CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.16)

CVE-2025-25005
MediumEPSS 66%

Improper input validation in Microsoft Exchange Server allows an authorized attacker to perform tampering over a network.

CVE-2025-8852
Medium

In WuKongOpenSource WukongCRM 11.0, a vulnerability in the /adminFile/upload file of the API Response Handler component leads to information exposure through error messages. The attack can be performed remotely, and exploit details are publicly available.

CVE-2025-7195
Medium

The vulnerability in Operator-SDK before version 0.15.2 involves an insecure user_setup script that sets permissions of the /etc/passwd file to 664 (group-writable) with group ownership root (gid=0) during image build. An attacker who can execute commands within the container, even as a non-root user, can leverage membership in the root group to modify /etc/passwd and add a new user with any arbitrary UID, including 0, leading to full root privileges within the container.

CVE-2024-55401
Medium

An issue in 4C Strategies Exonaut before version 22.4 allows attackers to perform a directory traversal attack. This vulnerability enables reading files outside the intended directory.

CVE-2024-52680
Medium

EyouCMS 1.6.7 is vulnerable to Cross Site Scripting (XSS) in /login.php?m=admin&c=System&a=web&lang=cn. An attacker can inject malicious JavaScript code that executes in the victim's browser.

CVE-2025-51058
Medium

An SSRF vulnerability in Vedo Suite 2024.17 allows authenticated attackers to send HTTP requests to arbitrary external paths via the "file" parameter in the /api_vedo/video/preview endpoint.

CVE-2025-51057
Medium

A local file inclusion (LFI) vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'readfile()' function call in '/api_vedo/video/preview'.

CVE-2025-51054
Medium

A vulnerability in Vedo Suite 2024.17 allows unauthenticated remote attackers to obtain a valid high-privilege JWT token by sending an empty HTTP POST request to the /autologin/ endpoint, due to incorrect access control.

CVE-2025-51053
Medium

A Cross-site scripting (XSS) vulnerability in /api_vedo/ in Vedo Suite version 2024.17 allows remote attackers to inject arbitrary JavaScript or HTML code, potentially leading to code execution in the victim's browser.

CVE-2025-51052
Medium

A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'file_get_contents()' function call in '/api_vedo/template'.

CVE-2024-55402
Medium

An access control issue was discovered in 4C Strategies Exonaut prior to version 22.4, which may allow unauthorized users to access resources without proper permissions.

CVE-2024-55399
Medium

A Server-Side Request Forgery (SSRF) vulnerability was discovered in 4C Strategies Exonaut prior to version 21.6.2.1-1. This allows an attacker to send requests from the server to internal network resources.

CVE-2024-55398
Medium

Insecure permissions were discovered in 4C Strategies Exonaut prior to version 22.4, potentially allowing unauthorized access to resources.

CVE-2025-52237
Medium

In SSCMS version 7.3.1, the component /stl/actions/download?filePath is vulnerable to directory traversal. This allows an attacker to read arbitrary files outside the intended directory.

CVE-2025-52078
Medium

A file upload vulnerability exists in Writebot AI Content Generator SaaS React Template through version 4.0.0, allowing remote attackers to escalate privileges via a crafted POST request to the /file-upload endpoint.

CVE-2025-50592
Medium

A Cross-Site Scripting (XSS) vulnerability was found in SeaCMS before version 13.2 via the 'vid' parameter in Upload/js/player/dmplayer/player. It allows a remote attacker to inject malicious JavaScript code into the page.

CVE-2025-51857
Medium

An XSS vulnerability in the reconcile method of the AttachmentReconciler class in Halo system v.2.20.18LTS and earlier allows an attacker to inject malicious scripts.

CVE-2025-51627
Medium

Incorrect access control in CaricaVerbale in Agenzia Impresa Eccobook v2.81.1 allows authenticated attackers with low-level access to escalate privileges to Administrator.

CVE-2025-51060
Medium

A vulnerability in CPUID cpuz.sys version 1.0.5.4 allows an attacker to use DeviceIoControl with unvalidated parameters to perform RDMSR and WRMSR operations. This enables modification of the MSR_LSTAR register and hooking of the KiSystemCall64 syscall, followed by ROP-based exploitation to disable the SMAP flag in CR4 and execute code in kernel context.

CVE-2025-46206
Medium

An infinite recursion vulnerability was found in Artifex MuPDF versions 1.25.5 and 1.25.6 within the `mutool clean` utility. A remote attacker can cause a denial of service (DoS) by supplying a crafted PDF file with cyclic /Next references in the outline structure.

PreviousPage 316 of 605Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS