The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2025-46761 | Rejected reason: Not used | -- | Apr 29, 2025 | n/a |
| CVE-2025-46760 | Rejected reason: Not used | -- | Apr 29, 2025 | n/a |
| CVE-2025-46759 | Rejected reason: Not used | -- | Apr 29, 2025 | n/a |
| CVE-2025-46758 | Rejected reason: Not used | -- | Apr 29, 2025 | n/a |
| CVE-2025-46757 | Rejected reason: Not used | -- | Apr 29, 2025 | n/a |
| CVE-2025-46756 | Rejected reason: Not used | -- | Apr 29, 2025 | n/a |
| CVE-2025-46755 | Rejected reason: Not used | -- | Apr 29, 2025 | n/a |
| CVE-2025-46754 | Rejected reason: Not used | -- | Apr 29, 2025 | n/a |
| CVE-2025-46753 | Rejected reason: Not used | -- | Apr 29, 2025 | n/a |
| CVE-2025-46690 | Ververica Platform 2.14.0 allows low-privileged users to access SQL connectors via a direct namespaces/default/formats request. | -- | Apr 28, 2025 | n/a |
| CVE-2025-46689 | Ververica Platform 2.14.0 contain an Reflected XSS vulnerability via a namespaces/default/formats URI. | -- | Apr 28, 2025 | n/a |
| CVE-2025-46688 | quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected. | -- | Apr 28, 2025 | n/a |
| CVE-2025-46687 | quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected. | -- | Apr 27, 2025 | n/a |
| CVE-2025-46675 | In NASA CryptoLib before 1.3.2, the key state is not checked before use, potentially leading to spacecraft hijacking. | -- | Apr 28, 2025 | n/a |
| CVE-2025-46674 | NASA CryptoLib before 1.3.2 uses Extended Procedures that are a Work in Progress (not intended for use during flight), potentially leading to a keystream oracle. | -- | Apr 28, 2025 | n/a |
| CVE-2025-46673 | NASA CryptoLib before 1.3.2 does not check whether the SA is in an operational state before use, possibly leading to a bypass of the Space Data Link Security protocol (SDLS). | -- | Apr 27, 2025 | n/a |
| CVE-2025-46672 | NASA CryptoLib before 1.3.2 does not check the OTAR crypto function returned status, potentially leading to spacecraft hijacking. | -- | Apr 27, 2025 | n/a |
| CVE-2025-46661 | IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the attacker to provide template expressions, aka Server-Side Template-Injection. All instances have been patched by the Supplier. | -- | Apr 28, 2025 | n/a |
| CVE-2025-46657 | Karaz Karazal through 2025-04-14 allows reflected XSS via the lang parameter to the default URI. | -- | Apr 28, 2025 | n/a |
| CVE-2025-46656 | python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption. | -- | Apr 26, 2025 | n/a |
| CVE-2025-46655 | CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted JavaScript content, but the selected architecture within AWS does not have components that are able to insert Content-Security-Policy headers. | -- | Apr 26, 2025 | n/a |
| CVE-2025-46654 | CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file. | -- | Apr 26, 2025 | n/a |
| CVE-2025-46653 | Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not cryptographically secure. (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content. | -- | Apr 26, 2025 | n/a |
| CVE-2025-46652 | In IZArc through 4.5, there is a Mark-of-the-Web Bypass Vulnerability. When a user performs an extraction from an archive file that bears Mark-of-the-Web, Mark-of-the-Web is not propagated to the extracted files. | -- | Apr 26, 2025 | n/a |
| CVE-2025-46646 | In Artifex Ghostscript before 10.05.0, decode_utf8 in base/gp_utf8.c mishandles overlong UTF-8 encoding. NOTE: this issue exists because of an incomplete fix for CVE-2024-46954. | -- | Apr 26, 2025 | n/a |
| CVE-2025-46618 | In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab | -- | Apr 25, 2025 | n/a |
| CVE-2025-46617 | Quantum StorNext Web GUI API before 7.2.4 grants access to internal StorNext configuration and unauthorized modification of some software configuration parameters via undocumented user credentials. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage. | -- | Apr 25, 2025 | n/a |
| CVE-2025-46616 | Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage. | -- | Apr 25, 2025 | n/a |
| CVE-2025-46614 | In Snowflake ODBC Driver before 3.7.0, in certain code paths, the Driver logged the whole SQL query at the INFO level, aka Insertion of Sensitive Information into a Log File. | -- | Apr 28, 2025 | n/a |
| CVE-2025-46613 | OpenPLC 3 through 64f9c11 has server.cpp Memory Corruption because a thread may access handleConnections arguments after the parent stack frame becomes unavailable. | -- | Apr 25, 2025 | n/a |
