The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2025-46101 - SQL Injection vulnerability in Beakon Software Beakon Learning Management System Sharable Content Object Reference Model (SCORM) version before 5.4.3 allows a remote attacker to obtain sensitive information via the ks parameter in json_scorm.php file
  Published: June 23, 2025; 11:15:27 AM -0400
- CVE-2025-46612 - The Panel Designer dashboard in Airleader Master and Easy before 6.36 allows remote attackers to execute arbitrary commands via a wizard/workspace.jsp unrestricted file upload. To exploit this, the attacker must login to the administrator console ...
  Published: June 10, 2025; 11:15:25 AM -0400
- CVE-2025-59238 - Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
  Published: October 14, 2025; 1:16:05 PM -0400
  V3.1: 7.8 HIGH
- CVE-2025-59243 - Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
  Published: October 14, 2025; 1:16:06 PM -0400
  V3.1: 7.8 HIGH
- CVE-2025-59221 - Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
  Published: October 14, 2025; 1:16:02 PM -0400
  V3.1: 7.0 HIGH
- CVE-2025-46398 - In xfig diagramming tool, a stack-overflow while running fig2dev allows memory corruption via local input manipulation via read_objects function.
  Published: April 23, 2025; 5:15:16 PM -0400
  V3.1: 5.5 MEDIUM
- CVE-2025-59222 - Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
  Published: October 14, 2025; 1:16:02 PM -0400
  V3.1: 7.8 HIGH
- CVE-2025-59232 - Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
  Published: October 14, 2025; 1:16:04 PM -0400
  V3.1: 7.1 HIGH
- CVE-2025-59235 - Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
  Published: October 14, 2025; 1:16:05 PM -0400
  V3.1: 7.1 HIGH
- CVE-2025-59218 - Azure Entra ID Elevation of Privilege Vulnerability
  Published: October 09, 2025; 5:15:38 PM -0400
  V3.1: 9.6 CRITICAL
- CVE-2025-59246 - Azure Entra ID Elevation of Privilege Vulnerability
  Published: October 09, 2025; 5:15:38 PM -0400
  V3.1: 9.8 CRITICAL
- CVE-2025-46399 - A flaw was found in fig2dev. This vulnerability allows availability via local input manipulation via genge_itp_spline function.
  Published: April 23, 2025; 5:15:17 PM -0400
  V3.1: 5.5 MEDIUM
- CVE-2025-46400 - In xfig diagramming tool, a segmentation fault while running fig2dev allows an attacker to availability via local input manipulation via read_arcobject function.
  Published: April 23, 2025; 5:15:17 PM -0400
  V3.1: 5.5 MEDIUM
- CVE-2025-46546 - In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/expo...
  Published: April 24, 2025; 11:15:20 PM -0400
  V3.1: 8.8 HIGH
- CVE-2025-46547 - In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, adding a new user or role, or exploiting a SQL injection issue.
  Published: April 24, 2025; 11:15:20 PM -0400
  V3.1: 6.1 MEDIUM
- CVE-2025-46653 - Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in whic...
  Published: April 26, 2025; 5:15:14 PM -0400
  V3.1: 8.8 HIGH
- CVE-2025-46656 - python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption.
  Published: April 26, 2025; 6:15:17 PM -0400
  V3.1: 3.3 LOW
- CVE-2025-10035 - A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
  Published: September 18, 2025; 6:15:41 PM -0400
  V3.1: 9.8 CRITICAL
- CVE-2025-50175 - Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.
  Published: October 14, 2025; 1:15:43 PM -0400
  V3.1: 7.8 HIGH
- CVE-2025-59223 - Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
  Published: October 14, 2025; 1:16:02 PM -0400
  V3.1: 7.8 HIGH