Search
Search Results (337523 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-5133 | 1 Lunary | 1 Lunary | 2025-10-15 | 8.1 High |
| In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the `GET /v1/users/me/org` endpoint, which lists all users in a team. This allows any authenticated user to capture the recovery token of another user and subsequently change that user's password without consent, effectively taking over the account. The issue lies in the inclusion of the `recovery_token` attribute in the users object returned by the API. | ||||
| CVE-2025-62448 | 2025-10-15 | N/A | ||
| Not used | ||||
| CVE-2025-62447 | 2025-10-15 | N/A | ||
| Not used | ||||
| CVE-2025-62446 | 2025-10-15 | N/A | ||
| Not used | ||||
| CVE-2025-62445 | 2025-10-15 | N/A | ||
| Not used | ||||
| CVE-2025-62444 | 2025-10-15 | N/A | ||
| Not used | ||||
| CVE-2025-62443 | 2025-10-15 | N/A | ||
| Not used | ||||
| CVE-2025-62442 | 2025-10-15 | N/A | ||
| Not used | ||||
| CVE-2025-62441 | 2025-10-15 | N/A | ||
| Not used | ||||
| CVE-2025-62440 | 2025-10-15 | N/A | ||
| Not used | ||||
| CVE-2025-9698 | 2025-10-14 | 6.8 Medium | ||
| The Plus Addons for Elementor WordPress plugin before 6.3.16 does not sanitize SVG file contents, which could allow users with minimum role access as Author to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2025-40615 | 1 Bookgy | 1 Bookgy | 2025-10-14 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "TEXTO" parameter in /api/api_ajustes.php. | ||||
| CVE-2025-40616 | 1 Bookgy | 1 Bookgy | 2025-10-14 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the "IDRESERVA" parameter in /bkg_imprimir_comprobante.php. | ||||
| CVE-2025-40617 | 1 Bookgy | 1 Bookgy | 2025-10-14 | 9.8 Critical |
| SQL injection vulnerability in Bookgy. This vulnerability could allow an attacker to retrieve, create, update and delete databases by sending an HTTP request through the "IDTIPO", "IDPISTA" and "IDSOCIO" parameters in /bkg_seleccionar_hora_ajax.php. | ||||
| CVE-2025-40618 | 1 Bookgy | 1 Bookgy | 2025-10-14 | 9.8 Critical |
| SQL injection vulnerability in Bookgy. This vulnerability could allow an attacker to retrieve, create, update and delete databases by sending an HTTP request through the "IDRESERVA" parameter in /bkg_imprimir_comprobante.php | ||||
| CVE-2025-40619 | 1 Bookgy | 1 Bookgy | 2025-10-14 | 7.5 High |
| Bookgy does not provide for proper authorisation control in multiple areas of the application. This deficiency could allow a malicious actor, without authentication, to reach private areas and/or areas intended for other roles. | ||||
| CVE-2025-45611 | 1 Java-aodeng | 1 Hope-boot | 2025-10-14 | 9.8 Critical |
| Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request. | ||||
| CVE-2025-45613 | 1 Zhaojun1998 | 1 Shiro-action | 2025-10-14 | 7.5 High |
| Incorrect access control in the component /user/list of Shiro-Action v0.6 allows attackers to access sensitive information via a crafted payload. | ||||
| CVE-2025-45614 | 1 Lcw2004 | 1 One | 2025-10-14 | 7.5 High |
| Incorrect access control in the component /api/user/manager of One v1.0 allows attackers to access sensitive information via a crafted payload. | ||||
| CVE-2025-45471 | 1 Lumigo | 1 Measure-cold-start | 2025-10-14 | 8.8 High |
| Insecure permissions in measure-cold-start v1.4.1 allows attackers to escalate privileges and compromise the customer cloud account. | ||||