| CVE-2025-46599 | CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials. | -- | Apr 25, 2025 | n/a |
| CVE-2025-46595 | An XSS issue was discovered in the Flag module before 1.x-3.6.2 for Backdrop CMS. Flag is a module that allows flags to be added to nodes, comments, users, and any other type of entity. It doesn\'t verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow crafted HTML to result in Cross Site Scripting. This is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format. | -- | Apr 25, 2025 | n/a |
| CVE-2025-46580 | There is a code-related vulnerability in the GoldenDB database product. Attackers can access system tables to disrupt the normal operation of business SQL. | -- | Apr 27, 2025 | n/a |
| CVE-2025-46579 | There is a DDE injection vulnerability in the GoldenDB database product. Attackers can inject DDE expressions through the interface, and when users download and open the affected file, the DDE commands can be executed. | -- | Apr 27, 2025 | n/a |
| CVE-2025-46578 | There are SQL injection vulnerabilities in multiple interfaces of the GoldenDB database product. Attackers can exploit these interfaces to inject commands and extract sensitive database information. | -- | Apr 27, 2025 | n/a |
| CVE-2025-46577 | There is a SQL injection vulnerability in the GoldenDB database product. Attackers can inject commands to extract database information. | -- | Apr 27, 2025 | n/a |
| CVE-2025-46576 | There is a Permission Management and Access Control vulnerability in the GoldenDB database product. Attackers can manipulate requests to bypass privilege restrictions and delete content. | -- | Apr 27, 2025 | n/a |
| CVE-2025-46575 | There is an information disclosure vulnerability in the GoldenDB database product. Attackers can exploit error messages to obtain the system\'s sensitive information. | -- | Apr 27, 2025 | n/a |
| CVE-2025-46574 | There is an information disclosure vulnerability in the GoldenDB database product. Attackers can exploit error messages to obtain the system\'s sensitive information. | -- | Apr 27, 2025 | n/a |
| CVE-2025-46547 | In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, adding a new user or role, or exploiting a SQL injection issue. | -- | Apr 25, 2025 | n/a |
| CVE-2025-46546 | In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/export/xlsx, /api/gui/process/listAll, /api/gui/processVersion/export/csv/, /api/gui/processVersion/export/xlsx/, /api/gui/processVersion/list/, /api/gui/robot/list/, /api/gui/task/export/csv/, /api/gui/task/export/xlsx/, and /api/gui/task/list/. | -- | Apr 25, 2025 | n/a |
| CVE-2025-46545 | In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires. | -- | Apr 25, 2025 | n/a |
| CVE-2025-46544 | In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles. | -- | Apr 25, 2025 | n/a |
| CVE-2025-46542 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in ThemeXpert Xpert Tab allows Stored XSS. This issue affects Xpert Tab: from n/a through 1.3. | -- | Apr 24, 2025 | n/a |
| CVE-2025-46541 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in elrata_ WP-reCAPTCHA-bp allows Stored XSS. This issue affects WP-reCAPTCHA-bp: from n/a through 4.1. | -- | Apr 24, 2025 | n/a |
| CVE-2025-46540 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Chris Mok GNA Search Shortcode allows Stored XSS. This issue affects GNA Search Shortcode: from n/a through 0.9.5. | -- | Apr 24, 2025 | n/a |
| CVE-2025-46538 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in webplanetsoft Inline Text Popup allows DOM-Based XSS. This issue affects Inline Text Popup: from n/a through 1.0.0. | -- | Apr 24, 2025 | n/a |
| CVE-2025-46536 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in RichardHarrison Carousel-of-post-images allows DOM-Based XSS. This issue affects Carousel-of-post-images: from n/a through 1.07. | -- | Apr 24, 2025 | n/a |
| CVE-2025-46535 | Missing Authorization vulnerability in AlphaEfficiencyTeam Custom Login and Registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom Login and Registration: from n/a through 1.0.0. | -- | Apr 25, 2025 | n/a |
| CVE-2025-46534 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in DanielRiera Image Style Hover allows DOM-Based XSS. This issue affects Image Style Hover: from n/a through 1.0.6. | -- | Apr 24, 2025 | n/a |
