Search
CVE Explorer
Search the full tracked CVE corpus across every vendor — by keyword, vendor, severity, CVSS band and publication date. Server-rendered; each filtered view has its own URL.
01
Filters
Submit to refine — state is held in the URL.
02
Results
10,065 matching · page 161/202Each CVE id links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2025-33190(opens NVD record) | Medium | 6.7 | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, or escalation of privileges. | Nov 25, 2025 |
| CVE-2025-33189(opens NVD record) | High | 7.8 | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, information disclosure, or escalation of privileges. | Nov 25, 2025 |
| CVE-2025-33188(opens NVD record) | High | 8.0 | NVIDIA DGX Spark GB10 contains a vulnerability in hardware resources where an attacker could tamper with hardware controls. A successful exploit of this vulnerability might lead to information disclosure, data tampering, or denial of service. | Nov 25, 2025 |
| CVE-2025-33187(opens NVD record) | Critical | 9.3 | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT, where an attacker could use privileged access to gain access to SoC protected areas. A successful exploit of this vulnerability might lead to code execution, information disclosure, data tampering, denial of service, or escalation of privileges. | Nov 25, 2025 |
| CVE-2025-36134(opens NVD record) | Low | 3.7 | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. | Nov 25, 2025 |
| CVE-2025-63674(opens NVD record) | Medium | 6.8 | An issue in Blurams Lumi Security Camera (A31C) v23.1227.472.2926 allows local physical attackers to execute arbitrary code via overriding the bootloader on the SD card. | Nov 24, 2025 |
| CVE-2024-47856(opens NVD record) | Critical | 9.8 | In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable. | Nov 24, 2025 |
| CVE-2025-36150(opens NVD record) | Medium | 5.9 | IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | Nov 24, 2025 |
| CVE-2025-64048(opens NVD record) | Medium | 6.1 | YCCMS 3.4 contains a stored cross-site scripting (XSS) vulnerability in the article management functionality. The vulnerability exists in the add() and getPost() functions within the ArticleAction.class.php file due to improper neutralization of user input in the article title field. | Nov 24, 2025 |
| CVE-2025-64047(opens NVD record) | Medium | 6.1 | OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /user/user-move.php. | Nov 24, 2025 |
| CVE-2025-56400(opens NVD record) | High | 8.8 | Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms. | Nov 24, 2025 |
| CVE-2025-36112(opens NVD record) | Medium | 5.3 | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized user. | Nov 24, 2025 |
| CVE-2025-56401(opens NVD record) | High | 7.6 | ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName. | Nov 24, 2025 |
| CVE-2025-36149(opens NVD record) | Medium | 6.3 | IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim. | Nov 21, 2025 |
| CVE-2025-64695(opens NVD record) | High | 7.8 | Uncontrolled search path element issue exists in the installer of LogStare Collector (for Windows). If exploited, arbitrary code may be executed with the privilege of the user invoking the installer. | Nov 21, 2025 |
| CVE-2025-64299(opens NVD record) | Low | 2.7 | LogStare Collector improperly handles the password hash data. An administrative user may obtain the other users' password hashes. | Nov 21, 2025 |
| CVE-2025-62687(opens NVD record) | Medium | 6.5 | Cross-site request forgery vulnerability exists in LogStare Collector. If a user views a crafted page while logged, unintended operations may be performed. | Nov 21, 2025 |
| CVE-2025-62189(opens NVD record) | Medium | 4.3 | LogStare Collector contains an incorrect authorization vulnerability in UserRegistration. If exploited, a non-administrative user may create a new user account by sending a crafted HTTP request. | Nov 21, 2025 |
| CVE-2025-61949(opens NVD record) | Medium | 5.4 | LogStare Collector contains a stored cross-site scripting vulnerability in UserManagement. If crafted user information is stored, an arbitrary script may be executed on the web browser of the user who logs in to the product's management page. | Nov 21, 2025 |
| CVE-2025-58097(opens NVD record) | High | 7.8 | The installation directory of LogStare Collector is configured with incorrect access permissions. A non-administrative user may manipulate files within the installation directory and execute arbitrary code with the administrative privilege. | Nov 21, 2025 |
| CVE-2025-64660(opens NVD record) | High | 8.0 | Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network. | Nov 20, 2025 |
| CVE-2025-64655(opens NVD record) | High | 8.8 | Improper authorization in Dynamics OmniChannel SDK Storage Containers allows an unauthorized attacker to elevate privileges over a network. | Nov 20, 2025 |
| CVE-2025-62459(opens NVD record) | High | 8.3 | Microsoft Defender Portal Spoofing Vulnerability | Nov 20, 2025 |
| CVE-2025-62207(opens NVD record) | High | 8.6 | Azure Monitor Elevation of Privilege Vulnerability | Nov 20, 2025 |
| CVE-2025-59245(opens NVD record) | Critical | 9.8 | Microsoft SharePoint Online Elevation of Privilege Vulnerability | Nov 20, 2025 |
| CVE-2025-49752(opens NVD record) | Critical | 10.0 | Azure Bastion Elevation of Privilege Vulnerability | Nov 20, 2025 |
| CVE-2025-36072(opens NVD record) | High | 8.8 | IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 IBM webMethods Integration allow an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graphs data. | Nov 20, 2025 |
