NVD Vulnerability Information Top

You can search the list of vulnerabilities managed by the NVD (National Vulnerability Database).
Because NVD often updates vulnerability information before JVN (Japan Vulnerability Notes) does, this list may include vulnerabilities that are not listed in JVN.

If a vulnerability has a related JVN (Japan Vulnerability Notes) entry, that information is displayed on the detail page.

To search by CWE, please refer to the CWE Overview and check the CWE number.

Update Date: April 26, 2025, 4:08 a.m.

No CVSS Level Attack Vector Vendor Name Project Name Title CWE CVE Update Date Publication Date Show Affected Exploit PoC Search
1 - -
- - Codeastro Bus Ticket Booking System v1.0 is vulnerable to SQL injection via the kodetiket parameter in /BusTicket-CI/tiket/cekorder. New - CVE-2025-25775 2025-04-26 02:15 2025-04-26 Show GitHub Exploit DB Packet Storm
2 - -
- - A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk. New - CVE-2025-3638 2025-04-26 02:15 2025-04-26 Show GitHub Exploit DB Packet Storm
3 - -
- - Multiple SQL injection vulnerabilities in EasyVirt DCScope <= 8.6.4 and CO2Scope <= 1.3.4 allow remote authenticated attackers to execute arbitrary SQL commands via the (1) timeago, (2) user, (3) fi… New - CVE-2025-28076 2025-04-26 02:15 2025-04-26 Show GitHub Exploit DB Packet Storm
4 - -
- - An issue in the Printer Manager System of Entrust Corp Printer Manager D3.18.4-3 and below allows attackers to execute a directory traversal via a crafted POST request. New - CVE-2025-28354 2025-04-26 02:15 2025-04-25 Show GitHub Exploit DB Packet Storm
5 - -
- - ITC Systems Multiplan/Matrix OneCard platform v3.7.4.1002 was discovered to contain a SQL injection vulnerability via the component Forgotpassword.aspx. New - CVE-2025-29529 2025-04-26 02:15 2025-04-25 Show GitHub Exploit DB Packet Storm
6 - -
- - Insecure Direct Object Reference (IDOR) in Codeastro Bus Ticket Booking System v1.0 allows unauthorized access to user profiles. By manipulating the user ID in the URL, an attacker can access another… New - CVE-2025-25777 2025-04-26 02:15 2025-04-25 Show GitHub Exploit DB Packet Storm
7 6.5 MEDIUM
Network
dragonflydb dragonfly DragonflyDB Dragonfly before 1.27.0 allows authenticated users to cause a denial of service (daemon crash) via a crafted Redis command. The validity of the scan cursor was not checked. Update NVD-CWE-noinfo
CVE-2025-26268 2025-04-26 01:33 2025-04-18 Show GitHub Exploit DB Packet Storm
8 - -
think tk-rt-wr135g_firmware An issue in Think Router Tk-Rt-Wr135G V3.0.2-X000 allows attackers to bypass authentication via a crafted cookie. Update - CVE-2024-55211 2025-04-26 01:31 2025-04-18 Show GitHub Exploit DB Packet Storm
9 6.5 MEDIUM
Network
jetbrains rubymine In JetBrains RubyMine before 2025.1 remote Interpreter overwrote ports to listen on all interfaces Update CWE-1188
 Insecure Default Initialization of Resource
CVE-2025-43015 2025-04-26 01:30 2025-04-18 Show GitHub Exploit DB Packet Storm
10 - -
lm21 twonav An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the link identification function. Update - CVE-2025-29449 2025-04-26 01:28 2025-04-18 Show GitHub Exploit DB Packet Storm
11 - -
mybb mybb An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators a… Update - CVE-2025-29460 2025-04-26 01:27 2025-04-18 Show GitHub Exploit DB Packet Storm
12 - -
- - Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors… New - CVE-2025-3928 2025-04-26 01:15 2025-04-26 Show GitHub Exploit DB Packet Storm
13 5.0 MEDIUM
Local
- - An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user. New - CVE-2025-2070 2025-04-26 01:15 2025-04-26 Show GitHub Exploit DB Packet Storm
14 5.0 MEDIUM
Local
- - A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user. New - CVE-2025-2069 2025-04-26 01:15 2025-04-26 Show GitHub Exploit DB Packet Storm
15 5.0 MEDIUM
Local
- - An open redirect vulnerability was reported in the FileZ client that could allow information disclosure if a crafted url is visited by a local user. New - CVE-2025-2068 2025-04-26 01:15 2025-04-26 Show GitHub Exploit DB Packet Storm
16 - -
- - Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious f… New CWE-79
Cross-site Scripting
CVE-2024-56156 2025-04-26 01:15 2025-04-26 Show GitHub Exploit DB Packet Storm
17 - -
- - Rejected reason: Not used New - CVE-2021-32601 2025-04-26 01:15 2025-04-26 Show GitHub Exploit DB Packet Storm
18 - -
- - In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab New CWE-79
Cross-site Scripting
CVE-2025-46618 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
19 - -
- - In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible New CWE-23
 Relative Path Traversal
CVE-2025-46433 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
20 - -
- - In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs New CWE-532
 Inclusion of Sensitive Information in Log Files
CVE-2025-46432 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
21 - -
- - Dify is an open-source LLM app development platform. Prior to version 0.6.12, a normal user is able to access and modify APP orchestration, even though the web UI of APP orchestration is not presente… New CWE-284
CWE-862
Improper Access Control
 Missing Authorization
CVE-2025-43862 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
22 - -
- - In JetBrains Rider before 2025.1.2 custom archive unpacker allowed arbitrary file overwrite during remote debug session New CWE-23
