce: before 22.11.2024.
Published Nov 22, 2024 · Updated Jun 2, 2026
Critical · CVSS 9.3
Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users.
This issue affects Nomysem: before 13.10.2024.
Published Nov 12, 2024 · Updated Jun 2, 2026
High · CVSS 8.7
Execution with Unnecessary Privileges, : Improper Protection of Alternate Path vulnerability in TR7 Application Security Platform (ASP) allows Privilege Escalation, -Privilege Abuse.
This issue affects Application Security Platform (ASP): v1.4.25.188.
Published Nov 18, 2024 · Updated Jun 2, 2026
Medium · CVSS 6.9
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Bna Informatics PosPratik allows XSS Through HTTP Query Strings.
This issue affects PosPratik: before v3.2.1.
Published Nov 4, 2024 · Updated Jun 2, 2026
Medium · CVSS 4.6
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AirTies Air4443 Firmware allows Cross-Site Scripting (XSS).
This issue affects Air4443 Firmware: through 14102024.
NOTE: The vendor was contacted and it was learned that the product classified as End-of-Life and End-of-Support.
Published Nov 13, 2024 · Updated Jun 2, 2026
Critical · CVSS 9.2
Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in BG-TEK Informatics Security Technologies CoslatV3 allows Command Injection, Privilege Escalation.
This issue affects CoslatV3: through 3.1069.
NOTE: The vendor was contacted and it was learned that the product is not supported.
Published Nov 4, 2024 · Updated Jun 2, 2026
High · CVSS 8.6
Origin Validation Error vulnerability in Dataprom Informatics Personnel Attendance Control Systems (PACS) / Access Control Security Systems (ACSS) allows Traffic Injection.
This issue affects Personnel Attendance Control Systems (PACS) / Access Control Security Systems (ACSS): before 2024.
Published Nov 15, 2024 · Updated Jun 2, 2026
Medium · CVSS 4.8
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django-cms allows Cross-Site Scripting (XSS).
This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3.
Published Nov 18, 2024 · Updated Jun 2, 2026
Medium · CVSS 5.5
Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in django CMS Association django Filer allows Input Data Manipulation, Stored XSS.
This issue affects django Filer: from 3 before 3.3.
Published Nov 20, 2024 · Updated Jun 2, 2026
Medium · CVSS 6.9
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django CMS Attributes Fields allows Stored XSS.
This issue affects django CMS Attributes Fields: before 4.0.
Published Nov 20, 2024 · Updated Jun 2, 2026
High · CVSS 7.4
A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.
Published Nov 26, 2024 · Updated May 18, 2026