| CVE-2025-36160(opens NVD record) | Medium | 5.3 | IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system. | Nov 20, 2025 |
| CVE-2025-36159(opens NVD record) | Medium | 6.2 | IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output. | Nov 20, 2025 |
| CVE-2025-36158(opens NVD record) | Medium | 5.1 | IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying. | Nov 20, 2025 |
| CVE-2025-36153(opens NVD record) | Medium | 6.1 | IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | Nov 20, 2025 |
| CVE-2025-25613(opens NVD record) | High | 7.5 | FS Inc S3150-8T2F 8-Port Gigabit Ethernet L2+ Switch, 8 x Gigabit RJ45, with 2 x 1Gb SFP, Fanless. All versions before 2.2.0D Build 135103 were discovered to transmit cookies for their web based administrative application containing usernames and passwords. These were transmitted in cleartext using simple base64 encoding during every POST request made to the server. | Nov 20, 2025 |
| CVE-2025-36161(opens NVD record) | Medium | 5.9 | IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. | Nov 20, 2025 |
| CVE-2025-40605(opens NVD record) | Medium | 5.3 | A Path Traversal vulnerability has been identified in the Email Security appliance allows an attacker to manipulate file system paths by injecting crafted directory-traversal sequences (such as ../) and may access files and directories outside the intended restricted path. | Nov 20, 2025 |
| CVE-2025-40604(opens NVD record) | Critical | 9.8 | Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution. | Nov 20, 2025 |
| CVE-2025-40601(opens NVD record) | High | 7.5 | A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash. | Nov 20, 2025 |
| CVE-2025-11001(opens NVD record) | High | 7.8 | 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753. | Nov 19, 2025 |
| CVE-2025-13147(opens NVD record) | Medium | 5.3 | Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4. | Nov 19, 2025 |
| CVE-2025-36371(opens NVD record) | Medium | 6.5 | IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 are impacted by obtaining an information vulnerability in the database plan cache implementation. A user with access to the database plan cache could see information they do not have authority to view. | Nov 19, 2025 |
| CVE-2025-13316(opens NVD record) | High | 8.1 | Twonky Server 8.5.2 on Linux and Windows is vulnerable to a cryptographic flaw, use of hard-coded cryptographic keys. An attacker with knowledge of the encrypted administrator password can decrypt the value with static keys to view the plain text password and gain administrator-level access to Twonky Server. | Nov 19, 2025 |
| CVE-2025-13315(opens NVD record) | Critical | 9.8 | Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password. | Nov 19, 2025 |
| CVE-2025-58412(opens NVD record) | Medium | 4.7 | A improper neutralization of script-related html tags in a web page (basic xss) vulnerability in Fortinet FortiADC 8.0.0, FortiADC 7.6.0 through 7.6.3, FortiADC 7.4 all versions, FortiADC 7.2 all versions may allow attacker to execute unauthorized code or commands via crafted URL. | Nov 19, 2025 |
| CVE-2025-11230(opens NVD record) | High | 7.5 | Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests. | Nov 19, 2025 |
| CVE-2025-37162(opens NVD record) | Medium | 6.5 | A vulnerability in the command line interface of affected devices could allow an authenticated remote attacker to conduct a command injection attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. | Nov 18, 2025 |
| CVE-2025-37161(opens NVD record) | High | 7.5 | A vulnerability in the web-based management interface of affected products could allow an unauthenticated remote attacker to cause a denial of service. Successful exploitation could allow an attacker to crash the system, preventing it from rebooting without manual intervention and disrupting network operations. | Nov 18, 2025 |
| CVE-2025-37163(opens NVD record) | High | 7.2 | A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. An authenticated attacker could exploit this vulnerability to execute arbitrary operating system commands with elevated privileges on the underlying operating system. | Nov 18, 2025 |
| CVE-2025-63258(opens NVD record) | Medium | 6.5 | A remote command execution (RCE) vulnerability was discovered in all H3C ERG3/ERG5 series routers and XiaoBei series routers, cloud gateways, and wireless access points (versions R0162P07, UAP700-WPT330-E2265, UAP672-WPT330-R2262, UAP662E-WPT330-R2262P03, WAP611-WPT330-R1348-OASIS, WAP662-WPT330-R2262, WAP662H-WPT330-R2262, USG300V2-WPT330-R2129, MSG300-WPT330-R1350, and MSG326-WPT330-R2129). Attackers are able to exploit this vulnerability via injecting crafted commands into the sessionid parameter. | Nov 18, 2025 |
| CVE-2025-61713(opens NVD record) | Medium | 4.2 | A Cleartext Storage of Sensitive Information in Memory vulnerability [CWE-316] in Fortinet FortiPAM 1.6.0, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions may allow an authenticated attacker with read-write admin privileges to the CLI to obtain other administrators' credentials via diagnose commands. | Nov 18, 2025 |
| CVE-2025-59669(opens NVD record) | Medium | 5.3 | A use of hard-coded credentials vulnerability in Fortinet FortiWeb 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker with shell access to the device to connect to redis service and access its data | Nov 18, 2025 |
| CVE-2025-58692(opens NVD record) | High | 8.8 | An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests. | Nov 18, 2025 |