| CVE-2024-37396 | A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability. | medium |
| CVE-2024-37395 | A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue. | medium |
| CVE-2024-37394 | A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability. | medium |
| CVE-2025-5970 | A vulnerability was found in PHPGurukul Restaurant Table Booking System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/add-subadmin.php. The manipulation of the argument fullname leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | low |
| CVE-2025-5969 | A vulnerability has been found in D-Link DIR-632 FW103B08 and classified as critical. Affected by this vulnerability is the function FUN_00425fd8 of the file /biurl_grou of the component HTTP POST Request Handler. The manipulation leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | high |
| CVE-2025-47977 | Improper neutralization of input during web page generation ('cross-site scripting') in Nuance Digital Engagement Platform allows an unauthorized attacker to perform spoofing over a network. | high |
| CVE-2025-47969 | Exposure of sensitive information to an unauthorized actor in Windows Hello allows an authorized attacker to disclose information locally. | medium |
| CVE-2025-47968 | Improper input validation in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally. | high |
| CVE-2025-47962 | Improper access control in Windows SDK allows an authorized attacker to elevate privileges locally. | high |
| CVE-2025-47957 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47956 | External control of file name or path in Windows Security App allows an authorized attacker to perform spoofing locally. | medium |
| CVE-2025-47955 | Improper privilege management in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. | high |
| CVE-2025-47953 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47176 | '.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally. | high |
| CVE-2025-47175 | Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47174 | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47173 | Improper input validation in Microsoft Office allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47172 | Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | high |
| CVE-2025-47171 | Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally. | medium |
| CVE-2025-47170 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47169 | Heap-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47168 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47167 | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47166 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | high |
| CVE-2025-47165 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47164 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47163 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | high |
| CVE-2025-47162 | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | high |
| CVE-2025-47160 | Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network. | medium |
| CVE-2025-47108 | Substance3D - Painter versions 11.0.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | high |
| CVE-2025-47106 | InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | medium |
| CVE-2025-47105 | InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | medium |
| CVE-2025-47104 | InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | medium |
| CVE-2025-43593 | InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | high |
| CVE-2025-43590 | InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | high |
| CVE-2025-43589 | InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | high |
| CVE-2025-43558 | InDesign Desktop versions ID20.2, ID19.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | high |
| CVE-2025-33112 | IBM AIX 7.3 and IBM VIOS 4.1.1 Perl implementation could allow a non-privileged local user to exploit a vulnerability to execute arbitrary code due to improper neutralization of pathname input. | high |
| CVE-2025-33075 | Improper link resolution before file access ('link following') in Windows Installer allows an authorized attacker to elevate privileges locally. | high |
| CVE-2025-33073 | Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network. | high |
| CVE-2025-33071 | Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network. | high |
| CVE-2025-33070 | Use of uninitialized resource in Windows Netlogon allows an unauthorized attacker to elevate privileges over a network. | high |
| CVE-2025-33069 | Improper verification of cryptographic signature in App Control for Business (WDAC) allows an unauthorized attacker to bypass a security feature locally. | medium |
| CVE-2025-33068 | Uncontrolled resource consumption in Windows Standards-Based Storage Management Service allows an unauthorized attacker to deny service over a network. | high |
| CVE-2025-33067 | Improper privilege management in Windows Kernel allows an unauthorized attacker to elevate privileges locally. | high |
| CVE-2025-33066 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | high |
| CVE-2025-33065 | Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally. | medium |
| CVE-2025-33064 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | high |
| CVE-2025-33063 | Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally. | medium |
| CVE-2025-33062 | Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally. | medium |