 Relative Path Traversal
CVE-2025-43016 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
23 - -
- - A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve. New - CVE-2025-3647 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
24 - -
- - A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses. New - CVE-2025-3645 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
25 - -
- - A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify. New - CVE-2025-3644 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
26 - -
- - A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk. New - CVE-2025-3643 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
27 - -
- - A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA re… New - CVE-2025-3642 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
28 - -
- - A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox re… New - CVE-2025-3641 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
29 - -
- - A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they di… New - CVE-2025-3640 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
30 - -
- - A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occu… New - CVE-2025-3637 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
31 - -
- - A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks. New - CVE-2025-3636 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
32 - -
- - A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attack… New - CVE-2025-3635 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
33 - -
- - A flaw was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identities. New - CVE-2025-3628 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
34 - -
- - A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentica… New - CVE-2025-3627 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
35 - -
- - A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had … New - CVE-2025-3625 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
36 - -
- - Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to b… New CWE-94
Code Injection
CVE-2025-32432 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
37 - -
- - A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades. New - CVE-2025-32045 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
38 - -
- - A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces retu… New - CVE-2025-32044 2025-04-26 00:15 2025-04-26 Show GitHub Exploit DB Packet Storm
39 - -
- - A security vulnerability has been identified in HPE Cray Data Virtualization Service (DVS). Depending on race conditions and configuration, this vulnerability may lead to local/cluster unauthorized a… New - CVE-2025-37088 2025-04-26 00:15 2025-04-23 Show GitHub Exploit DB Packet Storm
40 - -
- - TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal). New - CVE-2025-43946 2025-04-26 00:15 2025-04-23 Show GitHub Exploit DB Packet Storm
41 - -
- - A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses … New - CVE-2025-3634 2025-04-25 23:15 2025-04-25 Show GitHub Exploit DB Packet Storm
42 - -
- - Andamiro Pump It Up 20th Anniversary (aka Double X or XX/2019) 1.00.0-2.08.3 allows a physically proximate attacker to cause a denial of service (application crash) via certain deselect actions. New - CVE-2024-57375 2025-04-25 23:15 2025-04-25 Show GitHub Exploit DB Packet Storm
43 - -
- - An unauthenticated attacker on the WAN interface, with the ability to intercept Dynamic DNS (DDNS) traffic between DDNS services and the modem, could manipulate specific responses to include code tha… New - CVE-2024-6199 2025-04-25 22:15 2025-04-25 Show GitHub Exploit DB Packet Storm
44 - -
- - The device exposes a web interface on ports TCP/3030 and TCP/9882. This web service runs lighttpd, which implements the “SNORE” interface. This interface is affected by a stack buffer overflow vulner… New - CVE-2024-6198 2025-04-25 22:15 2025-04-25 Show GitHub Exploit DB Packet Storm
45 5.3 MEDIUM
Network
- - The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in a… New CWE-862
 Missing Authorization
CVE-2025-3912 2025-04-25 21:15 2025-04-25 Show GitHub Exploit DB Packet Storm
46 5.5 MEDIUM
Network
- - IBM Maximo Asset Management 7.6.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intend… New CWE-79
Cross-site Scripting
CVE-2025-2986 2025-04-25 21:15 2025-04-25 Show GitHub Exploit DB Packet Storm
47 9.8 CRITICAL
Network
- - The Service Finder Bookings plugin for WordPress, used by the Service Finder - Directory and Job Board WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 5.1… New CWE-266
 Incorrect Privilege Assignment
CVE-2025-2470 2025-04-25 21:15 2025-04-25 Show GitHub Exploit DB Packet Storm
48 8.1 HIGH
Network
- - The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.8. This is due to improper configurations in the 'jobsearch_xing_respo… New CWE-287
Improper Authentication
CVE-2024-11917 2025-04-25 21:15 2025-04-25 Show GitHub Exploit DB Packet Storm
49 - -
- - In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Fix off-by-one error in build_prologue() Vincent reported that running BPF progs with tailcalls on LoongArch caus… Update - CVE-2025-37893 2025-04-25 20:15 2025-04-18 Show GitHub Exploit DB Packet Storm
50 - -
- - In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition In the ssi_protocol_probe() func… Update - CVE-2025-37838 2025-04-25 20:15 2025-04-19 Show GitHub Exploit DB Packet Storm