High · CVSS 7.5
A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.
Published Dec 3, 2025 · Updated Jul 7, 2026
High · CVSS 7.7
Path Traversal: '.../...//' vulnerability in reputeinfosystems ARForms allows Path Traversal.
This issue affects ARForms: from n/a before 7.0.2.
Published Dec 6, 2024 · Updated Jul 7, 2026
High · CVSS 7.5
Pentaminds CuroVMS v2.0.1 was discovered to contain exposed sensitive information.
Published Dec 9, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.1
Pentaminds CuroVMS v2.0.1 was discovered to contain exposed credentials.
Published Dec 9, 2024 · Updated Jul 5, 2026
High · CVSS 8.3
FNT Command 13.4.0 is vulnerable to Directory Traversal.
Published Dec 15, 2025 · Updated Jul 5, 2026
High · CVSS 8.8
FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module.
Published Dec 15, 2025 · Updated Jul 5, 2026
Medium · CVSS 4.8
A cross-site scripting (XSS) vulnerability in Sunbird DCIM dcTrack v9.1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in some admin screens.
Published Dec 16, 2024 · Updated Jul 5, 2026
High · CVSS 7.5
Incorrect access control in Sunbird DCIM dcTrack v9.1.2 allows attackers to create or update a ticket with a location which bypasses an RBAC check.
Published Dec 16, 2024 · Updated Jul 5, 2026
High · CVSS 8
A Cross-Site Request Forgery (CSRF) in Sunbird DCIM dcTrack v9.1.2 allows authenticated attackers to escalate their privileges by forcing an Administrator user to perform sensitive requests in some admin screens.
Published Dec 16, 2024 · Updated Jul 5, 2026
Medium · CVSS 4.8
An HTML injection vulnerability in Sunbird DCIM dcTrack 9.1.2 allows attackers authenticated as administrators to inject arbitrary HTML code in an admin screen.
Published Dec 16, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.1
A Cross Site Scripting (XSS) vulnerability in the profile.php of PHPGurukul Beauty Parlour Management System v1.1 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "Firstname" and "Last name" parameters.
Published Dec 10, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
Phpgurukul's Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in `login.php` via the `emailcont` parameter.
Published Dec 10, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack.
Published Dec 10, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.5
A hardcoded decryption key in Thinkware Cloud APK v4.3.46 allows attackers to access sensitive data and execute arbitrary commands with elevated privileges.
Published Dec 4, 2024 · Updated Jul 5, 2026
Medium · CVSS 5.4
A SQL injection vulnerability was found in PHPGURUKUL Vehicle Parking Management System v1.13 in /users/view-detail.php. This vulnerability affects the viewid parameter, where improper input sanitization allows attackers to inject malicious SQL queries.
Published Dec 2, 2024 · Updated Jul 5, 2026
Medium · CVSS 4.4
A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.
Published Dec 12, 2024 · Updated Jun 26, 2026
High · CVSS 7.6
A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.
Published Dec 31, 2024 · Updated Jun 26, 2026
High · CVSS 7.1
A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.
Published Dec 24, 2024 · Updated Jun 18, 2026
High · CVSS 7.8 · CISA KEV
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 8.1
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 8.1
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 7.8
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 7.5
Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
Critical · CVSS 9.8
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
Medium · CVSS 6.8
Windows Mobile Broadband Driver Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 7
Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 7.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 7.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
Medium · CVSS 6.8
Windows Mobile Broadband Driver Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
Medium · CVSS 6.8
Windows File Explorer Information Disclosure Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
Medium · CVSS 6.6
Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 8.8
Windows IP Routing Management Snapin Remote Code Execution Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 7.8
Input Method Editor (IME) Remote Code Execution Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
Medium · CVSS 6.8
Windows Mobile Broadband Driver Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
Medium · CVSS 6.8
Windows Mobile Broadband Driver Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 7.8
Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 7.8
Windows Task Scheduler Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
Medium · CVSS 5.5
Microsoft Office Remote Code Execution Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
Medium · CVSS 6.5
Microsoft SharePoint Information Disclosure Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 7
Microsoft Office Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 8.1
Microsoft Defender for Endpoint on Android Spoofing Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
High · CVSS 7.3
Microsoft System Center Elevation of Privilege Vulnerability
Published Dec 10, 2024 · Updated Jun 9, 2026
Critical · CVSS 9.8
http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=""`, `ACCESS_EXTERNAL_SCHEMA=""`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `<!DOCTYPE>` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `<!DOCTYPE>` is now rejected at parse time.
Published Dec 12, 2024 · Updated Jun 9, 2026
Medium · CVSS 5.3
Integer Overflow or Wraparound, Improper Validation of Specified Quantity in Input vulnerability in RestApp Inc. Online Ordering System allows Integer Attacks.
This issue affects Online Ordering System: 8.2.1.
NOTE: Vulnerability fixed in version 8.2.2 and does not exist before 8.2.1.
Published Dec 4, 2024 · Updated Jun 3, 2026
Critical · CVSS 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eryaz Information Technologies NatraCar B2B Dealer Management Program allows SQL Injection.
This issue affects NatraCar B2B Dealer Management Program: through 09.12.2024.
NOTE: The vendor was contacted and it was learned that the product is not supported.
Published Dec 9, 2024 · Updated Jun 2, 2026
Medium · CVSS 4.3
Improper Restriction of Excessive Authentication Attempts vulnerability in Digital Operation Services WiFiBurada allows Use of Known Domain Credentials.
This issue affects WiFiBurada: before 1.0.5.
Published Dec 17, 2024 · Updated Jun 2, 2026
Medium · CVSS 6.5
Authentication Bypass by Assumed-Immutable Data vulnerability in Digital Operation Services WiFiBurada allows Manipulating User-Controlled Variables.
This issue affects WiFiBurada: before 1.0.5.
Published Dec 17, 2024 · Updated Jun 2, 2026
Critical · CVSS 9.9
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arne Informatics Piramit Automation allows Blind SQL Injection.
This issue affects Piramit Automation: before 27.09.2024.
Published Dec 25, 2024 · Updated Jun 2, 2026
Critical · CVSS 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mobil365 Informatics Saha365 App allows SQL Injection.
This issue affects Saha365 App: before 30.09.2024.
Published Dec 17, 2024 · Updated Jun 2, 2026
Medium · CVSS 6.5
Authorization Bypass Through User-Controlled Key vulnerability in NextGeography NG Analyser allows Functionality Misuse.
This issue affects NG Analyser: before 2.2.711.
Published Dec 17, 2024 · Updated Jun 2, 2026