| CVE-2025-46761 | Rejected reason: Not used | No Score |
| CVE-2025-46760 | Rejected reason: Not used | No Score |
| CVE-2025-46759 | Rejected reason: Not used | No Score |
| CVE-2025-46758 | Rejected reason: Not used | No Score |
| CVE-2025-46757 | Rejected reason: Not used | No Score |
| CVE-2025-46756 | Rejected reason: Not used | No Score |
| CVE-2025-46755 | Rejected reason: Not used | No Score |
| CVE-2025-46754 | Rejected reason: Not used | No Score |
| CVE-2025-46753 | Rejected reason: Not used | No Score |
| CVE-2025-46690 | Ververica Platform 2.14.0 allows low-privileged users to access SQL connectors via a direct namespaces/default/formats request. | medium |
| CVE-2025-46689 | Ververica Platform 2.14.0 contain an Reflected XSS vulnerability via a namespaces/default/formats URI. | medium |
| CVE-2025-46688 | quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected. | medium |
| CVE-2025-46687 | quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected. | medium |
| CVE-2025-46675 | In NASA CryptoLib before 1.3.2, the key state is not checked before use, potentially leading to spacecraft hijacking. | low |
| CVE-2025-46674 | NASA CryptoLib before 1.3.2 uses Extended Procedures that are a Work in Progress (not intended for use during flight), potentially leading to a keystream oracle. | low |
| CVE-2025-46673 | NASA CryptoLib before 1.3.2 does not check whether the SA is in an operational state before use, possibly leading to a bypass of the Space Data Link Security protocol (SDLS). | medium |
| CVE-2025-46672 | NASA CryptoLib before 1.3.2 does not check the OTAR crypto function returned status, potentially leading to spacecraft hijacking. | low |
| CVE-2025-46661 | IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the attacker to provide template expressions, aka Server-Side Template-Injection. All instances have been patched by the Supplier. | critical |
| CVE-2025-46657 | Karaz Karazal through 2025-04-14 allows reflected XSS via the lang parameter to the default URI. | high |
| CVE-2025-46656 | python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption. | low |
| CVE-2025-46655 | CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted JavaScript content, but the selected architecture within AWS does not have components that are able to insert Content-Security-Policy headers. | medium |
| CVE-2025-46654 | CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file. | medium |
| CVE-2025-46653 | Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content. | low |
| CVE-2025-46652 | In IZArc through 4.5, there is a Mark-of-the-Web Bypass Vulnerability. When a user performs an extraction from an archive file that bears Mark-of-the-Web, Mark-of-the-Web is not propagated to the extracted files. | medium |
| CVE-2025-46646 | In Artifex Ghostscript before 10.05.0, decode_utf8 in base/gp_utf8.c mishandles overlong UTF-8 encoding. NOTE: this issue exists because of an incomplete fix for CVE-2024-46954. | medium |
| CVE-2025-46618 | In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab | low |
| CVE-2025-46617 | Quantum StorNext Web GUI API before 7.2.4 grants access to internal StorNext configuration and unauthorized modification of some software configuration parameters via undocumented user credentials. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage. | high |
| CVE-2025-46616 | Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage. | critical |
| CVE-2025-46614 | In Snowflake ODBC Driver before 3.7.0, in certain code paths, the Driver logged the whole SQL query at the INFO level, aka Insertion of Sensitive Information into a Log File. | low |
| CVE-2025-46613 | OpenPLC 3 through 64f9c11 has server.cpp Memory Corruption because a thread may access handleConnections arguments after the parent stack frame becomes unavailable. | high |
| CVE-2025-46599 | CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials. | medium |
| CVE-2025-46595 | An XSS issue was discovered in the Flag module before 1.x-3.6.2 for Backdrop CMS. Flag is a module that allows flags to be added to nodes, comments, users, and any other type of entity. It doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow crafted HTML to result in Cross Site Scripting. This is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format. | medium |
| CVE-2025-46580 | There is a code-related vulnerability in the GoldenDB database product. Attackers can access system tables to disrupt the normal operation of business SQL. | high |
| CVE-2025-46579 | There is a DDE injection vulnerability in the GoldenDB database product. Attackers can inject DDE expressions through the interface, and when users download and open the affected file, the DDE commands can be executed. | high |
| CVE-2025-46578 | There are SQL injection vulnerabilities in multiple interfaces of the GoldenDB database product. Attackers can exploit these interfaces to inject commands and extract sensitive database information. | medium |
| CVE-2025-46577 | There is a SQL injection vulnerability in the GoldenDB database product. Attackers can inject commands to extract database information. | medium |
| CVE-2025-46576 | There is a Permission Management and Access Control vulnerability in the GoldenDB database product. Attackers can manipulate requests to bypass privilege restrictions and delete content. | medium |
| CVE-2025-46575 | There is an information disclosure vulnerability in the GoldenDB database product. Attackers can exploit error messages to obtain the system's sensitive information. | medium |
| CVE-2025-46574 | There is an information disclosure vulnerability in the GoldenDB database product. Attackers can exploit error messages to obtain the system's sensitive information. | medium |
| CVE-2025-46547 | In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, adding a new user or role, or exploiting a SQL injection issue. | medium |
| CVE-2025-46546 | In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/export/xlsx, /api/gui/process/listAll, /api/gui/processVersion/export/csv/, /api/gui/processVersion/export/xlsx/, /api/gui/processVersion/list/, /api/gui/robot/list/, /api/gui/task/export/csv/, /api/gui/task/export/xlsx/, and /api/gui/task/list/. | low |
| CVE-2025-46545 | In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires. | medium |
| CVE-2025-46544 | In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles. | medium |
| CVE-2025-46542 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeXpert Xpert Tab allows Stored XSS. This issue affects Xpert Tab: from n/a through 1.3. | medium |
| CVE-2025-46541 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elrata_ WP-reCAPTCHA-bp allows Stored XSS. This issue affects WP-reCAPTCHA-bp: from n/a through 4.1. | medium |
| CVE-2025-46540 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Mok GNA Search Shortcode allows Stored XSS. This issue affects GNA Search Shortcode: from n/a through 0.9.5. | medium |
| CVE-2025-46538 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webplanetsoft Inline Text Popup allows DOM-Based XSS. This issue affects Inline Text Popup: from n/a through 1.0.0. | medium |
| CVE-2025-46536 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RichardHarrison Carousel-of-post-images allows DOM-Based XSS. This issue affects Carousel-of-post-images: from n/a through 1.07. | medium |
| CVE-2025-46535 | Missing Authorization vulnerability in AlphaEfficiencyTeam Custom Login and Registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom Login and Registration: from n/a through 1.0.0. | medium |
| CVE-2025-46534 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DanielRiera Image Style Hover allows DOM-Based XSS. This issue affects Image Style Hover: from n/a through 1.0.6. | medium |
