Latest CVE Feed
-
7.3
HIGHCVE-2025-0003
Inadequate lock protection within Xilinx Run time may allow a local attacker to trigger a Use-After-Free condition potentially resulting in loss of confidentiality or availability... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Memory Corruption
-
8.7
HIGHCVE-2024-14007
Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) versions prior to 1.3.4 contain an authentication bypass in the NVMS-9000 control protocol. By sending a single crafted TCP payload to an expose... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Authentication
-
9.3
CRITICALCVE-2023-7330
Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content witho... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Misconfiguration
-
9.3
CRITICALCVE-2018-25126
Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML reques... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Injection
-
6.1
MEDIUMCVE-2025-64048
YCCMS 3.4 contains a stored cross-site scripting (XSS) vulnerability in the article management functionality. The vulnerability exists in the add() and getPost() functions within the ArticleAction.class.php file due to improper neutralization of user inpu... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-64047
OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /user/user-move.php.... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Cross-Site Scripting
-
6.5
MEDIUMCVE-2025-63914
An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the \libs\ktem\ktem\index\file\ui.py file does not check the contents of uploaded ZIP files. Although the contents are extracted into a temporary folder that is cleared ... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Denial of Service
-
8.8
HIGHCVE-2025-56400
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an at... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Cross-Site Request Forgery
-
7.3
HIGHCVE-2025-52539
A buffer overflow with Xilinx Run Time Environment may allow a local attacker to read or corrupt data from the advanced extensible interface (AXI), potentially resulting in loss of confidentiality, integrity, and/or availability.... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Memory Corruption
-
7.3
HIGHCVE-2025-0005
Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in crash or denial of service.... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Denial of Service
-
5.3
MEDIUMCVE-2025-36112
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized user.... Read more
- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Information Disclosure
-
5.5
MEDIUMCVE-2025-13466
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, cau... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Denial of Service
-
8.2
HIGHCVE-2025-13609
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the ... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Authentication
-
9.8
CRITICALCVE-2025-63958
MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Information Disclosure
-
6.5
MEDIUMCVE-2025-63953
A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Cross-Site Request Forgery
-
5.7
MEDIUMCVE-2025-63952
A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-63435
Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated r... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Authentication
-
8.8
HIGHCVE-2025-63434
The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on thei... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Supply Chain
-
4.6
MEDIUMCVE-2025-63433
Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffi... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Cryptography
-
4.6
MEDIUMCVE-2025-63432
Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerability by p... Read more
Affected Products :- Published: Nov. 24, 2025
- Modified: Nov. 24, 2025
- Vuln Type: Misconfiguration